search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
added links from the parameter list (in the beginning on smb.conf)
[Samba.git] / docs / docbook / manpages / smb.conf.5.sgml
blobf55da93705335276f9722a640b004bd88e7f1a2a
1 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
2 <refentry id="smb.conf">
3
4 <refmeta>
5 <refentrytitle>smb.conf</refentrytitle>
6 <manvolnum>5</manvolnum>
7 </refmeta>
8
9
10 <refnamediv>
11 <refname>smb.conf</refname>
12 <refpurpose>The configuration file for the Samba suite</refpurpose>
13 </refnamediv>
14
15 <refsect1>
16 <title>SYNOPSIS</title>
17
18 <para>The <filename>smb.conf</filename> file is a configuration
19 file for the Samba suite. <filename>smb.conf</filename> contains
20 runtime configuration information for the Samba programs. The
21 <filename>smb.conf</filename> file is designed to be configured and
22 administered by the <ulink url="swat.8.html"><command>swat(8)</command>
23 </ulink> program. The complete description of the file format and
24 possible parameters held within are here for reference purposes.</para>
25 </refsect1>
26
27 <refsect1>
28 <title id="FILEFORMATSECT">FILE FORMAT</title>
29
30 <para>The file consists of sections and parameters. A section
31 begins with the name of the section in square brackets and continues
32 until the next section begins. Sections contain parameters of the
33 form</para>
34
35 <para><replaceable>name</replaceable> = <replaceable>value
36 </replaceable></para>
37
38 <para>The file is line-based - that is, each newline-terminated
39 line represents either a comment, a section name or a parameter.</para>
40
41 <para>Section and parameter names are not case sensitive.</para>
42
43 <para>Only the first equals sign in a parameter is significant.
44 Whitespace before or after the first equals sign is discarded.
45 Leading, trailing and internal whitespace in section and parameter
46 names is irrelevant. Leading and trailing whitespace in a parameter
47 value is discarded. Internal whitespace within a parameter value
48 is retained verbatim.</para>
49
50 <para>Any line beginning with a semicolon (';') or a hash ('#')
51 character is ignored, as are lines containing only whitespace.</para>
52
53 <para>Any line ending in a '\' is continued
54 on the next line in the customary UNIX fashion.</para>
55
56 <para>The values following the equals sign in parameters are all
57 either a string (no quotes needed) or a boolean, which may be given
58 as yes/no, 0/1 or true/false. Case is not significant in boolean
59 values, but is preserved in string values. Some items such as
60 create modes are numeric.</para>
61 </refsect1>
62
63 <refsect1>
64 <title>SECTION DESCRIPTIONS</title>
65
66 <para>Each section in the configuration file (except for the
67 [global] section) describes a shared resource (known
68 as a "share"). The section name is the name of the
69 shared resource and the parameters within the section define
70 the shares attributes.</para>
71
72 <para>There are three special sections, [global],
73 [homes] and [printers], which are
74 described under <emphasis>special sections</emphasis>. The
75 following notes apply to ordinary section descriptions.</para>
76
77 <para>A share consists of a directory to which access is being
78 given plus a description of the access rights which are granted
79 to the user of the service. Some housekeeping options are
80 also specifiable.</para>
81
82 <para>Sections are either file share services (used by the
83 client as an extension of their native file systems) or
84 printable services (used by the client to access print services
85 on the host running the server).</para>
86
87 <para>Sections may be designated <emphasis>guest</emphasis> services,
88 in which case no password is required to access them. A specified
89 UNIX <emphasis>guest account</emphasis> is used to define access
90 privileges in this case.</para>
91
92 <para>Sections other than guest services will require a password
93 to access them. The client provides the username. As older clients
94 only provide passwords and not usernames, you may specify a list
95 of usernames to check against the password using the "user="
96 option in the share definition. For modern clients such as
97 Windows 95/98/ME/NT/2000, this should not be necessary.</para>
98
99 <para>Note that the access rights granted by the server are
100 masked by the access rights granted to the specified or guest
101 UNIX user by the host system. The server does not grant more
102 access than the host system grants.</para>
103
104 <para>The following sample section defines a file space share.
105 The user has write access to the path <filename>/home/bar</filename>.
106 The share is accessed via the share name "foo":</para>
107
108 <screen>
109 <computeroutput>
110 [foo]
111 path = /home/bar
112 writeable = true
113 </computeroutput>
114 </screen>
115
116 <para>The following sample section defines a printable share.
117 The share is readonly, but printable. That is, the only write
118 access permitted is via calls to open, write to and close a
119 spool file. The <emphasis>guest ok</emphasis> parameter means
120 access will be permitted as the default guest user (specified
121 elsewhere):</para>
122
123 <screen>
124 <computeroutput>
125 [aprinter]
126 path = /usr/spool/public
127 writeable = false
128 printable = true
129 guest ok = true
130 </computeroutput>
131 </screen>
132 </refsect1>
133
134 <refsect1>
135 <title>SPECIAL SECTIONS</title>
136
137 <refsect2>
138 <title>The [global] section</title>
139
140 <para>parameters in this section apply to the server
141 as a whole, or are defaults for sections which do not
142 specifically define certain items. See the notes
143 under PARAMETERS for more information.</para>
144 </refsect2>
145
146 <refsect2>
147 <title id="HOMESECT">The [homes] section</title>
148
149 <para>If a section called homes is included in the
150 configuration file, services connecting clients to their
151 home directories can be created on the fly by the server.</para>
152
153 <para>When the connection request is made, the existing
154 sections are scanned. If a match is found, it is used. If no
155 match is found, the requested section name is treated as a
156 user name and looked up in the local password file. If the
157 name exists and the correct password has been given, a share is
158 created by cloning the [homes] section.</para>
159
160 <para>Some modifications are then made to the newly
161 created share:</para>
162
163 <itemizedlist>
164 <listitem><para>The share name is changed from homes to
165 the located username.</para></listitem>
166
167 <listitem><para>If no path was given, the path is set to
168 the user's home directory.</para></listitem>
169 </itemizedlist>
170
171 <para>If you decide to use a <emphasis>path=</emphasis> line
172 in your [homes] section then you may find it useful
173 to use the %S macro. For example :</para>
174
175 <para><userinput>path=/data/pchome/%S</userinput></para>
176
177 <para>would be useful if you have different home directories
178 for your PCs than for UNIX access.</para>
179
180 <para>This is a fast and simple way to give a large number
181 of clients access to their home directories with a minimum
182 of fuss.</para>
183
184 <para>A similar process occurs if the requested section
185 name is "homes", except that the share name is not
186 changed to that of the requesting user. This method of using
187 the [homes] section works well if different users share
188 a client PC.</para>
189
190 <para>The [homes] section can specify all the parameters
191 a normal service section can specify, though some make more sense
192 than others. The following is a typical and suitable [homes]
193 section:</para>
194
195 <screen>
196 <computeroutput>
197 [homes]
198 writeable = yes
199 </computeroutput>
200 </screen>
201
202 <para>An important point is that if guest access is specified
203 in the [homes] section, all home directories will be
204 visible to all clients <emphasis>without a password</emphasis>.
205 In the very unlikely event that this is actually desirable, it
206 would be wise to also specify <emphasis>read only
207 access</emphasis>.</para>
208
209 <para>Note that the <emphasis>browseable</emphasis> flag for
210 auto home directories will be inherited from the global browseable
211 flag, not the [homes] browseable flag. This is useful as
212 it means setting browseable=no in the [homes] section
213 will hide the [homes] share but make any auto home
214 directories visible.</para>
215 </refsect2>
216
217 <refsect2>
218 <title id="PRINTERSSECT">The [printers] section</title>
219
220 <para>This section works like [homes],
221 but for printers.</para>
222
223 <para>If a [printers] section occurs in the
224 configuration file, users are able to connect to any printer
225 specified in the local host's printcap file.</para>
226
227 <para>When a connection request is made, the existing sections
228 are scanned. If a match is found, it is used. If no match is found,
229 but a [homes] section exists, it is used as described
230 above. Otherwise, the requested section name is treated as a
231 printer name and the appropriate printcap file is scanned to see
232 if the requested section name is a valid printer share name. If
233 a match is found, a new printer share is created by cloning
234 the [printers] section.</para>
235
236 <para>A few modifications are then made to the newly created
237 share:</para>
238
239 <itemizedlist>
240 <listitem><para>The share name is set to the located printer
241 name</para></listitem>
242
243 <listitem><para>If no printer name was given, the printer name
244 is set to the located printer name</para></listitem>
245
246 <listitem><para>If the share does not permit guest access and
247 no username was given, the username is set to the located
248 printer name.</para></listitem>
249 </itemizedlist>
250
251 <para>Note that the [printers] service MUST be
252 printable - if you specify otherwise, the server will refuse
253 to load the configuration file.</para>
254
255 <para>Typically the path specified would be that of a
256 world-writeable spool directory with the sticky bit set on
257 it. A typical [printers] entry would look like
258 this:</para>
259
260 <screen><computeroutput>
261 [printers]
262 path = /usr/spool/public
263 guest ok = yes
264 printable = yes
265 </computeroutput></screen>
266
267 <para>All aliases given for a printer in the printcap file
268 are legitimate printer names as far as the server is concerned.
269 If your printing subsystem doesn't work like that, you will have
270 to set up a pseudo-printcap. This is a file consisting of one or
271 more lines like this:</para>
272
273 <screen>
274 <computeroutput>
275 alias|alias|alias|alias...
276 </computeroutput>
277 </screen>
278
279 <para>Each alias should be an acceptable printer name for
280 your printing subsystem. In the [global] section, specify
281 the new file as your printcap. The server will then only recognize
282 names found in your pseudo-printcap, which of course can contain
283 whatever aliases you like. The same technique could be used
284 simply to limit access to a subset of your local printers.</para>
285
286 <para>An alias, by the way, is defined as any component of the
287 first entry of a printcap record. Records are separated by newlines,
288 components (if there are more than one) are separated by vertical
289 bar symbols ('|').</para>
290
291 <para>NOTE: On SYSV systems which use lpstat to determine what
292 printers are defined on the system you may be able to use
293 "printcap name = lpstat" to automatically obtain a list
294 of printers. See the "printcap name" option
295 for more details.</para>
296 </refsect2>
297 </refsect1>
298
299 <refsect1>
300 <title>PARAMETERS</title>
301
302 <para>parameters define the specific attributes of sections.</para>
303
304 <para>Some parameters are specific to the [global] section
305 (e.g., <emphasis>security</emphasis>). Some parameters are usable
306 in all sections (e.g., <emphasis>create mode</emphasis>). All others
307 are permissible only in normal sections. For the purposes of the
308 following descriptions the [homes] and [printers]
309 sections will be considered normal. The letter <emphasis>G</emphasis>
310 in parentheses indicates that a parameter is specific to the
311 [global] section. The letter <emphasis>S</emphasis>
312 indicates that a parameter can be specified in a service specific
313 section. Note that all <emphasis>S</emphasis> parameters can also be specified in
314 the [global] section - in which case they will define
315 the default behavior for all services.</para>
316
317 <para>parameters are arranged here in alphabetical order - this may
318 not create best bedfellows, but at least you can find them! Where
319 there are synonyms, the preferred synonym is described, others refer
320 to the preferred synonym.</para>
321 </refsect1>
322
323 <refsect1>
324 <title>VARIABLE SUBSTITUTIONS</title>
325
326 <para>Many of the strings that are settable in the config file
327 can take substitutions. For example the option "path =
328 /tmp/%u" would be interpreted as "path =
329 /tmp/john" if the user connected with the username john.</para>
330
331 <para>These substitutions are mostly noted in the descriptions below,
332 but there are some general substitutions which apply whenever they
333 might be relevant. These are:</para>
334
335 <variablelist>
336 <varlistentry>
337 <term>%S</term>
338 <listitem><para>the name of the current service, if any.</para>
339 </listitem>
340 </varlistentry>
341
342 <varlistentry>
343 <term>%P</term>
344 <listitem><para>the root directory of the current service,
345 if any.</para></listitem>
346 </varlistentry>
347
348 <varlistentry>
349 <term>%u</term>
350 <listitem><para>user name of the current service, if any.</para>
351 </listitem>
352 </varlistentry>
353
354 <varlistentry>
355 <term>%g</term>
356 <listitem><para>primary group name of %u.</para></listitem>
357 </varlistentry>
358
359 <varlistentry>
360 <term>%U</term>
361 <listitem><para>session user name (the user name that the client
362 wanted, not necessarily the same as the one they got).</para></listitem>
363 </varlistentry>
364
365 <varlistentry>
366 <term>%G</term>
367 <listitem><para>primary group name of %U.</para></listitem>
368 </varlistentry>
369
370 <varlistentry>
371 <term>%H</term>
372 <listitem><para>the home directory of the user given
373 by %u.</para></listitem>
374 </varlistentry>
375
376 <varlistentry>
377 <term>%v</term>
378 <listitem><para>the Samba version.</para></listitem>
379 </varlistentry>
380
381 <varlistentry>
382 <term>%h</term>
383 <listitem><para>the Internet hostname that Samba is running
384 on.</para></listitem>
385 </varlistentry>
386
387 <varlistentry>
388 <term>%m</term>
389 <listitem><para>the NetBIOS name of the client machine
390 (very useful).</para></listitem>
391 </varlistentry>
392
393 <varlistentry>
394 <term>%L</term>
395 <listitem><para>the NetBIOS name of the server. This allows you
396 to change your config based on what the client calls you. Your
397 server can have a "dual personality".</para></listitem>
398 </varlistentry>
399
400 <varlistentry>
401 <term>%M</term>
402 <listitem><para>the Internet name of the client machine.
403 </para></listitem>
404 </varlistentry>
405
406 <varlistentry>
407 <term>%N</term>
408 <listitem><para>the name of your NIS home directory server.
409 This is obtained from your NIS auto.map entry. If you have
410 not compiled Samba with the <emphasis>--with-automount</emphasis>
411 option then this value will be the same as %.</para>
412 </listitem>
413 </varlistentry>
414
415 <varlistentry>
416 <term>%p</term>
417 <listitem><para>the path of the service's home directory,
418 obtained from your NIS auto.map entry. The NIS auto.map entry
419 is split up as "%N:%p".</para></listitem>
420 </varlistentry>
421
422 <varlistentry>
423 <term>%R</term>
424 <listitem><para>the selected protocol level after
425 protocol negotiation. It can be one of CORE, COREPLUS,
426 LANMAN1, LANMAN2 or NT1.</para></listitem>
427 </varlistentry>
428
429 <varlistentry>
430 <term>%d</term>
431 <listitem><para>The process id of the current server
432 process.</para></listitem>
433 </varlistentry>
434
435 <varlistentry>
436 <term>%a</term>
437 <listitem><para>the architecture of the remote
438 machine. Only some are recognized, and those may not be
439 100% reliable. It currently recognizes Samba, WfWg,
440 WinNT and Win95. Anything else will be known as
441 "UNKNOWN". If it gets it wrong then sending a level
442 3 log to <ulink url="mailto:samba@samba.org">samba@samba.org
443 </ulink> should allow it to be fixed.</para></listitem>
444 </varlistentry>
445
446 <varlistentry>
447 <term>%I</term>
448 <listitem><para>The IP address of the client machine.</para>
449 </listitem>
450 </varlistentry>
451
452 <varlistentry>
453 <term>%T</term>
454 <listitem><para>the current date and time.</para></listitem>
455 </varlistentry>
456
457 <varlistentry>
458 <term>%$(<replaceable>envvar</replaceable>)</term>
459 <listitem><para>The value of the environment variable
460 <replaceable>envar</replaceable>.</para></listitem>
461 </varlistentry>
462 </variablelist>
463
464 <para>There are some quite creative things that can be done
465 with these substitutions and other smb.conf options.</para
466 </refsect1>
467
468 <refsect1>
469 <title id="NAMEMANGLINGSECT">NAME MANGLING</title>
470
471 <para>Samba supports "name mangling" so that DOS and
472 Windows clients can use files that don't conform to the 8.3 format.
473 It can also be set to adjust the case of 8.3 format filenames.</para>
474
475 <para>There are several options that control the way mangling is
476 performed, and they are grouped here rather than listed separately.
477 For the defaults look at the output of the testparm program. </para>
478
479 <para>All of these options can be set separately for each service
480 (or globally, of course). </para>
481
482 <para>The options are: </para>
483
484 <variablelist>
485
486 <varlistentry>
487 <term>mangle case= yes/no</term>
488 <listitem><para> controls if names that have characters that
489 aren't of the "default" case are mangled. For example,
490 if this is yes then a name like "Mail" would be mangled.
491 Default <emphasis>no</emphasis>.</para></listitem>
492 </varlistentry>
493
494 <varlistentry>
495 <term>case sensitive = yes/no</term>
496 <listitem><para>controls whether filenames are case sensitive. If
497 they aren't then Samba must do a filename search and match on passed
498 names. Default <emphasis>no</emphasis>.</para></listitem>
499 </varlistentry>
500
501 <varlistentry>
502 <term>default case = upper/lower</term>
503 <listitem><para>controls what the default case is for new
504 filenames. Default <emphasis>lower</emphasis>.</para></listitem>
505 </varlistentry>
506
507 <varlistentry>
508 <term>preserve case = yes/no</term>
509 <listitem><para>controls if new files are created with the
510 case that the client passes, or if they are forced to be the
511 "default" case. Default <emphasis>yes</emphasis>.
512 </para></listitem>
513 </varlistentry>
514
515 <varlistentry>
516 <term>short preserve case = yes/no</term>
517 <listitem><para>controls if new files which conform to 8.3 syntax,
518 that is all in upper case and of suitable length, are created
519 upper case, or if they are forced to be the "default"
520 case. This option can be use with "preserve case = yes"
521 to permit long filenames to retain their case, while short names
522 are lowered. Default <emphasis>yes</emphasis>.</para></listitem>
523 </varlistentry>
524 </variablelist>
525
526 <para>By default, Samba 2.2 has the same semantics as a Windows
527 NT server, in that it is case insensitive but case preserving.</para>
528
529 </refsect1>
530
531 <refsect1>
532 <title id="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
533
534 <para>There are a number of ways in which a user can connect
535 to a service. The server uses the following steps in determining
536 if it will allow a connection to a specified service. If all the
537 steps fail, then the connection request is rejected. However, if one of the
538 steps succeeds, then the following steps are not checked.</para>
539
540 <para>If the service is marked "guest only = yes" then
541 steps 1 to 5 are skipped.</para>
542
543 <orderedlist numeration="Arabic">
544 <listitem><para>If the client has passed a username/password
545 pair and that username/password pair is validated by the UNIX
546 system's password programs then the connection is made as that
547 username. Note that this includes the
548 \\server\service%<replaceable>username</replaceable> method of passing
549 a username.</para></listitem>
550
551 <listitem><para>If the client has previously registered a username
552 with the system and now supplies a correct password for that
553 username then the connection is allowed.</para></listitem>
554
555 <listitem><para>The client's netbios name and any previously
556 used user names are checked against the supplied password, if
557 they match then the connection is allowed as the corresponding
558 user.</para></listitem>
559
560 <listitem><para>If the client has previously validated a
561 username/password pair with the server and the client has passed
562 the validation token then that username is used. </para></listitem>
563
564 <listitem><para>If a "user = " field is given in the
565 <filename>smb.conf</filename> file for the service and the client
566 has supplied a password, and that password matches (according to
567 the UNIX system's password checking) with one of the usernames
568 from the "user=" field then the connection is made as
569 the username in the "user=" line. If one
570 of the username in the "user=" list begins with a
571 '@' then that name expands to a list of names in
572 the group of the same name.</para></listitem>
573
574 <listitem><para>If the service is a guest service then a
575 connection is made as the username given in the "guest
576 account =" for the service, irrespective of the
577 supplied password.</para></listitem>
578 </orderedlist>
579
580 </refsect1>
581
582 <refsect1>
583 <title>COMPLETE LIST OF GLOBAL PARAMETERS</title>
584
585 <para>Here is a list of all global parameters. See the section of
586 each parameter for details. Note that some are synonyms.</para>
587
588 <itemizedlist>
589 <listitem><para><link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link></para></listitem>
590 <listitem><para><link linkend="ADDPRINTERCOMMAND"><parameter>addprinter command</parameter></link></para></listitem>
591 <listitem><para><link linkend="ALLOWTRUSTEDDOMAINS"><parameter>allow trusted domains</parameter></link></para></listitem>
592 <listitem><para><link linkend="ANNOUNCEAS"><parameter>announce as</parameter></link></para></listitem>
593 <listitem><para><link linkend="ANNOUNCEVERSION"><parameter>announce version</parameter></link></para></listitem>
594 <listitem><para><link linkend="AUTOSERVICES"><parameter>auto services</parameter></link></para></listitem>
595 <listitem><para><link linkend="BINDINTERFACESONLY"><parameter>bind interfaces only</parameter></link></para></listitem>
596 <listitem><para><link linkend="BROWSELIST"><parameter>browse list</parameter></link></para></listitem>
597 <listitem><para><link linkend="CHANGENOTIFYTIMEOUT"><parameter>change notify timeout</parameter></link></para></listitem>
598 <listitem><para><link linkend="CHARACTERSET"><parameter>character set</parameter></link></para></listitem>
599 <listitem><para><link linkend="CLIENTCODEPAGE"><parameter>client code page</parameter></link></para></listitem>
600 <listitem><para><link linkend="CODEPAGEDIRECTORY"><parameter>code page directory</parameter></link></para></listitem>
601 <listitem><para><link linkend="CODINGSYSTEM"><parameter>coding system</parameter></link></para></listitem>
602 <listitem><para><link linkend="CONFIGFILE"><parameter>config file</parameter></link></para></listitem>
603 <listitem><para><link linkend="DEADTIME"><parameter>deadtime</parameter></link></para></listitem>
604 <listitem><para><link linkend="DEBUGHIRESTIMESTAMP"><parameter>debug hires timestamp</parameter></link></para></listitem>
605 <listitem><para><link linkend="DEBUGPID"><parameter>debug pid</parameter></link></para></listitem>
606 <listitem><para><link linkend="DEBUGTIMESTAMP"><parameter>debug timestamp</parameter></link></para></listitem>
607 <listitem><para><link linkend="DEBUGUID"><parameter>debug uid</parameter></link></para></listitem>
608 <listitem><para><link linkend="DEBUGLEVEL"><parameter>debuglevel</parameter></link></para></listitem>
609 <listitem><para><link linkend="DEFAULT"><parameter>default</parameter></link></para></listitem>
610 <listitem><para><link linkend="DEFAULTSERVICE"><parameter>default service</parameter></link></para></listitem>
611 <listitem><para><link linkend="DELETEUSERSCRIPT"><parameter>delete user script</parameter></link></para></listitem>
612 <listitem><para><link linkend="DELETEPRINTERCOMMAND"><parameter>deleteprinter command</parameter></link></para></listitem>
613 <listitem><para><link linkend="DFREECOMMAND"><parameter>dfree command</parameter></link></para></listitem>
614 <listitem><para><link linkend="DNSPROXY"><parameter>dns proxy</parameter></link></para></listitem>
615 <listitem><para><link linkend="DOMAINADMINGROUP"><parameter>domain admin group</parameter></link></para></listitem>
616 <listitem><para><link linkend="DOMAINADMINUSERS"><parameter>domain admin users</parameter></link></para></listitem>
617 <listitem><para><link linkend="DOMAINGROUPS"><parameter>domain groups</parameter></link></para></listitem>
618 <listitem><para><link linkend="DOMAINGUESTGROUP"><parameter>domain guest group</parameter></link></para></listitem>
619 <listitem><para><link linkend="DOMAINGUESTUSERS"><parameter>domain guest users</parameter></link></para></listitem>
620 <listitem><para><link linkend="DOMAINLOGONS"><parameter>domain logons</parameter></link></para></listitem>
621 <listitem><para><link linkend="DOMAINMASTER"><parameter>domain master</parameter></link></para></listitem>
622 <listitem><para><link linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords</parameter></link></para></listitem>
623 <listitem><para><link linkend="ENHANCEDBROWSING"><parameter>enhanced browsing</parameter></link></para></listitem>
624 <listitem><para><link linkend="ENUMPORTSCOMMAND"><parameter>enumports command</parameter></link></para></listitem>
625 <listitem><para><link linkend="GETWDCACHE"><parameter>getwd cache</parameter></link></para></listitem>
626 <listitem><para><link linkend="HIDELOCALUSERS"><parameter>hide local users</parameter></link></para></listitem>
627 <listitem><para><link linkend="HOMEDIRMAP"><parameter>homedir map</parameter></link></para></listitem>
628 <listitem><para><link linkend="HOSTMSDFS"><parameter>host msdfs</parameter></link></para></listitem>
629 <listitem><para><link linkend="HOSTSEQUIV"><parameter>hosts equiv</parameter></link></para></listitem>
630 <listitem><para><link linkend="INTERFACES"><parameter>interfaces</parameter></link></para></listitem>
631 <listitem><para><link linkend="KEEPALIVE"><parameter>keepalive</parameter></link></para></listitem>
632 <listitem><para><link linkend="KERNELOPLOCKS"><parameter>kernel oplocks</parameter></link></para></listitem>
633 <listitem><para><link linkend="LANMANAUTH"><parameter>lanman auth</parameter></link></para></listitem>
634 <listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem>
635 <listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem>
636 <listitem><para><link linkend="LOADPRINTERS"><parameter>load printers</parameter></link></para></listitem>
637 <listitem><para><link linkend="LOCALMASTER"><parameter>local master</parameter></link></para></listitem>
638 <listitem><para><link linkend="LOCKDIR"><parameter>lock dir</parameter></link></para></listitem>
639 <listitem><para><link linkend="LOCKDIRECTORY"><parameter>lock directory</parameter></link></para></listitem>
640 <listitem><para><link linkend="LOGFILE"><parameter>log file</parameter></link></para></listitem>
641 <listitem><para><link linkend="LOGLEVEL"><parameter>log level</parameter></link></para></listitem>
642 <listitem><para><link linkend="LOGONDRIVE"><parameter>logon drive</parameter></link></para></listitem>
643 <listitem><para><link linkend="LOGONHOME"><parameter>logon home</parameter></link></para></listitem>
644 <listitem><para><link linkend="LOGONPATH"><parameter>logon path</parameter></link></para></listitem>
645 <listitem><para><link linkend="LOGONSCRIPT"><parameter>logon script</parameter></link></para></listitem>
646 <listitem><para><link linkend="LPQCACHETIME"><parameter>lpq cache time</parameter></link></para></listitem>
647 <listitem><para><link linkend="MACHINEPASSWORDTIMEOUT"><parameter>machine password timeout</parameter></link></para></listitem>
648 <listitem><para><link linkend="MANGLEDSTACK"><parameter>mangled stack</parameter></link></para></listitem>
649 <listitem><para><link linkend="MAPTOGUEST"><parameter>map to guest</parameter></link></para></listitem>
650 <listitem><para><link linkend="MAXDISKSIZE"><parameter>max disk size</parameter></link></para></listitem>
651 <listitem><para><link linkend="MAXLOGSIZE"><parameter>max log size</parameter></link></para></listitem>
652 <listitem><para><link linkend="MAXMUX"><parameter>max mux</parameter></link></para></listitem>
653 <listitem><para><link linkend="MAXOPENFILES"><parameter>max open files</parameter></link></para></listitem>
654 <listitem><para><link linkend="MAXPROTOCOL"><parameter>max protocol</parameter></link></para></listitem>
655 <listitem><para><link linkend="MAXSMBDPROCESSES"><parameter>max smbd processes</parameter></link></para></listitem>
656 <listitem><para><link linkend="MAXTTL"><parameter>max ttl</parameter></link></para></listitem>
657 <listitem><para><link linkend="MAXWINSTTL"><parameter>max wins ttl</parameter></link></para></listitem>
658 <listitem><para><link linkend="MAXXMIT"><parameter>max xmit</parameter></link></para></listitem>
659 <listitem><para><link linkend="MESSAGECOMMAND"><parameter>message command</parameter></link></para></listitem>
660 <listitem><para><link linkend="MINPASSWDLENGTH"><parameter>min passwd length</parameter></link></para></listitem>
661 <listitem><para><link linkend="MINPASSWORDLENGTH"><parameter>min password length</parameter></link></para></listitem>
662 <listitem><para><link linkend="MINPROTOCOL"><parameter>min protocol</parameter></link></para></listitem>
663 <listitem><para><link linkend="MINWINSTTL"><parameter>min wins ttl</parameter></link></para></listitem>
664 <listitem><para><link linkend="NAMERESOLVEORDER"><parameter>name resolve order</parameter></link></para></listitem>
665 <listitem><para><link linkend="NETBIOSALIASES"><parameter>netbios aliases</parameter></link></para></listitem>
666 <listitem><para><link linkend="NETBIOSNAME"><parameter>netbios name</parameter></link></para></listitem>
667 <listitem><para><link linkend="NETBIOSSCOPE"><parameter>netbios scope</parameter></link></para></listitem>
668 <listitem><para><link linkend="NISHOMEDIR"><parameter>nis homedir</parameter></link></para></listitem>
669 <listitem><para><link linkend="NTACLSUPPORT"><parameter>nt acl support</parameter></link></para></listitem>
670 <listitem><para><link linkend="NTPIPESUPPORT"><parameter>nt pipe support</parameter></link></para></listitem>
671 <listitem><para><link linkend="NTSMBSUPPORT"><parameter>nt smb support</parameter></link></para></listitem>
672 <listitem><para><link linkend="NULLPASSWORDS"><parameter>null passwords</parameter></link></para></listitem>
673 <listitem><para><link linkend="OPLOCKBREAKWAITTIME"><parameter>oplock break wait time</parameter></link></para></listitem>
674 <listitem><para><link linkend="OSLEVEL"><parameter>os level</parameter></link></para></listitem>
675 <listitem><para><link linkend="OS2DRIVERMAP"><parameter>os2 driver map</parameter></link></para></listitem>
676 <listitem><para><link linkend="PANICACTION"><parameter>panic action</parameter></link></para></listitem>
677 <listitem><para><link linkend="PASSWDCHAT"><parameter>passwd chat</parameter></link></para></listitem>
678 <listitem><para><link linkend="PASSWDCHATDEBUG"><parameter>passwd chat debug</parameter></link></para></listitem>
679 <listitem><para><link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter></link></para></listitem>
680 <listitem><para><link linkend="PASSWORDLEVEL"><parameter>password level</parameter></link></para></listitem>
681 <listitem><para><link linkend="PASSWORDSERVER"><parameter>password server</parameter></link></para></listitem>
682 <listitem><para><link linkend="PREFEREDMASTER"><parameter>prefered master</parameter></link></para></listitem>
683 <listitem><para><link linkend="PREFERREDMASTER"><parameter>preferred master</parameter></link></para></listitem>
684 <listitem><para><link linkend="PRELOAD"><parameter>preload</parameter></link></para></listitem>
685 <listitem><para><link linkend="PRINTCAP"><parameter>printcap</parameter></link></para></listitem>
686 <listitem><para><link linkend="PRINTCAPNAME"><parameter>printcap name</parameter></link></para></listitem>
687 <listitem><para><link linkend="PRINTERDRIVERFILE"><parameter>printer driver file</parameter></link></para></listitem>
688 <listitem><para><link linkend="PROTOCOL"><parameter>protocol</parameter></link></para></listitem>
689 <listitem><para><link linkend="READBMPX"><parameter>read bmpx</parameter></link></para></listitem>
690 <listitem><para><link linkend="READRAW"><parameter>read raw</parameter></link></para></listitem>
691 <listitem><para><link linkend="READSIZE"><parameter>read size</parameter></link></para></listitem>
692 <listitem><para><link linkend="REMOTEANNOUNCE"><parameter>remote announce</parameter></link></para></listitem>
693 <listitem><para><link linkend="REMOTEBROWSESYNC"><parameter>remote browse sync</parameter></link></para></listitem>
694 <listitem><para><link linkend="RESTRICTANONYMOUS"><parameter>restrict anonymous</parameter></link></para></listitem>
695 <listitem><para><link linkend="ROOT"><parameter>root</parameter></link></para></listitem>
696 <listitem><para><link linkend="ROOTDIR"><parameter>root dir</parameter></link></para></listitem>
697 <listitem><para><link linkend="ROOTDIRECTORY"><parameter>root directory</parameter></link></para></listitem>
698 <listitem><para><link linkend="SECURITY"><parameter>security</parameter></link></para></listitem>
699 <listitem><para><link linkend="SERVERSTRING"><parameter>server string</parameter></link></para></listitem>
700 <listitem><para><link linkend="SHOWADDPRINTERWIZARD"><parameter>show add printer wizard</parameter></link></para></listitem>
701 <listitem><para><link linkend="SMBPASSWDFILE"><parameter>smb passwd file</parameter></link></para></listitem>
702 <listitem><para><link linkend="SMBRUN"><parameter>smbrun</parameter></link></para></listitem>
703 <listitem><para><link linkend="SOCKETADDRESS"><parameter>socket address</parameter></link></para></listitem>
704 <listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem>
705 <listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem>
706 <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem>
707 <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem>
708 <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem>
709 <listitem><para><link linkend="SSLCIPHERS"><parameter>ssl ciphers</parameter></link></para></listitem>
710 <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem>
711 <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem>
712 <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem>
713 <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem>
714 <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem>
715 <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem>
716 <listitem><para><link linkend="SSLREQUIRESERVERCERT"><parameter>ssl require servercert</parameter></link></para></listitem>
717 <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem>
718 <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem>
719 <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem>
720 <listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem>
721 <listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem>
722 <listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem>
723 <listitem><para><link linkend="SYSLOG"><parameter>syslog</parameter></link></para></listitem>
724 <listitem><para><link linkend="SYSLOGONLY"><parameter>syslog only</parameter></link></para></listitem>
725 <listitem><para><link linkend="TEMPLATEHOMEDIR"><parameter>template homedir</parameter></link></para></listitem>
726 <listitem><para><link linkend="TEMPLATESHELL"><parameter>template shell</parameter></link></para></listitem>
727 <listitem><para><link linkend="TIMEOFFSET"><parameter>time offset</parameter></link></para></listitem>
728 <listitem><para><link linkend="TIMESERVER"><parameter>time server</parameter></link></para></listitem>
729 <listitem><para><link linkend="TIMESTAMPLOGS"><parameter>timestamp logs</parameter></link></para></listitem>
730 <listitem><para><link linkend="TOTALPRINTJOBS"><parameter>total print jobs</parameter></link></para></listitem>
731 <listitem><para><link linkend="UNIXPASSWORDSYNC"><parameter>unix password sync</parameter></link></para></listitem>
732 <listitem><para><link linkend="UNIXREALNAME"><parameter>unix realname</parameter></link></para></listitem>
733 <listitem><para><link linkend="UPDATEENCRYPTED"><parameter>update encrypted</parameter></link></para></listitem>
734 <listitem><para><link linkend="USERHOSTS"><parameter>use rhosts</parameter></link></para></listitem>
735 <listitem><para><link linkend="USERNAMELEVEL"><parameter>username level</parameter></link></para></listitem>
736 <listitem><para><link linkend="USERNAMEMAP"><parameter>username map</parameter></link></para></listitem>
737 <listitem><para><link linkend="UTMPDIRECTORY"><parameter>utmp directory</parameter></link></para></listitem>
738 <listitem><para><link linkend="VALIDCHARS"><parameter>valid chars</parameter></link></para></listitem>
739 <listitem><para><link linkend="WINBINDCACHETIME"><parameter>winbind cache time</parameter></link></para></listitem>
740 <listitem><para><link linkend="WINBINDGID"><parameter>winbind gid</parameter></link></para></listitem>
741 <listitem><para><link linkend="WINBINDSEPARATOR"><parameter>winbind separator</parameter></link></para></listitem>
742 <listitem><para><link linkend="WINBINDUID"><parameter>winbind uid</parameter></link></para></listitem>
743 <listitem><para><link linkend="WINSHOOK"><parameter>wins hook</parameter></link></para></listitem>
744 <listitem><para><link linkend="WINSPROXY"><parameter>wins proxy</parameter></link></para></listitem>
745 <listitem><para><link linkend="WINSSERVER"><parameter>wins server</parameter></link></para></listitem>
746 <listitem><para><link linkend="WINSSUPPORT"><parameter>wins support</parameter></link></para></listitem>
747 <listitem><para><link linkend="WORKGROUP"><parameter>workgroup</parameter></link></para></listitem>
748 <listitem><para><link linkend="WRITERAW"><parameter>write raw</parameter></link></para></listitem>
749 </itemizedlist>
750
751 </refsect1>
752
753 <refsect1>
754 <title>COMPLETE LIST OF SERVICE PARAMETERS</title>
755
756 <para>Here is a list of all service parameters. See the section on
757 each parameter for details. Note that some are synonyms.</para>
758
759 <itemizedlist>
760 <listitem><para><link linkend="ADMINUSERS"><parameter>admin users</parameter></link></para></listitem>
761 <listitem><para><link linkend="ALLOWHOSTS"><parameter>allow hosts</parameter></link></para></listitem>
762 <listitem><para><link linkend="AVAILABLE"><parameter>available</parameter></link></para></listitem>
763 <listitem><para><link linkend="BLOCKINGLOCKS"><parameter>blocking locks</parameter></link></para></listitem>
764 <listitem><para><link linkend="BROWSABLE"><parameter>browsable</parameter></link></para></listitem>
765 <listitem><para><link linkend="BROWSEABLE"><parameter>browseable</parameter></link></para></listitem>
766 <listitem><para><link linkend="CASESENSITIVE"><parameter>case sensitive</parameter></link></para></listitem>
767 <listitem><para><link linkend="CASESIGNAMES"><parameter>casesignames</parameter></link></para></listitem>
768 <listitem><para><link linkend="COMMENT"><parameter>comment</parameter></link></para></listitem>
769 <listitem><para><link linkend="COPY"><parameter>copy</parameter></link></para></listitem>
770 <listitem><para><link linkend="CREATEMASK"><parameter>create mask</parameter></link></para></listitem>
771 <listitem><para><link linkend="CREATEMODE"><parameter>create mode</parameter></link></para></listitem>
772 <listitem><para><link linkend="DEFAULTCASE"><parameter>default case</parameter></link></para></listitem>
773 <listitem><para><link linkend="DELETEREADONLY"><parameter>delete readonly</parameter></link></para></listitem>
774 <listitem><para><link linkend="DELETEVETOFILES"><parameter>delete veto files</parameter></link></para></listitem>
775 <listitem><para><link linkend="DENYHOSTS"><parameter>deny hosts</parameter></link></para></listitem>
776 <listitem><para><link linkend="DIRECTORY"><parameter>directory</parameter></link></para></listitem>
777 <listitem><para><link linkend="DIRECTORYMASK"><parameter>directory mask</parameter></link></para></listitem>
778 <listitem><para><link linkend="DIRECTORYMODE"><parameter>directory mode</parameter></link></para></listitem>
779 <listitem><para><link linkend="DIRECTORYSECURITYMASK"><parameter>directory security mask</parameter></link></para></listitem>
780 <listitem><para><link linkend="DONTDESCEND"><parameter>dont descend</parameter></link></para></listitem>
781 <listitem><para><link linkend="DOSFILEMODE"><parameter>dos filemode</parameter></link></para></listitem>
782 <listitem><para><link linkend="DOSFILETIMERESOLUTION"><parameter>dos filetime resolution</parameter></link></para></listitem>
783 <listitem><para><link linkend="DOSFILETIMES"><parameter>dos filetimes</parameter></link></para></listitem>
784 <listitem><para><link linkend="EXEC"><parameter>exec</parameter></link></para></listitem>
785 <listitem><para><link linkend="FAKEDIRECTORYCREATETIMES"><parameter>fake directory create times</parameter></link></para></listitem>
786 <listitem><para><link linkend="FAKEOPLOCKS"><parameter>fake oplocks</parameter></link></para></listitem>
787 <listitem><para><link linkend="FOLLOWSYMLINKS"><parameter>follow symlinks</parameter></link></para></listitem>
788 <listitem><para><link linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link></para></listitem>
789 <listitem><para><link linkend="FORCEDIRECTORYMODE"><parameter>force directory mode</parameter></link></para></listitem>
790 <listitem><para><link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>force directory security mode</parameter></link></para></listitem>
791 <listitem><para><link linkend="FORCEGROUP"><parameter>force group</parameter></link></para></listitem>
792 <listitem><para><link linkend="FORCESECURITYMODE"><parameter>force security mode</parameter></link></para></listitem>
793 <listitem><para><link linkend="FORCEUSER"><parameter>force user</parameter></link></para></listitem>
794 <listitem><para><link linkend="FSTYPE"><parameter>fstype</parameter></link></para></listitem>
795 <listitem><para><link linkend="GROUP"><parameter>group</parameter></link></para></listitem>
796 <listitem><para><link linkend="GUESTACCOUNT"><parameter>guest account</parameter></link></para></listitem>
797 <listitem><para><link linkend="GUESTOK"><parameter>guest ok</parameter></link></para></listitem>
798 <listitem><para><link linkend="GUESTONLY"><parameter>guest only</parameter></link></para></listitem>
799 <listitem><para><link linkend="HIDEDOTFILES"><parameter>hide dot files</parameter></link></para></listitem>
800 <listitem><para><link linkend="HIDEFILES"><parameter>hide files</parameter></link></para></listitem>
801 <listitem><para><link linkend="HOSTSALLOW"><parameter>hosts allow</parameter></link></para></listitem>
802 <listitem><para><link linkend="HOSTSDENY"><parameter>hosts deny</parameter></link></para></listitem>
803 <listitem><para><link linkend="INCLUDE"><parameter>include</parameter></link></para></listitem>
804 <listitem><para><link linkend="INHERITPERMISSIONS"><parameter>inherit permissions</parameter></link></para></listitem>
805 <listitem><para><link linkend="INVALIDUSERS"><parameter>invalid users</parameter></link></para></listitem>
806 <listitem><para><link linkend="LEVEL2OPLOCKS"><parameter>level2 oplocks</parameter></link></para></listitem>
807 <listitem><para><link linkend="LOCKING"><parameter>locking</parameter></link></para></listitem>
808 <listitem><para><link linkend="LPPAUSECOMMAND"><parameter>lppause command</parameter></link></para></listitem>
809 <listitem><para><link linkend="LPQCOMMAND"><parameter>lpq command</parameter></link></para></listitem>
810 <listitem><para><link linkend="LPRESUMECOMMAND"><parameter>lpresume command</parameter></link></para></listitem>
811 <listitem><para><link linkend="LPRMCOMMAND"><parameter>lprm command</parameter></link></para></listitem>
812 <listitem><para><link linkend="MAGICOUTPUT"><parameter>magic output</parameter></link></para></listitem>
813 <listitem><para><link linkend="MAGICSCRIPT"><parameter>magic script</parameter></link></para></listitem>
814 <listitem><para><link linkend="MANGLECASE"><parameter>mangle case</parameter></link></para></listitem>
815 <listitem><para><link linkend="MANGLEDMAP"><parameter>mangled map</parameter></link></para></listitem>
816 <listitem><para><link linkend="MANGLEDNAMES"><parameter>mangled names</parameter></link></para></listitem>
817 <listitem><para><link linkend="MANGLINGCHAR"><parameter>mangling char</parameter></link></para></listitem>
818 <listitem><para><link linkend="MAPARCHIVE"><parameter>map archive</parameter></link></para></listitem>
819 <listitem><para><link linkend="MAPHIDDEN"><parameter>map hidden</parameter></link></para></listitem>
820 <listitem><para><link linkend="MAPSYSTEM"><parameter>map system</parameter></link></para></listitem>
821 <listitem><para><link linkend="MAXCONNECTIONS"><parameter>max connections</parameter></link></para></listitem>
822 <listitem><para><link linkend="MAXPRINTJOBS"><parameter>max print jobs</parameter></link></para></listitem>
823 <listitem><para><link linkend="MINPRINTSPACE"><parameter>min print space</parameter></link></para></listitem>
824 <listitem><para><link linkend="MSDFSROOT"><parameter>msdfs root</parameter></link></para></listitem>
825 <listitem><para><link linkend="ONLYGUEST"><parameter>only guest</parameter></link></para></listitem>
826 <listitem><para><link linkend="ONLYUSER"><parameter>only user</parameter></link></para></listitem>
827 <listitem><para><link linkend="OPLOCKCONTENTIONLIMIT"><parameter>oplock contention limit</parameter></link></para></listitem>
828 <listitem><para><link linkend="OPLOCKS"><parameter>oplocks</parameter></link></para></listitem>
829 <listitem><para><link linkend="PATH"><parameter>path</parameter></link></para></listitem>
830 <listitem><para><link linkend="POSIXLOCKING"><parameter>posix locking</parameter></link></para></listitem>
831 <listitem><para><link linkend="POSTEXEC"><parameter>postexec</parameter></link></para></listitem>
832 <listitem><para><link linkend="POSTSCRIPT"><parameter>postscript</parameter></link></para></listitem>
833 <listitem><para><link linkend="PREEXEC"><parameter>preexec</parameter></link></para></listitem>
834 <listitem><para><link linkend="PREEXECCLOSE"><parameter>preexec close</parameter></link></para></listitem>
835 <listitem><para><link linkend="PRESERVECASE"><parameter>preserve case</parameter></link></para></listitem>
836 <listitem><para><link linkend="PRINTCOMMAND"><parameter>print command</parameter></link></para></listitem>
837 <listitem><para><link linkend="PRINTOK"><parameter>print ok</parameter></link></para></listitem>
838 <listitem><para><link linkend="PRINTABLE"><parameter>printable</parameter></link></para></listitem>
839 <listitem><para><link linkend="PRINTER"><parameter>printer</parameter></link></para></listitem>
840 <listitem><para><link linkend="PRINTERADMIN"><parameter>printer admin</parameter></link></para></listitem>
841 <listitem><para><link linkend="PRINTERDRIVER"><parameter>printer driver</parameter></link></para></listitem>
842 <listitem><para><link linkend="PRINTERDRIVERLOCATION"><parameter>printer driver location</parameter></link></para></listitem>
843 <listitem><para><link linkend="PRINTERNAME"><parameter>printer name</parameter></link></para></listitem>
844 <listitem><para><link linkend="PRINTING"><parameter>printing</parameter></link></para></listitem>
845 <listitem><para><link linkend="PUBLIC"><parameter>public</parameter></link></para></listitem>
846 <listitem><para><link linkend="QUEUEPAUSECOMMAND"><parameter>queuepause command</parameter></link></para></listitem>
847 <listitem><para><link linkend="QUEUERESUMECOMMAND"><parameter>queueresume command</parameter></link></para></listitem>
848 <listitem><para><link linkend="READLIST"><parameter>read list</parameter></link></para></listitem>
849 <listitem><para><link linkend="READONLY"><parameter>read only</parameter></link></para></listitem>
850 <listitem><para><link linkend="ROOTPOSTEXEC"><parameter>root postexec</parameter></link></para></listitem>
851 <listitem><para><link linkend="ROOTPREEXEC"><parameter>root preexec</parameter></link></para></listitem>
852 <listitem><para><link linkend="ROOTPREEXECCLOSE"><parameter>root preexec close</parameter></link></para></listitem>
853 <listitem><para><link linkend="SECURITYMASK"><parameter>security mask</parameter></link></para></listitem>
854 <listitem><para><link linkend="SETDIRECTORY"><parameter>set directory</parameter></link></para></listitem>
855 <listitem><para><link linkend="SHAREMODES"><parameter>share modes</parameter></link></para></listitem>
856 <listitem><para><link linkend="SHORTPRESERVECASE"><parameter>short preserve case</parameter></link></para></listitem>
857 <listitem><para><link linkend="STATUS"><parameter>status</parameter></link></para></listitem>
858 <listitem><para><link linkend="STRICTLOCKING"><parameter>strict locking</parameter></link></para></listitem>
859 <listitem><para><link linkend="STRICTSYNC"><parameter>strict sync</parameter></link></para></listitem>
860 <listitem><para><link linkend="SYNCALWAYS"><parameter>sync always</parameter></link></para></listitem>
861 <listitem><para><link linkend="USER"><parameter>user</parameter></link></para></listitem>
862 <listitem><para><link linkend="USERNAME"><parameter>username</parameter></link></para></listitem>
863 <listitem><para><link linkend="USERS"><parameter>users</parameter></link></para></listitem>
864 <listitem><para><link linkend="UTMP"><parameter>utmp</parameter></link></para></listitem>
865 <listitem><para><link linkend="VALIDUSERS"><parameter>valid users</parameter></link></para></listitem>
866 <listitem><para><link linkend="VETOFILES"><parameter>veto files</parameter></link></para></listitem>
867 <listitem><para><link linkend="VETOOPLOCKFILES"><parameter>veto oplock files</parameter></link></para></listitem>
868 <listitem><para><link linkend="VFSOBJECT"><parameter>vfs object</parameter></link></para></listitem>
869 <listitem><para><link linkend="VFSOPTIONS"><parameter>vfs options</parameter></link></para></listitem>
870 <listitem><para><link linkend="VOLUME"><parameter>volume</parameter></link></para></listitem>
871 <listitem><para><link linkend="WIDELINKS"><parameter>wide links</parameter></link></para></listitem>
872 <listitem><para><link linkend="WRITABLE"><parameter>writable</parameter></link></para></listitem>
873 <listitem><para><link linkend="WRITECACHESIZE"><parameter>write cache size</parameter></link></para></listitem>
874 <listitem><para><link linkend="WRITELIST"><parameter>write list</parameter></link></para></listitem>
875 <listitem><para><link linkend="WRITEOK"><parameter>write ok</parameter></link></para></listitem>
876 <listitem><para><link linkend="WRITEABLE"><parameter>writeable</parameter></link></para></listitem>
877 </itemizedlist>
878
879 </refsect1>
880
881 <refsect1>
882 <title>EXPLANATION OF EACH PARAMETER</title>
883
884 <variablelist>
885
886 <varlistentry>
887 <term><anchor id="ADDUSERSCRIPT">add user script (G)</term>
888 <listitem><para>This is the full pathname to a script that will
889 be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">smbd(8)
890 </ulink> under special circumstances described below.</para>
891
892 <para>Normally, a Samba server requires that UNIX users are
893 created for all users accessing files on this server. For sites
894 that use Windows NT account databases as their primary user database
895 creating these users and keeping the user list in sync with the
896 Windows NT PDC is an onerous task. This option allows <ulink
897 url="smbd.8.html">smbd</ulink> to create the required UNIX users
898 <emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.</para>
899
900 <para>In order to use this option, <ulink url="smbd.8.html">smbd</ulink>
901 must be set to <parameter>security=server</parameter> or <parameter>
902 security=domain</parameter> and <parameter>add user script</parameter>
903 must be set to a full pathname for a script that will create a UNIX
904 user given one argument of <parameter>%u</parameter>, which expands into
905 the UNIX user name to create.</para>
906
907 <para>When the Windows user attempts to access the Samba server,
908 at login (session setup in the SMB protocol) time, <ulink url="smbd.8.html">
909 smbd</ulink> contacts the <parameter>password server</parameter> and
910 attempts to authenticate the given user with the given password. If the
911 authentication succeeds then <command>smbd</command>
912 attempts to find a UNIX user in the UNIX password database to map the
913 Windows user into. If this lookup fails, and <parameter>add user script
914 </parameter> is set then <command>smbd</command> will
915 call the specified script <emphasis>AS ROOT</emphasis>, expanding
916 any <parameter>%u</parameter> argument to be the user name to create.</para>
917
918 <para>If this script successfully creates the user then <command>smbd
919 </command> will continue on as though the UNIX user
920 already existed. In this way, UNIX users are dynamically created to
921 match existing Windows NT accounts.</para>
922
923 <para>See also <link linkend="SECURITY"><parameter>
924 security</parameter></link>, <link linkend="PASSWORDSERVER">
925 <parameter>password server</parameter></link>,
926 <link linkend="DELETEUSERSCRIPT"><parameter>delete user
927 script</parameter></link>.</para>
928
929 <para>Default: <command>add user script = &lt;empty string&gt;
930 </command></para>
931
932 <para>Example: <command>add user script = /usr/local/samba/bin/add_user
933 %u</command></para>
934 </listitem>
935 </varlistentry>
936
937
938
939 <varlistentry>
940 <term><anchor id="ADDPRINTERCOMMAND">addprinter command (G)</term>
941 <listitem><para>With the introduction of MS-RPC based printing
942 support for Windows NT/2000 clients in Samba 2.2, The MS Add
943 Printer Wizard (APW) icon is now also available in the
944 "Printers..." folder displayed a share listing. The APW
945 allows for printers to be add remotely to a Samba or Windows
946 NT/2000 print server.</para>
947
948 <para>For a Samba host this means that the printer must be
949 physically added to underlying printing system. The <parameter>
950 addprinter command</parameter> defines a script to be run which
951 will perform the necessary operations for adding the printer
952 to the print system and to add the appropriate service definition
953 to the <filename>smb.conf</filename> file in order that it can be
954 shared by <ulink url="smbd.8.html"><command>smbd(8)</command>
955 </ulink>.</para>
956
957 <para>The <parameter>addprinter command</parameter> is
958 automatically invoked with the following parameter (in
959 order:</para>
960
961 <itemizedlist>
962 <listitem><para><parameter>printer name</parameter></para></listitem>
963 <listitem><para><parameter>share name</parameter></para></listitem>
964 <listitem><para><parameter>port name</parameter></para></listitem>
965 <listitem><para><parameter>driver name</parameter></para></listitem>
966 <listitem><para><parameter>location</parameter></para></listitem>
967 <listitem><para><parameter>Windows 9x driver location</parameter>
968 </para></listitem>
969 </itemizedlist>
970
971 <para>All parameters are filled in from the PRINTER_INFO_2 structure sent
972 by the Windows NT/2000 client with one exception. The "Windows 9x
973 driver location" parameter is included for backwards compatibility
974 only. The remaining fields in the structure are generated from answers
975 to the APW questions.</para>
976
977 <para>Once the <parameter>addprinter command</parameter> has
978 been executed, <command>smbd</command> will reparse the <filename>
979 smb.conf</filename> to determine if the share defined by the APW
980 exists. If the sharename is still invalid, then <command>smbd
981 </command> will return an ACCESS_DENIED error to the client.</para>
982
983 <para>See also <link linkend="DELETEPRINTERCOMMAND"><parameter>
984 deleteprinter command</parameter></link>, <link
985 linkend="printing"><parameter>printing</parameter></link>,
986 <link linkend="SHOWADDPRINTERWIZARD"><parameter>show add
987 printer wizard</parameter></link></para>
988
989 <para>Default: <emphasis>none</emphasis></para>
990 <para>Example: <command>addprinter command = /usr/bin/addprinter
991 </command></para>
992 </listitem>
993 </varlistentry>
994
995
996 <varlistentry>
997 <term><anchor id="ADMINUSERS">admin users (S)</term>
998 <listitem><para>This is a list of users who will be granted
999 administrative privileges on the share. This means that they
1000 will do all file operations as the super-user (root).</para>
1001
1002 <para>You should use this option very carefully, as any user in
1003 this list will be able to do anything they like on the share,
1004 irrespective of file permissions.</para>
1005
1006 <para>Default: <emphasis>no admin users</emphasis></para>
1007
1008 <para>Example: <command>admin users = jason</command></para>
1009 </listitem>
1010 </varlistentry>
1011
1012
1013
1014 <varlistentry>
1015 <term><anchor id="ALLOWHOSTS">allow hosts (S)</term>
1016 <listitem><para>Synonym for <link linkend="HOSTSALLOW">
1017 <parameter>hosts allow</parameter></link>.</para></listitem>
1018 </varlistentry>
1019
1020
1021
1022 <varlistentry>
1023 <term><anchor id="ALLOWTRUSTEDDOMAINS">allow trusted domains (G)</term>
1024 <listitem><para>This option only takes effect when the <link
1025 linkend="SECURITY"><parameter>security</parameter></link> option is set to
1026 <constant>server</constant> or <constant>domain</constant>.
1027 If it is set to no, then attempts to connect to a resource from
1028 a domain or workgroup other than the one which smbd is running
1029 in will fail, even if that domain is trusted by the remote server
1030 doing the authentication.</para>
1031
1032 <para>This is useful if you only want your Samba server to
1033 serve resources to users in the domain it is a member of. As
1034 an example, suppose that there are two domains DOMA and DOMB. DOMB
1035 is trusted by DOMA, which contains the Samba server. Under normal
1036 circumstances, a user with an account in DOMB can then access the
1037 resources of a UNIX account with the same account name on the
1038 Samba server even if they do not have an account in DOMA. This
1039 can make implementing a security boundary difficult.</para>
1040
1041 <para>Default: <command>allow trusted domains = yes</command></para>
1042
1043 </listitem>
1044 </varlistentry>
1045
1046
1047
1048 <varlistentry>
1049 <term><anchor id="ANNOUNCEAS">announce as (G)</term>
1050 <listitem><para>This specifies what type of server
1051 <ulink url="nmbd.8.html"><command>nmbd</command></ulink>
1052 will announce itself as, to a network neighborhood browse
1053 list. By default this is set to Windows NT. The valid options
1054 are : "NT Server" (which can also be written as "NT"),
1055 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
1056 Windows NT Workstation, Windows 95 and Windows for Workgroups
1057 respectively. Do not change this parameter unless you have a
1058 specific need to stop Samba appearing as an NT server as this
1059 may prevent Samba servers from participating as browser servers
1060 correctly.</para>
1061
1062 <para>Default: <command>announce as = NT Server</command></para>
1063
1064 <para>Example: <command>announce as = Win95</command></para>
1065 </listitem>
1066 </varlistentry>
1067
1068
1069
1070 <varlistentry>
1071 <term><anchor id="ANNOUNCEVERSION">annouce version (G)</term>
1072 <listitem><para>This specifies the major and minor version numbers
1073 that nmbd will use when announcing itself as a server. The default
1074 is 4.2. Do not change this parameter unless you have a specific
1075 need to set a Samba server to be a downlevel server.</para>
1076
1077 <para>Default: <command>announce version = 4.2</command></para>
1078
1079 <para>Example: <command>announce version = 2.0</command></para>
1080 </listitem>
1081 </varlistentry>
1082
1083
1084
1085 <varlistentry>
1086 <term><anchor id="AUTOSERVICES">auto services (G)</term>
1087 <listitem><para>This is a synonym for the <link linkend="PRELOAD">
1088 <parameter>preload</parameter></link>.</para>
1089 </listitem>
1090 </varlistentry>
1091
1092
1093
1094 <varlistentry>
1095 <term><anchor id="AVAILABLE">available (S)</term>
1096 <listitem><para>This parameter lets you "turn off" a service. If
1097 <parameter>available = no</parameter>, then <emphasis>ALL</emphasis>
1098 attempts to connect to the service will fail. Such failures are
1099 logged.</para>
1100
1101 <para>Default: <command>available = yes</command></para>
1102
1103 </listitem>
1104 </varlistentry>
1105
1106
1107
1108 <varlistentry>
1109 <term><anchor id="BINDINTERFACESONLY">bind interfaces only (G)</term>
1110 <listitem><para>This global parameter allows the Samba admin
1111 to limit what interfaces on a machine will serve smb requests. If
1112 affects file service <ulink url="smbd.8.html">smbd(8)</ulink> and
1113 name service <ulink url="nmbd.8.html">nmbd(8)</ulink> in slightly
1114 different ways.</para>
1115
1116 <para>For name service it causes <command>nmbd</command> to bind
1117 to ports 137 and 138 on the interfaces listed in the <link
1118 linkend="INTERFACES">interfaces</link> parameter. <command>nmbd
1119 </command> also binds to the "all addresses" interface (0.0.0.0)
1120 on ports 137 and 138 for the purposes of reading broadcast messages.
1121 If this option is not set then <command>nmbd</command> will service
1122 name requests on all of these sockets. If <parameter>bind interfaces
1123 only</parameter> is set then <command>nmbd</command> will check the
1124 source address of any packets coming in on the broadcast sockets
1125 and discard any that don't match the broadcast addresses of the
1126 interfaces in the <parameter>interfaces</parameter> parameter list.
1127 As unicast packets are received on the other sockets it allows
1128 <command>nmbd</command> to refuse to serve names to machines that
1129 send packets that arrive through any interfaces not listed in the
1130 <parameter>interfaces</parameter> list. IP Source address spoofing
1131 does defeat this simple check, however so it must not be used
1132 seriously as a security feature for <command>nmbd</command>.</para>
1133
1134 <para>For file service it causes <ulink url="smbd.8.html">smbd(8)</ulink>
1135 to bind only to the interface list given in the <link linkend="INTERFACES">
1136 interfaces</link> parameter. This restricts the networks that
1137 <command>smbd</command> will serve to packets coming in those
1138 interfaces. Note that you should not use this parameter for machines
1139 that are serving PPP or other intermittent or non-broadcast network
1140 interfaces as it will not cope with non-permanent interfaces.</para>
1141
1142 <para>If <parameter>bind interfaces only</parameter> is set then
1143 unless the network address <emphasis>127.0.0.1</emphasis> is added
1144 to the <parameter>interfaces</parameter> parameter list <ulink
1145 url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>
1146 and <ulink url="swat.8.html"><command>swat(8)</command></ulink> may
1147 not work as expected due to the reasons covered below.</para>
1148
1149 <para>To change a users SMB password, the <command>smbpasswd</command>
1150 by default connects to the <emphasis>localhost - 127.0.0.1</emphasis>
1151 address as an SMB client to issue the password change request. If
1152 <parameter>bind interfaces only</parameter> is set then unless the
1153 network address <emphasis>127.0.0.1</emphasis> is added to the
1154 <parameter>interfaces</parameter> parameter list then <command>
1155 smbpasswd</command> will fail to connect in it's default mode.
1156 <command>smbpasswd</command> can be forced to use the primary IP interface
1157 of the local host by using its <ulink url="smbpasswd.8.html#minusr">
1158 <parameter>-r <replaceable>remote machine</replaceable></parameter>
1159 </ulink> parameter, with <replaceable>remote machine</replaceable> set
1160 to the IP name of the primary interface of the local host.</para>
1161
1162 <para>The <command>swat</command> status page tries to connect with
1163 <command>smbd</command> and <command>nmbd</command> at the address
1164 <emphasis>127.0.0.1</emphasis> to determine if they are running.
1165 Not adding <emphasis>127.0.0.1</emphasis> will cause <command>
1166 smbd</command> and <command>nmbd</command> to always show
1167 "not running" even if they really are. This can prevent <command>
1168 swat</command> from starting/stopping/restarting <command>smbd</command>
1169 and <command>nmbd</command>.</para>
1170
1171 <para>Default: <command>bind interfaces only = no</command></para>
1172
1173 </listitem>
1174 </varlistentry>
1175
1176
1177
1178 <varlistentry>
1179 <term><anchor id="BLOCKINGLOCKS">blocking locks (S)</term>
1180 <listitem><para>This parameter controls the behavior of <ulink
1181 url="smbd.8.html">smbd(8)</ulink> when given a request by a client
1182 to obtain a byte range lock on a region of an open file, and the
1183 request has a time limit associated with it.</para>
1184
1185 <para>If this parameter is set and the lock range requested
1186 cannot be immediately satisfied, Samba 2.2 will internally
1187 queue the lock request, and periodically attempt to obtain
1188 the lock until the timeout period expires.</para>
1189
1190 <para>If this parameter is set to <constant>False</constant>, then
1191 Samba 2.2 will behave as previous versions of Samba would and
1192 will fail the lock request immediately if the lock range
1193 cannot be obtained.</para>
1194
1195 <para>Default: <command>blocking locks = yes</command></para>
1196
1197 </listitem>
1198 </varlistentry>
1199
1200
1201
1202 <varlistentry>
1203 <term><anchor id="BROWSABLE">browsable (S)</term>
1204 <listitem><para>See the <link linkend="BROWSEABLE"><parameter>
1205 browseable</parameter></link>.</para></listitem>
1206 </varlistentry>
1207
1208
1209
1210 <varlistentry>
1211 <term><anchor id="BROWSELIST">browse list (G)</term>
1212 <listitem><para>This controls whether <ulink url="smbd.8.html">
1213 <command>smbd(8)</command></ulink> will serve a browse list to
1214 a client doing a <command>NetServerEnum</command> call. Normally
1215 set to <constant>true</constant>. You should never need to change
1216 this.</para>
1217
1218 <para>Default: <command>browse list = yes</command></para></listitem>
1219 </varlistentry>
1220
1221
1222
1223 <varlistentry>
1224 <term><anchor id="BROWSEABLE">browseable (S)</term>
1225 <listitem><para>This controls whether this share is seen in
1226 the list of available shares in a net view and in the browse list.</para>
1227
1228 <para>Default: <command>browseable = yes</command></para>
1229 </listitem>
1230 </varlistentry>
1231
1232
1233
1234 <varlistentry>
1235 <term><anchor id="CASESENSITIVE">case sensitive (S)</term>
1236 <listitem><para>See the discussion in the section <link
1237 linkend="NAMEMANGLINGSECT">NAME MANGLING</link>.</para>
1238
1239 <para>Default: <command>case sensitive = no</command></para>
1240 </listitem>
1241 </varlistentry>
1242
1243
1244
1245 <varlistentry>
1246 <term><anchor id="CASESIGNAMES">casesignames (S)</term>
1247 <listitem><para>Synonym for <link linkend="CASESENSITIVE">case
1248 sensitive</link>.</para></listitem>
1249 </varlistentry>
1250
1251
1252
1253 <varlistentry>
1254 <term><anchor id="CHANGENOTIFYTIMEOUT">change notify timeout (G)</term>
1255 <listitem><para>This SMB allows a client to tell a server to
1256 "watch" a particular directory for any changes and only reply to
1257 the SMB request when a change has occurred. Such constant scanning of
1258 a directory is expensive under UNIX, hence an <ulink url="smbd.8.html">
1259 <command>smbd(8)</command></ulink> daemon only performs such a scan
1260 on each requested directory once every <parameter>change notify
1261 timeout</parameter> seconds.</para>
1262
1263 <para>Default: <command>change notify timeout = 60</command></para>
1264 <para>Example: <command>change notify timeout = 300</command></para>
1265
1266 <para>Would change the scan time to every 5 minutes.</para></listitem>
1267 </varlistentry>
1268
1269
1270
1271 <varlistentry>
1272 <term><anchor id="CHARACTERSET">character set (G)</term>
1273 <listitem><para>This allows a smbd to map incoming filenames
1274 from a DOS Code page (see the <link linkend="CLIENTCODEPAGE">client
1275 code page</link> parameter) to several built in UNIX character sets.
1276 The built in code page translations are:</para>
1277
1278 <itemizedlist>
1279 <listitem><para><constant>ISO8859-1</constant> : Western European
1280 UNIX character set. The parameter <parameter>client code page</parameter>
1281 <emphasis>MUST</emphasis> be set to code page 850 if the
1282 <parameter>character set</parameter> parameter is set to
1283 <constant>ISO8859-1</constant> in order for the conversion to the
1284 UNIX character set to be done correctly.</para></listitem>
1285
1286 <listitem><para><constant>ISO8859-2</constant> : Eastern European
1287 UNIX character set. The parameter <parameter>client code page
1288 </parameter> <emphasis>MUST</emphasis> be set to code page 852 if
1289 the <parameter> character set</parameter> parameter is set
1290 to <constant>ISO8859-2</constant> in order for the conversion
1291 to the UNIX character set to be done correctly. </para></listitem>
1292
1293 <listitem><para><constant>ISO8859-5</constant> : Russian Cyrillic
1294 UNIX character set. The parameter <parameter>client code page
1295 </parameter> <emphasis>MUST</emphasis> be set to code page
1296 866 if the <parameter>character set </parameter> parameter is
1297 set to <constant>ISO8859-5</constant> in order for the conversion
1298 to the UNIX character set to be done correctly. </para></listitem>
1299
1300 <listitem><para><constant>ISO8859-7</constant> : Greek UNIX
1301 character set. The parameter <parameter>client code page
1302 </parameter> <emphasis>MUST</emphasis> be set to code page
1303 737 if the <parameter>character set</parameter> parameter is
1304 set to <constant>ISO8859-7</constant> in order for the conversion
1305 to the UNIX character set to be done correctly.</para></listitem>
1306
1307 <listitem><para><constant>KOI8-R</constant> : Alternate mapping
1308 for Russian Cyrillic UNIX character set. The parameter
1309 <parameter>client code page</parameter> <emphasis>MUST</emphasis>
1310 be set to code page 866 if the <parameter>character set</parameter>
1311 parameter is set to <constant>KOI8-R</constant> in order for the
1312 conversion to the UNIX character set to be done correctly.</para>
1313 </listitem>
1314 </itemizedlist>
1315
1316 <para><emphasis>BUG</emphasis>. These MSDOS code page to UNIX character
1317 set mappings should be dynamic, like the loading of MS DOS code pages,
1318 not static.</para>
1319
1320 <para>Normally this parameter is not set, meaning no filename
1321 translation is done.</para>
1322
1323 <para>Default: <command>character set = &lt;empty string&gt;</command></para>
1324 <para>Example: <command>character set = ISO8859-1</command></para></listitem>
1325 </varlistentry>
1326
1327
1328
1329 <varlistentry>
1330 <term><anchor id="CLIENTCODEPAGE">client code page (G)</term>
1331 <listitem><para>This parameter specifies the DOS code page
1332 that the clients accessing Samba are using. To determine what code
1333 page a Windows or DOS client is using, open a DOS command prompt
1334 and type the command <command>chcp</command>. This will output
1335 the code page. The default for USA MS-DOS, Windows 95, and
1336 Windows NT releases is code page 437. The default for western
1337 European releases of the above operating systems is code page 850.</para>
1338
1339 <para>This parameter tells <ulink url="smbd.8.html">smbd(8)</ulink>
1340 which of the <filename>codepage.<replaceable>XXX</replaceable>
1341 </filename> files to dynamically load on startup. These files,
1342 described more fully in the manual page <ulink url="make_smbcodepage.1.html">
1343 <command>make_smbcodepage(1)</command></ulink>, tell <command>
1344 smbd</command> how to map lower to upper case characters to provide
1345 the case insensitivity of filenames that Windows clients expect.</para>
1346
1347 <para>Samba currently ships with the following code page files :</para>
1348
1349 <itemizedlist>
1350 <listitem><para>Code Page 437 - MS-DOS Latin US</para></listitem>
1351 <listitem><para>Code Page 737 - Windows '95 Greek</para></listitem>
1352 <listitem><para>Code Page 850 - MS-DOS Latin 1</para></listitem>
1353 <listitem><para>Code Page 852 - MS-DOS Latin 2</para></listitem>
1354 <listitem><para>Code Page 861 - MS-DOS Icelandic</para></listitem>
1355 <listitem><para>Code Page 866 - MS-DOS Cyrillic</para></listitem>
1356 <listitem><para>Code Page 932 - MS-DOS Japanese SJIS</para></listitem>
1357 <listitem><para>Code Page 936 - MS-DOS Simplified Chinese</para></listitem>
1358 <listitem><para>Code Page 949 - MS-DOS Korean Hangul</para></listitem>
1359 <listitem><para>Code Page 950 - MS-DOS Traditional Chinese</para></listitem>
1360 </itemizedlist>
1361
1362 <para>Thus this parameter may have any of the values 437, 737, 850, 852,
1363 861, 932, 936, 949, or 950. If you don't find the codepage you need,
1364 read the comments in one of the other codepage files and the
1365 <command>make_smbcodepage(1)</command> man page and write one. Please
1366 remember to donate it back to the Samba user community.</para>
1367
1368 <para>This parameter co-operates with the <parameter>valid
1369 chars</parameter> parameter in determining what characters are
1370 valid in filenames and how capitalization is done. If you set both
1371 this parameter and the <parameter>valid chars</parameter> parameter
1372 the <parameter>client code page</parameter> parameter
1373 <emphasis>MUST</emphasis> be set before the <parameter>valid
1374 chars</parameter> parameter in the <filename>smb.conf</filename>
1375 file. The <parameter>valid chars</parameter> string will then
1376 augment the character settings in the <parameter>client code page</parameter>
1377 parameter.</para>
1378
1379 <para>If not set, <parameter>client code page</parameter> defaults
1380 to 850.</para>
1381
1382 <para>See also : <link linkend="VALIDCHARS"><parameter>valid
1383 chars</parameter></link>, <link linkend="CODEPAGEDIRECTORY">
1384 <parameter>code page directory</parameter></link></para>
1385
1386 <para>Default: <command>client code page = 850</command></para>
1387 <para>Example: <command>client code page = 936</command></para>
1388 </listitem>
1389 </varlistentry>
1390
1391
1392
1393
1394 <varlistentry>
1395 <term><anchor id="CODEPAGEDIRECTORY">code page directory (G)</term>
1396 <listitem><para>Define the location of the various client code page
1397 files.</para>
1398
1399 <para>See also <link linkend="CLIENTCODEPAGE"><parameter>client
1400 code page</parameter></link></para>
1401
1402 <para>Default: <command>code page directory = ${prefix}/lib/codepages
1403 </command></para>
1404 <para>Example: <command>code page directory = /usr/share/samba/codepages
1405 </command></para>
1406 </listitem>
1407 </varlistentry>
1408
1409
1410
1411
1412
1413 <varlistentry>
1414 <term><anchor id="CODINGSYSTEM">codingsystem (G)</term>
1415 <listitem><para>This parameter is used to determine how incoming
1416 Shift-JIS Japanese characters are mapped from the incoming <link
1417 linkend="CLIENTCODEPAGE"><parameter>client code page</parameter>
1418 </link> used by the client, into file names in the UNIX filesystem.
1419 Only useful if <parameter>client code page</parameter> is set to
1420 932 (Japanese Shift-JIS). The options are :</para>
1421
1422 <itemizedlist>
1423 <listitem><para><constant>SJIS</constant> - Shift-JIS. Does no
1424 conversion of the incoming filename.</para></listitem>
1425
1426 <listitem><para><constant>JIS8, J8BB, J8BH, J8@B,
1427 J8@J, J8@H </constant> - Convert from incoming Shift-JIS to eight
1428 bit JIS code with different shift-in, shift out codes.</para></listitem>
1429
1430 <listitem><para><constant>JIS7, J7BB, J7BH, J7@B, J7@J,
1431 J7@H </constant> - Convert from incoming Shift-JIS to seven bit
1432 JIS code with different shift-in, shift out codes.</para></listitem>
1433
1434 <listitem><para><constant>JUNET, JUBB, JUBH, JU@B, JU@J, JU@H </constant>
1435 - Convert from incoming Shift-JIS to JUNET code with different shift-in,
1436 shift out codes.</para></listitem>
1437
1438 <listitem><para><constant>EUC</constant> - Convert an incoming
1439 Shift-JIS character to EUC code.</para></listitem>
1440
1441 <listitem><para><constant>HEX</constant> - Convert an incoming
1442 Shift-JIS character to a 3 byte hex representation, i.e.
1443 <constant>:AB</constant>.</para></listitem>
1444
1445 <listitem><para><constant>CAP</constant> - Convert an incoming
1446 Shift-JIS character to the 3 byte hex representation used by
1447 the Columbia AppleTalk Program (CAP), i.e. <constant>:AB</constant>.
1448 This is used for compatibility between Samba and CAP.</para></listitem>
1449 </itemizedlist>
1450
1451 <para>Default: <command>coding system = &lt;empty value&gt;</command>
1452 </para>
1453 </listitem>
1454 </varlistentry>
1455
1456
1457
1458 <varlistentry>
1459 <term><anchor id="COMMENT">comment (S)</term>
1460 <listitem><para>This is a text field that is seen next to a share
1461 when a client does a queries the server, either via the network
1462 neighborhood or via <command>net view</command> to list what shares
1463 are available.</para>
1464
1465 <para>If you want to set the string that is displayed next to the
1466 machine name then see the <link linkend="SERVERSTRING"><parameter>
1467 server string</parameter></link> parameter.</para>
1468
1469 <para>Default: <emphasis>No comment string</emphasis></para>
1470 <para>Example: <command>comment = Fred's Files</command></para></listitem>
1471 </varlistentry>
1472
1473
1474
1475 <varlistentry>
1476 <term><anchor id="CONFIGFILE">config file (G)</term>
1477 <listitem><para>This allows you to override the config file
1478 to use, instead of the default (usually <filename>smb.conf</filename>).
1479 There is a chicken and egg problem here as this option is set
1480 in the config file!</para>
1481
1482 <para>For this reason, if the name of the config file has changed
1483 when the parameters are loaded then it will reload them from
1484 the new config file.</para>
1485
1486 <para>This option takes the usual substitutions, which can
1487 be very useful.</para>
1488
1489 <para>If the config file doesn't exist then it won't be loaded
1490 (allowing you to special case the config files of just a few
1491 clients).</para>
1492
1493 <para>Example: <command>config file = /usr/local/samba/lib/smb.conf.%m
1494 </command></para></listitem>
1495 </varlistentry>
1496
1497
1498
1499 <varlistentry>
1500 <term><anchor id="COPY">copy (S)</term>
1501 <listitem><para>This parameter allows you to "clone" service
1502 entries. The specified service is simply duplicated under the
1503 current service's name. Any parameters specified in the current
1504 section will override those in the section being copied.</para>
1505
1506 <para>This feature lets you set up a 'template' service and
1507 create similar services easily. Note that the service being
1508 copied must occur earlier in the configuration file than the
1509 service doing the copying.</para>
1510
1511 <para>Default: <emphasis>no value</emphasis></para>
1512 <para>Example: <command>copy = otherservice</command></para></listitem>
1513 </varlistentry>
1514
1515
1516
1517 <varlistentry>
1518 <term><anchor id="CREATEMASK">create mask (S)</term>
1519 <listitem><para>A synonym for this parameter is
1520 <link linkend="CREATEMODE"><parameter>create mode</parameter>
1521 </link>.</para>
1522
1523 <para>When a file is created, the necessary permissions are
1524 calculated according to the mapping from DOS modes to UNIX
1525 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
1526 with this parameter. This parameter may be thought of as a bit-wise
1527 MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis>
1528 set here will be removed from the modes set on a file when it is
1529 created.</para>
1530
1531 <para>The default value of this parameter removes the
1532 'group' and 'other' write and execute bits from the UNIX modes.</para>
1533
1534 <para>Following this Samba will bit-wise 'OR' the UNIX mode created
1535 from this parameter with the value of the <link
1536 linkend="FORCECREATEMODE"><parameter>force create mode</parameter></link>
1537 parameter which is set to 000 by default.</para>
1538
1539 <para>This parameter does not affect directory modes. See the
1540 parameter <link linkend="DIRECTORYMODE"><parameter>directory mode
1541 </parameter></link> for details.</para>
1542
1543 <para>See also the <link linkend="FORCECREATEMODE"><parameter>force
1544 create mode</parameter></link> parameter for forcing particular mode
1545 bits to be set on created files. See also the <link linkend="DIRECTORYMODE">
1546 <parameter>directory mode"</parameter></link> parameter for masking
1547 mode bits on created directories. See also the <link linkend="INHERITPERMISSIONS">
1548 <parameter>inherit permissions</parameter></link> parameter.</para>
1549
1550 <para>Default: <command>create mask = 0744</command></para>
1551 <para>Example: <command>create mask = 0775</command></para></listitem>
1552 </varlistentry>
1553
1554
1555
1556 <varlistentry>
1557 <term><anchor id="CREATEMODE">create mode (S)</term>
1558 <listitem><para>This is a synonym for <link linkend="CREATEMASK"><parameter>
1559 create mask</parameter></link>.</para></listitem>
1560 </varlistentry>
1561
1562
1563
1564 <varlistentry>
1565 <term><anchor id="DEADTIME">deadtime (G)</term>
1566 <listitem><para>The value of the parameter (a decimal integer)
1567 represents the number of minutes of inactivity before a connection
1568 is considered dead, and it is disconnected. The deadtime only takes
1569 effect if the number of open files is zero.</para>
1570
1571 <para>This is useful to stop a server's resources being
1572 exhausted by a large number of inactive connections.</para>
1573
1574 <para>Most clients have an auto-reconnect feature when a
1575 connection is broken so in most cases this parameter should be
1576 transparent to users.</para>
1577
1578 <para>Using this parameter with a timeout of a few minutes
1579 is recommended for most systems.</para>
1580
1581 <para>A deadtime of zero indicates that no auto-disconnection
1582 should be performed.</para>
1583
1584 <para>Default: <command>deadtime = 0</command></para>
1585 <para>Example: <command>deadtime = 15</command></para></listitem>
1586 </varlistentry>
1587
1588
1589
1590 <varlistentry>
1591 <term><anchor id="DEBUGHIRESTIMESTAMP">debug hires timestamp (G)</term>
1592 <listitem><para>Sometimes the timestamps in the log messages
1593 are needed with a resolution of higher that seconds, this
1594 boolean parameter adds microsecond resolution to the timestamp
1595 message header when turned on.</para>
1596
1597 <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
1598 debug timestamp</parameter></link> must be on for this to have an
1599 effect.</para>
1600
1601 <para>Default: <command>debug hires timestamp = no</command></para>
1602 </listitem>
1603 </varlistentry>
1604
1605
1606
1607 <varlistentry>
1608 <term><anchor id="DEBUGPID">debug pid (G)</term>
1609 <listitem><para>When using only one log file for more then one
1610 forked smbd-process there may be hard to follow which process
1611 outputs which message. This boolean parameter is adds the process-id
1612 to the timestamp message headers in the logfile when turned on.</para>
1613
1614 <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
1615 debug timestamp</parameter></link> must be on for this to have an
1616 effect.</para>
1617
1618 <para>Default: <command>debug pid = no</command></para></listitem>
1619 </varlistentry>
1620
1621
1622 <varlistentry>
1623 <term><anchor id="DEBUGTIMESTAMP">debug timestamp (G)</term>
1624 <listitem><para>Samba 2.2 debug log messages are timestamped
1625 by default. If you are running at a high <link linkend="DEBUGLEVEL">
1626 <parameter>debug level</parameter></link> these timestamps
1627 can be distracting. This boolean parameter allows timestamping
1628 to be turned off.</para>
1629
1630 <para>Default: <command>debug timestamp = yes</command></para></listitem>
1631 </varlistentry>
1632
1633
1634
1635 <varlistentry>
1636 <term><anchor id="DEBUGUID">debug uid (G)</term>
1637 <listitem><para>Samba is sometimes run as root and sometime
1638 run as the connected user, this boolean parameter inserts the
1639 current euid, egid, uid and gid to the timestamp message headers
1640 in the log file if turned on.</para>
1641
1642 <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter>
1643 debug timestamp</parameter></link> must be on for this to have an
1644 effect.</para>
1645
1646 <para>Default: <command>debug uid = no</command></para></listitem>
1647 </varlistentry>
1648
1649
1650
1651 <varlistentry>
1652 <term><anchor id="DEBUGLEVEL">debuglevel (G)</term>
1653 <listitem><para>The value of the parameter (an integer) allows
1654 the debug level (logging level) to be specified in the
1655 <filename>smb.conf</filename> file. This is to give greater
1656 flexibility in the configuration of the system.</para>
1657
1658 <para>The default will be the debug level specified on
1659 the command line or level zero if none was specified.</para>
1660
1661 <para>Example: <command>debug level = 3</command></para></listitem>
1662 </varlistentry>
1663
1664
1665
1666 <varlistentry>
1667 <term><anchor id="DEFAULT">default (G)</term>
1668 <listitem><para>A synonym for <link linkend="DEFAULTSERVICE"><parameter>
1669 default service</parameter></link>.</para></listitem>
1670 </varlistentry>
1671
1672
1673
1674 <varlistentry>
1675 <term><anchor id="DEFAULTCASE">default case (S)</term>
1676 <listitem><para>See the section on <link linkend="NAMEMANGLINGSECT">
1677 NAME MANGLING</link>. Also note the <link linkend="SHORTPRESERVECASE">
1678 <parameter>short preserve case"</parameter></link> parameter.</para>
1679
1680 <para>Default: <command>default case = lower</command></para>
1681 </listitem>
1682 </varlistentry>
1683
1684
1685
1686 <varlistentry>
1687 <term><anchor id="DEFAULTSERVICE">default service (G)</term>
1688 <listitem><para>This parameter specifies the name of a service
1689 which will be connected to if the service actually requested cannot
1690 be found. Note that the square brackets are <emphasis>NOT</emphasis>
1691 given in the parameter value (see example below).</para>
1692
1693 <para>There is no default value for this parameter. If this
1694 parameter is not given, attempting to connect to a nonexistent
1695 service results in an error.</para>
1696
1697 <para>Typically the default service would be a <link linkend="GUESTOK">
1698 <parameter>guest ok</parameter></link>, <link linkend="READONLY">
1699 <parameter>read-only</parameter></link> service.</para>
1700
1701 <para>Also note that the apparent service name will be changed
1702 to equal that of the requested service, this is very useful as it
1703 allows you to use macros like <parameter>%S</parameter> to make
1704 a wildcard service.</para>
1705
1706 <para>Note also that any "_" characters in the name of the service
1707 used in the default service will get mapped to a "/". This allows for
1708 interesting things.</para>
1709
1710
1711 <para>Example:</para>
1712
1713 <para><programlisting>
1714 [global]
1715 default service = pub
1716
1717 [pub]
1718 path = /%S
1719 </programlisting></para>
1720 </listitem>
1721 </varlistentry>
1722
1723
1724
1725 <varlistentry>
1726 <term><anchor id="DELETEREADONLY">delete readonly (S)</term>
1727 <listitem><para>This parameter allows readonly files to be deleted.
1728 This is not normal DOS semantics, but is allowed by UNIX.</para>
1729
1730 <para>This option may be useful for running applications such
1731 as rcs, where UNIX file ownership prevents changing file
1732 permissions, and DOS semantics prevent deletion of a read only file.</para>
1733
1734 <para>Default: <command>delete readonly = no</command></para></listitem>
1735 </varlistentry>
1736
1737
1738
1739
1740 <varlistentry>
1741 <term><anchor id="DELETEUSERSCRIPT">delete user script (G)</term>
1742 <listitem><para>This is the full pathname to a script that will
1743 be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">
1744 <command>smbd(8)</command></ulink> under special circumstances
1745 described below.</para>
1746
1747 <para>Normally, a Samba server requires that UNIX users are
1748 created for all users accessing files on this server. For sites
1749 that use Windows NT account databases as their primary user database
1750 creating these users and keeping the user list in sync with the
1751 Windows NT PDC is an onerous task. This option allows <command>
1752 smbd</command> to delete the required UNIX users <emphasis>ON
1753 DEMAND</emphasis> when a user accesses the Samba server and the
1754 Windows NT user no longer exists.</para>
1755
1756 <para>In order to use this option, <command>smbd</command> must be
1757 set to <parameter>security=domain</parameter> and <parameter>delete
1758 user script</parameter> must be set to a full pathname for a script
1759 that will delete a UNIX user given one argument of <parameter>%u
1760 </parameter>, which expands into the UNIX user name to delete.
1761 <emphasis>NOTE</emphasis> that this is different to the <link
1762 linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link>
1763 which will work with the <parameter>security=server</parameter> option
1764 as well as <parameter>security=domain</parameter>. The reason for this
1765 is only when Samba is a domain member does it get the information
1766 on an attempted user logon that a user no longer exists. In the
1767 <parameter>security=server</parameter> mode a missing user
1768 is treated the same as an invalid password logon attempt. Deleting
1769 the user in this circumstance would not be a good idea.</para>
1770
1771 <para>When the Windows user attempts to access the Samba server,
1772 at <emphasis>login</emphasis> (session setup in the SMB protocol)
1773 time, <command>smbd</command> contacts the <link linkend="PASSWORDSERVER">
1774 <parameter>password server</parameter></link> and attempts to authenticate
1775 the given user with the given password. If the authentication fails
1776 with the specific Domain error code meaning that the user no longer
1777 exists then <command>smbd</command> attempts to find a UNIX user in
1778 the UNIX password database that matches the Windows user account. If
1779 this lookup succeeds, and <parameter>delete user script</parameter> is
1780 set then <command>smbd</command> will all the specified script
1781 <emphasis>AS ROOT</emphasis>, expanding any <parameter>%u</parameter>
1782 argument to be the user name to delete.</para>
1783
1784 <para>This script should delete the given UNIX username. In this way,
1785 UNIX users are dynamically deleted to match existing Windows NT
1786 accounts.</para>
1787
1788 <para>See also <link linkend="SECURITYEQUALSDOMAIN">security=domain</link>,
1789 <link linkend="PASSWORDSERVER"><parameter>password server</parameter>
1790 </link>, <link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter>
1791 </link>.</para>
1792
1793 <para>Default: <command>delete user script = &lt;empty string&gt;
1794 </command></para>
1795 <para>Example: <command>delete user script = /usr/local/samba/bin/del_user
1796 %u</command></para></listitem>
1797 </varlistentry>
1798
1799
1800
1801
1802 <varlistentry>
1803 <term><anchor id="DELETEPRINTERCOMMAND">deleteprinter command (G)</term>
1804 <listitem><para>With the introduction of MS-RPC based printer
1805 support for Windows NT/2000 clients in Samba 2.2, it is now
1806 possible to delete printer at run time by issuing the
1807 DeletePrinter() RPC call.</para>
1808
1809 <para>For a Samba host this means that the printer must be
1810 physically deleted from underlying printing system. The <parameter>
1811 deleteprinter command</parameter> defines a script to be run which
1812 will perform the necessary operations for removing the printer
1813 from the print system and from <filename>smb.conf</filename>.
1814 </para>
1815
1816 <para>The <parameter>deleteprinter command</parameter> is
1817 automatically called with only one parameter: <parameter>
1818 "printer name"</parameter>.</para>
1819
1820
1821 <para>Once the <parameter>deleteprinter command</parameter> has
1822 been executed, <command>smbd</command> will reparse the <filename>
1823 smb.conf</filename> to associated printer no longer exists.
1824 If the sharename is still valid, then <command>smbd
1825 </command> will return an ACCESS_DENIED error to the client.</para>
1826
1827 <para>See also <link linkend="ADDPRINTERCOMMAND"><parameter>
1828 addprinter command</parameter></link>, <link
1829 linkend="printing"><parameter>printing</parameter></link>,
1830 <link linkend="SHOWADDPRINTERWIZARD"><parameter>show add
1831 printer wizard</parameter></link></para>
1832
1833 <para>Default: <emphasis>none</emphasis></para>
1834 <para>Example: <command>deleteprinter command = /usr/bin/removeprinter
1835 </command></para>
1836 </listitem>
1837 </varlistentry>
1838
1839
1840
1841
1842
1843 <varlistentry>
1844 <term><anchor id="DELETEVETOFILES">delete veto files (S)</term>
1845 <listitem><para>This option is used when Samba is attempting to
1846 delete a directory that contains one or more vetoed directories
1847 (see the <link linkend="VETOFILES"><parameter>veto files</parameter></link>
1848 option). If this option is set to False (the default) then if a vetoed
1849 directory contains any non-vetoed files or directories then the
1850 directory delete will fail. This is usually what you want.</para>
1851
1852 <para>If this option is set to <constant>True</constant>, then Samba
1853 will attempt to recursively delete any files and directories within
1854 the vetoed directory. This can be useful for integration with file
1855 serving systems such as NetAtalk which create meta-files within
1856 directories you might normally veto DOS/Windows users from seeing
1857 (e.g. <filename>.AppleDouble</filename>)</para>
1858
1859 <para>Setting <command>delete veto files = yes</command> allows these
1860 directories to be transparently deleted when the parent directory
1861 is deleted (so long as the user has permissions to do so).</para>
1862
1863 <para>See also the <link linkend="VETOFILES"><parameter>veto
1864 files</parameter></link> parameter.</para>
1865
1866 <para>Default: <command>delete veto files = no</command></para></listitem>
1867 </varlistentry>
1868
1869
1870
1871
1872 <varlistentry>
1873 <term><anchor id="DENYHOSTS">deny hosts (S)</term>
1874 <listitem><para>Synonym for <link linkend="HOSTSDENY"><parameter>hosts
1875 deny</parameter></link>.</para></listitem>
1876 </varlistentry>
1877
1878
1879
1880
1881 <varlistentry>
1882 <term><anchor id="DFREECOMMAND">dfree command (G)</term>
1883 <listitem><para>The <parameter>dfree command</parameter> setting should
1884 only be used on systems where a problem occurs with the internal
1885 disk space calculations. This has been known to happen with Ultrix,
1886 but may occur with other operating systems. The symptom that was
1887 seen was an error of "Abort Retry Ignore" at the end of each
1888 directory listing.</para>
1889
1890 <para>This setting allows the replacement of the internal routines to
1891 calculate the total disk space and amount available with an external
1892 routine. The example below gives a possible script that might fulfill
1893 this function.</para>
1894
1895 <para>The external program will be passed a single parameter indicating
1896 a directory in the filesystem being queried. This will typically consist
1897 of the string <filename>./</filename>. The script should return two
1898 integers in ASCII. The first should be the total disk space in blocks,
1899 and the second should be the number of available blocks. An optional
1900 third return value can give the block size in bytes. The default
1901 blocksize is 1024 bytes.</para>
1902
1903 <para>Note: Your script should <emphasis>NOT</emphasis> be setuid or
1904 setgid and should be owned by (and writeable only by) root!</para>
1905
1906 <para>Default: <emphasis>By default internal routines for
1907 determining the disk capacity and remaining space will be used.
1908 </emphasis></para>
1909
1910 <para>Example: <command>dfree command = /usr/local/samba/bin/dfree
1911 </command></para>
1912
1913 <para>Where the script dfree (which must be made executable) could be:</para>
1914
1915 <para><programlisting>
1916 #!/bin/sh
1917 df $1 | tail -1 | awk '{print $2" "$4}'
1918 </programlisting></para>
1919
1920 <para>or perhaps (on Sys V based systems):</para>
1921
1922 <para><programlisting>
1923 #!/bin/sh
1924 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
1925 </programlisting></para>
1926
1927 <para>Note that you may have to replace the command names
1928 with full path names on some systems.</para>
1929 </listitem>
1930 </varlistentry>
1931
1932
1933
1934
1935 <varlistentry>
1936 <term><anchor id="DIRECTORY">directory (S)</term>
1937 <listitem><para>Synonym for <link linkend="PATH"><parameter>path
1938 </parameter></link>.</para></listitem>
1939 </varlistentry>
1940
1941
1942
1943 <varlistentry>
1944 <term><anchor id="DIRECTORYMASK">directory mask (S)</term>
1945 <listitem><para>This parameter is the octal modes which are
1946 used when converting DOS modes to UNIX modes when creating UNIX
1947 directories.</para>
1948
1949 <para>When a directory is created, the necessary permissions are
1950 calculated according to the mapping from DOS modes to UNIX permissions,
1951 and the resulting UNIX mode is then bit-wise 'AND'ed with this
1952 parameter. This parameter may be thought of as a bit-wise MASK for
1953 the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set
1954 here will be removed from the modes set on a directory when it is
1955 created.</para>
1956
1957 <para>The default value of this parameter removes the 'group'
1958 and 'other' write bits from the UNIX mode, allowing only the
1959 user who owns the directory to modify it.</para>
1960
1961 <para>Following this Samba will bit-wise 'OR' the UNIX mode
1962 created from this parameter with the value of the <link
1963 linkend="FORCEDIRECTORYMODE"><parameter>force directory mode
1964 </parameter></link> parameter. This parameter is set to 000 by
1965 default (i.e. no extra mode bits are added).</para>
1966
1967 <para>See the <link linkend="FORCEDIRECTORYMODE"><parameter>force
1968 directory mode</parameter></link> parameter to cause particular mode
1969 bits to always be set on created directories.</para>
1970
1971 <para>See also the <link linkend="CREATEMODE"><parameter>create mode
1972 </parameter></link> parameter for masking mode bits on created files,
1973 and the <link linkend="DIRECTORYSECURITYMASK"><parameter>directory
1974 security mask</parameter></link> parameter.</para>
1975
1976 <para>Also refer to the <link linkend="INHERITPERMISSIONS"><parameter>
1977 inherit permissions</parameter></link> parameter.</para>
1978
1979 <para>Default: <command>directory mask = 0755</command></para>
1980 <para>Example: <command>directory mask = 0775</command></para>
1981 </listitem>
1982 </varlistentry>
1983
1984
1985
1986 <varlistentry>
1987 <term><anchor id="DIRECTORYMODE">directory mode (S)</term>
1988 <listitem><para>Synonym for <link linkend="DIRECTORYMASK"><parameter>
1989 directory mask</parameter></link></para></listitem>
1990 </varlistentry>
1991
1992
1993
1994 <varlistentry>
1995 <term><anchor id="DIRECTORYSECURITYMASK">directory security mask (S)</term>
1996 <listitem><para>This parameter controls what UNIX permission bits
1997 can be modified when a Windows NT client is manipulating the UNIX
1998 permission on a directory using the native NT security dialog
1999 box.</para>
2000
2001 <para>This parameter is applied as a mask (AND'ed with) to
2002 the changed permission bits, thus preventing any bits not in
2003 this mask from being modified. Essentially, zero bits in this
2004 mask may be treated as a set of bits the user is not allowed
2005 to change.</para>
2006
2007 <para>If not set explicitly this parameter is set to the same
2008 value as the <link linkend="DIRECTORYMASK"><parameter>directory
2009 mask</parameter></link> parameter. To allow a user to
2010 modify all the user/group/world permissions on a directory, set
2011 this parameter to 0777.</para>
2012
2013 <para><emphasis>Note</emphasis> that users who can access the
2014 Samba server through other means can easily bypass this restriction,
2015 so it is primarily useful for standalone "appliance" systems.
2016 Administrators of most normal systems will probably want to set
2017 it to 0777.</para>
2018
2019 <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>
2020 force directory security mode</parameter></link>, <link
2021 linkend="SECURITYMASK"><parameter>security mask</parameter></link>,
2022 <link linkend="FORCESECURITYMODE"><parameter>force security mode
2023 </parameter></link> parameters.</para>
2024
2025 <para>Default: <command>directory security mask = &lt;same as
2026 directory mask&gt;</command></para>
2027 <para>Example: <command>directory security mask = 0777</command></para>
2028 </listitem>
2029 </varlistentry>
2030
2031
2032
2033 <varlistentry>
2034 <term><anchor id="DNSPROXY">dns proxy (G)</term>
2035 <listitem><para>Specifies that <ulink url="nmbd.8.html">nmbd(8)</ulink>
2036 when acting as a WINS server and finding that a NetBIOS name has not
2037 been registered, should treat the NetBIOS name word-for-word as a DNS
2038 name and do a lookup with the DNS server for that name on behalf of
2039 the name-querying client.</para>
2040
2041 <para>Note that the maximum length for a NetBIOS name is 15
2042 characters, so the DNS name (or DNS alias) can likewise only be
2043 15 characters, maximum.</para>
2044
2045 <para><command>nmbd</command> spawns a second copy of itself to do the
2046 DNS name lookup requests, as doing a name lookup is a blocking
2047 action.</para>
2048
2049 <para>See also the parameter <link linkend="WINSSUPPORT"><parameter>
2050 wins support</parameter></link>.</para>
2051
2052 <para>Default: <command>dns proxy = yes</command></para></listitem>
2053 </varlistentry>
2054
2055
2056
2057 <varlistentry>
2058 <term><anchor id="DOMAINADMINGROUP">domain admin group (G)</term>
2059 <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
2060 that is part of the unfinished Samba NT Domain Controller Code. It may
2061 be removed in a later release. To work with the latest code builds
2062 that may have more support for Samba NT Domain Controller functionality
2063 please subscribe to the mailing list <ulink
2064 url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
2065 visiting the web page at <ulink url="http://lists.samba.org/">
2066 http://lists.samba.org/</ulink>.</para></listitem>
2067 </varlistentry>
2068
2069
2070 <varlistentry>
2071 <term><anchor id="DOMAINADMINUSERS">domain admin users (G)</term>
2072 <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
2073 that is part of the unfinished Samba NT Domain Controller Code. It may
2074 be removed in a later release. To work with the latest code builds
2075 that may have more support for Samba NT Domain Controller functionality
2076 please subscribe to the mailing list <ulink
2077 url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
2078 visiting the web page at <ulink url="http://lists.samba.org/">
2079 http://lists.samba.org/</ulink>.</para></listitem>
2080 </varlistentry>
2081
2082
2083 <varlistentry>
2084 <term><anchor id="DOMAINGROUPS">domain groups (G)</term>
2085 <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
2086 that is part of the unfinished Samba NT Domain Controller Code. It may
2087 be removed in a later release. To work with the latest code builds
2088 that may have more support for Samba NT Domain Controller functionality
2089 please subscribe to the mailing list <ulink
2090 url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
2091 visiting the web page at <ulink url="http://lists.samba.org/">
2092 http://lists.samba.org/</ulink>.</para></listitem>
2093 </varlistentry>
2094
2095
2096
2097 <varlistentry>
2098 <term><anchor id="DOMAINGUESTGROUP">domain guest group (G)</term>
2099 <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
2100 that is part of the unfinished Samba NT Domain Controller Code. It may
2101 be removed in a later release. To work with the latest code builds
2102 that may have more support for Samba NT Domain Controller functionality
2103 please subscribe to the mailing list <ulink
2104 url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
2105 visiting the web page at <ulink url="http://lists.samba.org/">
2106 http://lists.samba.org/</ulink>.</para></listitem>
2107 </varlistentry>
2108
2109
2110 <varlistentry>
2111 <term><anchor id="DOMAINGUESTUSERS">domain guest users (G)</term>
2112 <listitem><para>This is an <emphasis>EXPERIMENTAL</emphasis> parameter
2113 that is part of the unfinished Samba NT Domain Controller Code. It may
2114 be removed in a later release. To work with the latest code builds
2115 that may have more support for Samba NT Domain Controller functionality
2116 please subscribe to the mailing list <ulink
2117 url="mailto:samba-ntdom@samba.org">samba-ntdom</ulink> available by
2118 visiting the web page at <ulink url="http://lists.samba.org/">
2119 http://lists.samba.org/</ulink>.</para></listitem>
2120 </varlistentry>
2121
2122
2123 <varlistentry>
2124 <term><anchor id="DOMAINLOGONS">domain logons (G)</term>
2125 <listitem><para>If set to true, the Samba server will serve
2126 Windows 95/98 Domain logons for the <link linkend="WORKGROUP">
2127 <parameter>workgroup</parameter></link> it is in. Samba 2.2 also
2128 has limited capability to act as a domain controller for Windows
2129 NT 4 Domains. For more details on setting up this feature see
2130 the file DOMAINS.txt in the Samba documentation directory <filename>docs/
2131 </filename> shipped with the source code.</para>
2132
2133 <para>Default: <command>domain logons = no</command></para></listitem>
2134 </varlistentry>
2135
2136
2137
2138 <varlistentry>
2139 <term><anchor id="DOMAINMASTER">domain master (G)</term>
2140 <listitem><para>Tell <ulink url="nmbd.8.html"><command>
2141 nmbd(8)</command></ulink> to enable WAN-wide browse list
2142 collation. Setting this option causes <command>nmbd</command> to
2143 claim a special domain specific NetBIOS name that identifies
2144 it as a domain master browser for its given <link linkend="WORKGROUP">
2145 <parameter>workgroup</parameter></link>. Local master browsers
2146 in the same <parameter>workgroup</parameter> on broadcast-isolated
2147 subnets will give this <command>nmbd</command> their local browse lists,
2148 and then ask <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
2149 for a complete copy of the browse list for the whole wide area
2150 network. Browser clients will then contact their local master browser,
2151 and will receive the domain-wide browse list, instead of just the list
2152 for their broadcast-isolated subnet.</para>
2153
2154 <para>Note that Windows NT Primary Domain Controllers expect to be
2155 able to claim this <parameter>workgroup</parameter> specific special
2156 NetBIOS name that identifies them as domain master browsers for
2157 that <parameter>workgroup</parameter> by default (i.e. there is no
2158 way to prevent a Windows NT PDC from attempting to do this). This
2159 means that if this parameter is set and <command>nmbd</command> claims
2160 the special name for a <parameter>workgroup</parameter> before a Windows
2161 NT PDC is able to do so then cross subnet browsing will behave
2162 strangely and may fail.</para>
2163
2164 <para>If <link linkend="DOMAINLOGONS"><command>domain logons = yes</command>
2165 </link>, then the default behavior is to enable the <parameter>domain
2166 master</parameter> parameter. If <parameter>domain logons</parameter> is
2167 not enabled (the default setting), then neither will <parameter>domain
2168 master</parameter> be enabled by default.</para>
2169
2170 <para>Default: <command>domain master = auto</command></para></listitem>
2171 </varlistentry>
2172
2173
2174
2175
2176 <varlistentry>
2177 <term><anchor id="DONTDESCEND">dont descend (S)</term>
2178 <listitem><para>There are certain directories on some systems
2179 (e.g., the <filename>/proc</filename> tree under Linux) that are either not
2180 of interest to clients or are infinitely deep (recursive). This
2181 parameter allows you to specify a comma-delimited list of directories
2182 that the server should always show as empty.</para>
2183
2184 <para>Note that Samba can be very fussy about the exact format
2185 of the "dont descend" entries. For example you may need <filename>
2186 ./proc</filename> instead of just <filename>/proc</filename>.
2187 Experimentation is the best policy :-) </para>
2188
2189 <para>Default: <emphasis>none (i.e., all directories are OK
2190 to descend)</emphasis></para>
2191 <para>Example: <command>dont descend = /proc,/dev</command></para>
2192 </listitem>
2193 </varlistentry>
2194
2195
2196
2197 <varlistentry>
2198 <term><anchor id="DOSFILEMODE">dos filemode (S)</term>
2199 <listitem><para> The default behavior in Samba is to provide
2200 UNIX-like behavor where only the owner of a file/directory is
2201 able to change the permissions on it. However, this behavior
2202 is often confusing to DOS/Windows users. Enabling this parameter
2203 allows a user who has write access to the file (by whatever
2204 means) to modify the permissions on it. Note that a user
2205 belonging to the group owning the file will not be allowed to
2206 change permissions if the group is only granted read access.
2207 Ownership of the file/directory is not changed, only the permissions
2208 are modified.</para>
2209
2210 <para>Default: <command>dos filemode = no</command></para>
2211 </listitem>
2212 </varlistentry>
2213
2214
2215
2216 <varlistentry>
2217 <term><anchor id="DOSFILETIMERESOLUTION">dos filetime resolution (S)</term>
2218 <listitem><para>Under the DOS and Windows FAT filesystem, the finest
2219 granularity on time resolution is two seconds. Setting this parameter
2220 for a share causes Samba to round the reported time down to the
2221 nearest two second boundary when a query call that requires one second
2222 resolution is made to <ulink url="smbd.8.html"><command>smbd(8)</command>
2223 </ulink>.</para>
2224
2225 <para>This option is mainly used as a compatibility option for Visual
2226 C++ when used against Samba shares. If oplocks are enabled on a
2227 share, Visual C++ uses two different time reading calls to check if a
2228 file has changed since it was last read. One of these calls uses a
2229 one-second granularity, the other uses a two second granularity. As
2230 the two second call rounds any odd second down, then if the file has a
2231 timestamp of an odd number of seconds then the two timestamps will not
2232 match and Visual C++ will keep reporting the file has changed. Setting
2233 this option causes the two timestamps to match, and Visual C++ is
2234 happy.</para>
2235
2236 <para>Default: <command>dos filetime resolution = no</command></para>
2237 </listitem>
2238 </varlistentry>
2239
2240
2241
2242 <varlistentry>
2243 <term><anchor id="DOSFILETIMES">dos filetimes (S)</term>
2244 <listitem><para>Under DOS and Windows, if a user can write to a
2245 file they can change the timestamp on it. Under POSIX semantics,
2246 only the owner of the file or root may change the timestamp. By
2247 default, Samba runs with POSIX semantics and refuses to change the
2248 timestamp on a file if the user <command>smbd</command> is acting
2249 on behalf of is not the file owner. Setting this option to <constant>
2250 True</constant> allows DOS semantics and smbd will change the file
2251 timestamp as DOS requires.</para>
2252
2253 <para>Default: <command>dos filetimes = no</command></para></listitem>
2254 </varlistentry>
2255
2256
2257
2258 <varlistentry>
2259 <term><anchor id="ENCRYPTPASSWORDS">encrypt passwords (G)</term>
2260 <listitem><para>This boolean controls whether encrypted passwords
2261 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
2262 above and also Windows 98 will by default expect encrypted passwords
2263 unless a registry entry is changed. To use encrypted passwords in
2264 Samba see the file ENCRYPTION.txt in the Samba documentation
2265 directory <filename>docs/</filename> shipped with the source code.</para>
2266
2267 <para>In order for encrypted passwords to work correctly
2268 <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> must either
2269 have access to a local <ulink url="smbpasswd.5.html"><filename>smbpasswd(5)
2270 </filename></ulink> file (see the <ulink url="smbpasswd.8.html"><command>
2271 smbpasswd(8)</command></ulink> program for information on how to set up
2272 and maintain this file), or set the <link
2273 linkend="SECURITY">security=[serve|domain]</link> parameter which
2274 causes <command>smbd</command> to authenticate against another
2275 server.</para>
2276
2277 <para>Default: <command>encrypt passwords = no</command></para></listitem>
2278 </varlistentry>
2279
2280
2281 <varlistentry>
2282 <term><anchor id="ENHANCEDBROWSING">enhanced browsing (G)</term>
2283 <listitem><para>This option enables a couple of enhancements to
2284 cross-subnet browse propogation that have been added in Samba
2285 but which are not standard in Microsoft implementations.
2286 <emphasis>These enhancements are currently only available in
2287 the HEAD Samba CVS tree (not Samba 2.2.x).</emphasis></para>
2288
2289 <para>The first enhancement to browse propogation consists of a regular
2290 wildcard query to a Samba WINS server for all Domain Master Browsers,
2291 followed by a browse synchronisation with each of the returned
2292 DMBs. The second enhancement consists of a regular randomised browse
2293 synchronisation with all currently known DMBs.</para>
2294
2295 <para>You may wish to disable this option if you have a problem with empty
2296 workgroups not disappearing from browse lists. Due to the restrictions
2297 of the browse protocols these enhancements can cause a empty workgroup
2298 to stay around forever which can be annoying.</para>
2299
2300 <para>In general you should leave this option enabled as it makes
2301 cross-subnet browse propogation much more reliable.</para>
2302
2303 <para>Default: <command>enhanced browsing = yes</command></para>
2304 </listitem>
2305 </varlistentry>
2306
2307
2308 <varlistentry>
2309 <term><anchor id="ENUMPORTSCOMMAND">enumports command (G)</term>
2310 <listitem><para>The concept of a "port" is fairly foreign
2311 to UNIX hosts. Under Windows NT/2000 print servers, a port
2312 is associated with a port monitor and generally takes the form of
2313 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
2314 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
2315 port defined--<constant>"Samba Printer Port"</constant>. Under
2316 Windows NT/2000, all printers must have a valid port name.
2317 If you wish to have a list of ports displayed (<command>smbd
2318 </command> does not use a port name for anything) other than
2319 the default <constant>"Samba Printer Port"</constant>, you
2320 can define <parameter>enumports command</parameter> to point to
2321 a program which should generate a list of ports, one per line,
2322 to standard output. This listing will then be used in response
2323 to the level 1 and 2 EnumPorts() RPC.</para>
2324
2325 <para>Default: <emphasis>no enumports command</emphasis></para>
2326 <para>Example: <command>enumports command = /usr/bin/listports
2327 </command></para>
2328 </listitem>
2329 </varlistentry>
2330
2331 <varlistentry>
2332 <term><anchor id="EXEC">exec (S)</term>
2333 <listitem><para>This is a synonym for <link linkend="PREEXEC">
2334 <parameter>preexec</parameter></link>.</para></listitem>
2335 </varlistentry>
2336
2337
2338
2339 <varlistentry>
2340 <term><anchor id="FAKEDIRECTORYCREATETIMES">fake directory create times (S)</term>
2341 <listitem><para>NTFS and Windows VFAT file systems keep a create
2342 time for all files and directories. This is not the same as the
2343 ctime - status change time - that Unix keeps, so Samba by default
2344 reports the earliest of the various times Unix does keep. Setting
2345 this parameter for a share causes Samba to always report midnight
2346 1-1-1980 as the create time for directories.</para>
2347
2348 <para>This option is mainly used as a compatibility option for
2349 Visual C++ when used against Samba shares. Visual C++ generated
2350 makefiles have the object directory as a dependency for each object
2351 file, and a make rule to create the directory. Also, when NMAKE
2352 compares timestamps it uses the creation time when examining a
2353 directory. Thus the object directory will be created if it does not
2354 exist, but once it does exist it will always have an earlier
2355 timestamp than the object files it contains.</para>
2356
2357 <para>However, Unix time semantics mean that the create time
2358 reported by Samba will be updated whenever a file is created or
2359 or deleted in the directory. NMAKE finds all object files in
2360 the object directory. The timestamp of the last one built is then
2361 compared to the timestamp of the object dircetory. If the
2362 directory's timestamp if newer, then all object files
2363 will be rebuilt. Enabling this option
2364 ensures directories always predate their contents and an NMAKE build
2365 will proceed as expected.</para>
2366
2367 <para>Default: <command>fake directory create times = no</command></para>
2368 </listitem>
2369 </varlistentry>
2370
2371
2372
2373 <varlistentry>
2374 <term><anchor id="FAKEOPLOCKS">fake oplocks (S)</term>
2375 <listitem><para>Oplocks are the way that SMB clients get permission
2376 from a server to locally cache file operations. If a server grants
2377 an oplock (opportunistic lock) then the client is free to assume
2378 that it is the only one accessing the file and it will aggressively
2379 cache file data. With some oplock types the client may even cache
2380 file open/close operations. This can give enormous performance benefits.
2381 </para>
2382
2383 <para>When you set <command>fake oplocks = yes</command>, <ulink
2384 url="smbd.8.html"><command>smbd(8)</command></ulink> will
2385 always grant oplock requests no matter how many clients are using
2386 the file.</para>
2387
2388 <para>It is generally much better to use the real <link
2389 linkend="OPLOCKS"><parameter>oplocks</parameter></link> support rather
2390 than this parameter.</para>
2391
2392 <para>If you enable this option on all read-only shares or
2393 shares that you know will only be accessed from one client at a
2394 time such as physically read-only media like CDROMs, you will see
2395 a big performance improvement on many operations. If you enable
2396 this option on shares where multiple clients may be accessing the
2397 files read-write at the same time you can get data corruption. Use
2398 this option carefully!</para>
2399
2400 <para>Default: <command>fake oplocks = no</command></para></listitem>
2401 </varlistentry>
2402
2403
2404
2405 <varlistentry>
2406 <term><anchor id="FOLLOWSYMLINKS">follow symlinks (S)</term>
2407 <listitem><para>This parameter allows the Samba administrator
2408 to stop <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
2409 from following symbolic links in a particular share. Setting this
2410 parameter to <constant>no</constant> prevents any file or directory
2411 that is a symbolic link from being followed (the user will get an
2412 error). This option is very useful to stop users from adding a
2413 symbolic link to <filename>/etc/passwd</filename> in their home
2414 directory for instance. However it will slow filename lookups
2415 down slightly.</para>
2416
2417 <para>This option is enabled (i.e. <command>smbd</command> will
2418 follow symbolic links) by default.</para>
2419
2420 <para>Default: <command>follow symlinks = yes</command></para></listitem>
2421 </varlistentry>
2422
2423
2424
2425 <varlistentry>
2426 <term><anchor id="FORCECREATEMODE">force create mode (S)</term>
2427 <listitem><para>This parameter specifies a set of UNIX mode bit
2428 permissions that will <emphasis>always</emphasis> be set on a
2429 file created by Samba. This is done by bitwise 'OR'ing these bits onto
2430 the mode bits of a file that is being created or having its
2431 permissions changed. The default for this parameter is (in octal)
2432 000. The modes in this parameter are bitwise 'OR'ed onto the file
2433 mode after the mask set in the <parameter>create mask</parameter>
2434 parameter is applied.</para>
2435
2436 <para>See also the parameter <link linkend="CREATEMASK"><parameter>create
2437 mask</parameter></link> for details on masking mode bits on files.</para>
2438
2439 <para>See also the <link linkend="INHERITPERMISSIONS"><parameter>inherit
2440 permissions</parameter></link> parameter.</para>
2441
2442 <para>Default: <command>force create mode = 000</command></para>
2443 <para>Example: <command>force create mode = 0755</command></para>
2444
2445 <para>would force all created files to have read and execute
2446 permissions set for 'group' and 'other' as well as the
2447 read/write/execute bits set for the 'user'.</para>
2448 </listitem>
2449 </varlistentry>
2450
2451
2452
2453 <varlistentry>
2454 <term><anchor id="FORCEDIRECTORYMODE">force directory mode (S)</term>
2455 <listitem><para>This parameter specifies a set of UNIX mode bit
2456 permissions that will <emphasis>always</emphasis> be set on a directory
2457 created by Samba. This is done by bitwise 'OR'ing these bits onto the
2458 mode bits of a directory that is being created. The default for this
2459 parameter is (in octal) 0000 which will not add any extra permission
2460 bits to a created directory. This operation is done after the mode
2461 mask in the parameter <parameter>directory mask</parameter> is
2462 applied.</para>
2463
2464 <para>See also the parameter <link linkend="DIRECTORYMASK"><parameter>
2465 directory mask</parameter></link> for details on masking mode bits
2466 on created directories.</para>
2467
2468 <para>See also the <link linkend="INHERITPERMISSIONS"><parameter>
2469 inherit permissions</parameter></link> parameter.</para>
2470
2471 <para>Default: <command>force directory mode = 000</command></para>
2472 <para>Example: <command>force directory mode = 0755</command></para>
2473
2474 <para>would force all created directories to have read and execute
2475 permissions set for 'group' and 'other' as well as the
2476 read/write/execute bits set for the 'user'.</para>
2477 </listitem>
2478 </varlistentry>
2479
2480
2481
2482 <varlistentry>
2483 <term><anchor id="FORCEDIRECTORYSECURITYMODE">force directory
2484 security mode (S)</term>
2485 <listitem><para>This parameter controls what UNIX permission bits
2486 can be modified when a Windows NT client is manipulating the UNIX
2487 permission on a directory using the native NT security dialog box.</para>
2488
2489 <para>This parameter is applied as a mask (OR'ed with) to the
2490 changed permission bits, thus forcing any bits in this mask that
2491 the user may have modified to be on. Essentially, one bits in this
2492 mask may be treated as a set of bits that, when modifying security
2493 on a directory, the user has always set to be 'on'.</para>
2494
2495 <para>If not set explicitly this parameter is set to the same
2496 value as the <link linkend="FORCEDIRECTORYMODE"><parameter>force
2497 directory mode</parameter></link> parameter. To allow
2498 a user to modify all the user/group/world permissions on a
2499 directory without restrictions, set this parameter to 000.</para>
2500
2501 <para><emphasis>Note</emphasis> that users who can access the
2502 Samba server through other means can easily bypass this restriction,
2503 so it is primarily useful for standalone "appliance" systems.
2504 Administrators of most normal systems will probably want to set
2505 it to 0000.</para>
2506
2507 <para>See also the <link linkend="DIRECTORYSECURITYMASK"><parameter>
2508 directory security mask</parameter></link>, <link linkend="SECURITYMASK">
2509 <parameter>security mask</parameter></link>,
2510 <link linkend="FORCESECURITYMODE"><parameter>force security mode
2511 </parameter></link> parameters.</para>
2512
2513 <para>Default: <command>force directory security mode = &lt;same as
2514 force directory mode&gt;</command></para>
2515 <para>Example: <command>force directory security mode = 0</command></para>
2516 </listitem>
2517 </varlistentry>
2518
2519
2520
2521
2522 <varlistentry>
2523 <term><anchor id="FORCEGROUP">force group (S)</term>
2524 <listitem><para>This specifies a UNIX group name that will be
2525 assigned as the default primary group for all users connecting
2526 to this service. This is useful for sharing files by ensuring
2527 that all access to files on service will use the named group for
2528 their permissions checking. Thus, by assigning permissions for this
2529 group to the files and directories within this service the Samba
2530 administrator can restrict or allow sharing of these files.</para>
2531
2532 <para>In Samba 2.0.5 and above this parameter has extended
2533 functionality in the following way. If the group name listed here
2534 has a '+' character prepended to it then the current user accessing
2535 the share only has the primary group default assigned to this group
2536 if they are already assigned as a member of that group. This allows
2537 an administrator to decide that only users who are already in a
2538 particular group will create files with group ownership set to that
2539 group. This gives a finer granularity of ownership assignment. For
2540 example, the setting <filename>force group = +sys</filename> means
2541 that only users who are already in group sys will have their default
2542 primary group assigned to sys when accessing this Samba share. All
2543 other users will retain their ordinary primary group.</para>
2544
2545 <para>If the <link linkend="FORCEUSER"><parameter>force user
2546 </parameter></link> parameter is also set the group specified in
2547 <parameter>force group</parameter> will override the primary group
2548 set in <parameter>force user</parameter>.</para>
2549
2550 <para>See also <link linkend="FORCEUSER"><parameter>force
2551 user</parameter></link>.</para>
2552
2553 <para>Default: <emphasis>no forced group</emphasis></para>
2554 <para>Example: <command>force group = agroup</command></para>
2555 </listitem>
2556 </varlistentry>
2557
2558
2559
2560 <varlistentry>
2561 <term><anchor id="FORCESECURITYMODE">force security mode (S)</term>
2562 <listitem><para>This parameter controls what UNIX permission
2563 bits can be modified when a Windows NT client is manipulating
2564 the UNIX permission on a file using the native NT security dialog
2565 box.</para>
2566
2567 <para>This parameter is applied as a mask (OR'ed with) to the
2568 changed permission bits, thus forcing any bits in this mask that
2569 the user may have modified to be on. Essentially, one bits in this
2570 mask may be treated as a set of bits that, when modifying security
2571 on a file, the user has always set to be 'on'.</para>
2572
2573 <para>If not set explicitly this parameter is set to the same
2574 value as the <link linkend="FORCECREATEMODE"><parameter>force
2575 create mode</parameter></link> parameter. To allow a user to
2576 modify all the user/group/world permissions on a file, with no
2577 restrictions set this parameter to 000.</para>
2578
2579 <para><emphasis>Note</emphasis> that users who can access
2580 the Samba server through other means can easily bypass this restriction,
2581 so it is primarily useful for standalone "appliance" systems.
2582 Administrators of most normal systems will probably want to set
2583 it to 0000.</para>
2584
2585 <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>
2586 force directory security mode</parameter></link>,
2587 <link linkend="DIRECTORYSECURITYMASK"><parameter>directory security
2588 mask</parameter></link>, <link linkend="SECURITYMASK"><parameter>
2589 security mask</parameter></link> parameters.</para>
2590
2591 <para>Default: <command>force security mode = &lt;same as force
2592 create mode&gt;</command></para>
2593 <para>Example: <command>force security mode = 0</command></para>
2594 </listitem>
2595 </varlistentry>
2596
2597
2598
2599 <varlistentry>
2600 <term><anchor id="FORCEUSER">force user (S)</term>
2601 <listitem><para>This specifies a UNIX user name that will be
2602 assigned as the default user for all users connecting to this service.
2603 This is useful for sharing files. You should also use it carefully
2604 as using it incorrectly can cause security problems.</para>
2605
2606 <para>This user name only gets used once a connection is established.
2607 Thus clients still need to connect as a valid user and supply a
2608 valid password. Once connected, all file operations will be performed
2609 as the "forced user", no matter what username the client connected
2610 as. This can be very useful.</para>
2611
2612 <para>In Samba 2.0.5 and above this parameter also causes the
2613 primary group of the forced user to be used as the primary group
2614 for all file activity. Prior to 2.0.5 the primary group was left
2615 as the primary group of the connecting user (this was a bug).</para>
2616
2617 <para>See also <link linkend="FORCEGROUP"><parameter>force group
2618 </parameter></link></para>
2619
2620 <para>Default: <emphasis>no forced user</emphasis></para>
2621 <para>Example: <command>force user = auser</command></para>
2622 </listitem>
2623 </varlistentry>
2624
2625
2626
2627 <varlistentry>
2628 <term><anchor id="FSTYPE">fstype (S)</term>
2629 <listitem><para>This parameter allows the administrator to
2630 configure the string that specifies the type of filesystem a share
2631 is using that is reported by <ulink url="smbd.8.html"><command>smbd(8)
2632 </command></ulink> when a client queries the filesystem type
2633 for a share. The default type is <constant>NTFS</constant> for
2634 compatibility with Windows NT but this can be changed to other
2635 strings such as <constant>Samba</constant> or <constant>FAT
2636 </constant> if required.</para>
2637
2638 <para>Default: <command>fstype = NTFS</command></para>
2639 <para>Example: <command>fstype = Samba</command></para></listitem>
2640 </varlistentry>
2641
2642
2643
2644 <varlistentry>
2645 <term><anchor id="GETWDCACHE">getwd cache (G)</term>
2646 <listitem><para>This is a tuning option. When this is enabled a
2647 caching algorithm will be used to reduce the time taken for getwd()
2648 calls. This can have a significant impact on performance, especially
2649 when the <link linkend="WIDELINKS"><parameter>wide links</parameter>
2650 </link>parameter is set to <constant>False</constant>.</para>
2651
2652 <para>Default: <command>getwd cache = yes</command></para>
2653 </listitem>
2654 </varlistentry>
2655
2656
2657
2658 <varlistentry>
2659 <term><anchor id="GROUP">group (S)</term>
2660 <listitem><para>Synonym for <link linkend="FORCEGROUP"><parameter>force
2661 group</parameter></link>.</para></listitem>
2662 </varlistentry>
2663
2664
2665
2666 <varlistentry>
2667 <term><anchor id="GUESTACCOUNT">guest account (S)</term>
2668 <listitem><para>This is a username which will be used for access
2669 to services which are specified as <link linkend="GUESTOK"><parameter>
2670 guest ok</parameter></link> (see below). Whatever privileges this
2671 user has will be available to any client connecting to the guest service.
2672 Typically this user will exist in the password file, but will not
2673 have a valid login. The user account "ftp" is often a good choice
2674 for this parameter. If a username is specified in a given service,
2675 the specified username overrides this one.</para>
2676
2677 <para>One some systems the default guest account "nobody" may not
2678 be able to print. Use another account in this case. You should test
2679 this by trying to log in as your guest user (perhaps by using the
2680 <command>su -</command> command) and trying to print using the
2681 system print command such as <command>lpr(1)</command> or <command>
2682 lp(1)</command>.</para>
2683
2684 <para>Default: <emphasis>specified at compile time, usually
2685 "nobody"</emphasis></para>
2686
2687 <para>Example: <command>guest account = ftp</command></para></listitem>
2688 </varlistentry>
2689
2690
2691
2692 <varlistentry>
2693 <term><anchor id="GUESTOK">guest ok (S)</term>
2694 <listitem><para>If this parameter is <constant>yes</constant> for
2695 a service, then no password is required to connect to the service.
2696 Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter>
2697 guest account</parameter></link>.</para>
2698
2699 <para>See the section below on <link linkend="SECURITY"><parameter>
2700 security</parameter></link> for more information about this option.
2701 </para>
2702
2703 <para>Default: <command>guest ok = no</command></para></listitem>
2704 </varlistentry>
2705
2706
2707
2708 <varlistentry>
2709 <term><anchor id="GUESTONLY">guest only (S)</term>
2710 <listitem><para>If this parameter is <constant>yes</constant> for
2711 a service, then only guest connections to the service are permitted.
2712 This parameter will have no effect if <link linkend="GUESTOK">
2713 <parameter>guest ok</parameter></link> is not set for the service.</para>
2714
2715 <para>See the section below on <link linkend="SECURITY"><parameter>
2716 security</parameter></link> for more information about this option.
2717 </para>
2718
2719 <para>Default: <command>guest only = no</command></para></listitem>
2720 </varlistentry>
2721
2722
2723
2724 <varlistentry>
2725 <term><anchor id="HIDEDOTFILES">hide dot files (S)</term>
2726 <listitem><para>This is a boolean parameter that controls whether
2727 files starting with a dot appear as hidden files.</para>
2728
2729 <para>Default: <command>hide dot files = yes</command></para></listitem>
2730 </varlistentry>
2731
2732
2733
2734 <varlistentry>
2735 <term><anchor id="HIDEFILES">hide files(S)</term>
2736 <listitem><para>This is a list of files or directories that are not
2737 visible but are accessible. The DOS 'hidden' attribute is applied
2738 to any files or directories that match.</para>
2739
2740 <para>Each entry in the list must be separated by a '/',
2741 which allows spaces to be included in the entry. '*'
2742 and '?' can be used to specify multiple files or directories
2743 as in DOS wildcards.</para>
2744
2745 <para>Each entry must be a Unix path, not a DOS path and must
2746 not include the Unix directory separator '/'.</para>
2747
2748 <para>Note that the case sensitivity option is applicable
2749 in hiding files.</para>
2750
2751 <para>Setting this parameter will affect the performance of Samba,
2752 as it will be forced to check all files and directories for a match
2753 as they are scanned.</para>
2754
2755 <para>See also <link linkend="HIDEDOTFILES"><parameter>hide
2756 dot files</parameter></link>, <link linkend="VETOFILES"><parameter>
2757 veto files</parameter></link> and <link linkend="CASESENSITIVE">
2758 <parameter>case sensitive</parameter></link>.</para>
2759
2760 <para>Default: <emphasis>no file are hidden</emphasis></para>
2761 <para>Example: <command>hide files =
2762 /.*/DesktopFolderDB/TrashFor%m/resource.frk/</command></para>
2763
2764 <para>The above example is based on files that the Macintosh
2765 SMB client (DAVE) available from <ulink url="http://www.thursby.com">
2766 Thursby</ulink> creates for internal use, and also still hides
2767 all files beginning with a dot.</para></listitem>
2768 </varlistentry>
2769
2770
2771
2772 <varlistentry>
2773 <term><anchor id="HIDELOCALUSERS">hide local users(G)</term>
2774 <listitem><para>This parameter toggles the hiding of local UNIX
2775 users (root, wheel, floppy, etc) from remote clients.</para>
2776
2777 <para>Default: <command>hide local users = no</command></para></listitem>
2778 </varlistentry>
2779
2780
2781
2782 <varlistentry>
2783 <term><anchor id="HOMEDIRMAP">homedir map (G)</term>
2784 <listitem><para>If<link linkend="NISHOMEDIR"><parameter>nis homedir
2785 </parameter></link> is <constant>True</constant>, and <ulink
2786 url="smbd.8.html"><command>smbd(8)</command></ulink> is also acting
2787 as a Win95/98 <parameter>logon server</parameter> then this parameter
2788 specifies the NIS (or YP) map from which the server for the user's
2789 home directory should be extracted. At present, only the Sun
2790 auto.home map format is understood. The form of the map is:</para>
2791
2792 <para><command>username server:/some/file/system</command></para>
2793
2794 <para>and the program will extract the servername from before
2795 the first ':'. There should probably be a better parsing system
2796 that copes with different map formats and also Amd (another
2797 automounter) maps.</para>
2798
2799 <para><emphasis>NOTE :</emphasis>A working NIS client is required on
2800 the system for this option to work.</para>
2801
2802 <para>See also <link linkend="NISHOMEDIR"><parameter>nis homedir</parameter>
2803 </link>, <link linkend="DOMAINLOGONS"><parameter>domain logons</parameter>
2804 </link>.</para>
2805
2806 <para>Default: <command>homedir map = &lt;empty string&gt;</command></para>
2807 <para>Example: <command>homedir map = amd.homedir</command></para>
2808 </listitem>
2809 </varlistentry>
2810
2811
2812
2813
2814
2815 <varlistentry>
2816 <term><anchor id="HOSTMSDFS">host msdfs (G)</term>
2817 <listitem><para>This boolean parameter is only available
2818 if Samba has been configured and compiled with the <command>
2819 --with-msdfs</command> option. If set to <constant>yes</constant>,
2820 Samba will act as a Dfs server, and allow Dfs-aware clients
2821 to browse Dfs trees hosted on the server.</para>
2822
2823 <para>See also the <link linkend="MSDFSROOT"><parameter>
2824 msdfs root</parameter></link> share level parameter. For
2825 more information on setting up a Dfs tree on Samba,
2826 refer to <ulink url="msdfs_setup.html">msdfs_setup.html</ulink>.
2827 </para>
2828
2829 <para>Default: <command>host msdfs = no</command></para>
2830 </listitem>
2831 </varlistentry>
2832
2833
2834 <varlistentry>
2835 <term><anchor id="HOSTSALLOW">hosts allow (S)</term>
2836 <listitem><para>A synonym for this parameter is <parameter>allow
2837 hosts</parameter>.</para>
2838
2839 <para>This parameter is a comma, space, or tab delimited
2840 set of hosts which are permitted to access a service.</para>
2841
2842 <para>If specified in the [global] section then it will
2843 apply to all services, regardless of whether the individual
2844 service has a different setting.</para>
2845
2846 <para>You can specify the hosts by name or IP number. For
2847 example, you could restrict access to only the hosts on a
2848 Class C subnet with something like <command>allow hosts = 150.203.5.
2849 </command>. The full syntax of the list is described in the man
2850 page <filename>hosts_access(5)</filename>. Note that this man
2851 page may not be present on your system, so a brief description will
2852 be given here also.</para>
2853
2854 <para>Note that the localhost address 127.0.0.1 will always
2855 be allowed access unless specifically denied by a <link
2856 linkend="HOSTSDENY"><parameter>hosts deny</parameter></link> option.</para>
2857
2858 <para>You can also specify hosts by network/netmask pairs and
2859 by netgroup names if your system supports netgroups. The
2860 <emphasis>EXCEPT</emphasis> keyword can also be used to limit a
2861 wildcard list. The following examples may provide some help:</para>
2862
2863 <para>Example 1: allow all IPs in 150.203.*.*; except one</para>
2864
2865 <para><command>hosts allow = 150.203. EXCEPT 150.203.6.66</command></para>
2866
2867 <para>Example 2: allow hosts that match the given network/netmask</para>
2868
2869 <para><command>hosts allow = 150.203.15.0/255.255.255.0</command></para>
2870
2871 <para>Example 3: allow a couple of hosts</para>
2872
2873 <para><command>hosts allow = lapland, arvidsjaur</command></para>
2874
2875 <para>Example 4: allow only hosts in NIS netgroup "foonet", but
2876 deny access from one particular host</para>
2877
2878 <para><command>hosts allow = @foonet</command></para>
2879
2880 <para><command>hosts deny = pirate</command></para>
2881
2882 <para>Note that access still requires suitable user-level passwords.</para>
2883
2884 <para>See <ulink url="testparm.1.html"><command>testparm(1)</command>
2885 </ulink> for a way of testing your host access to see if it does
2886 what you expect.</para>
2887
2888 <para>Default: <emphasis>none (i.e., all hosts permitted access)
2889 </emphasis></para>
2890
2891 <para>Example: <command>allow hosts = 150.203.5. myhost.mynet.edu.au
2892 </command></para>
2893 </listitem>
2894 </varlistentry>
2895
2896
2897
2898 <varlistentry>
2899 <term><anchor id="HOSTSDENY">hosts deny (S)</term>
2900 <listitem><para>The opposite of <parameter>hosts allow</parameter>
2901 - hosts listed here are <emphasis>NOT</emphasis> permitted access to
2902 services unless the specific services have their own lists to override
2903 this one. Where the lists conflict, the <parameter>allow</parameter>
2904 list takes precedence.</para>
2905
2906 <para>Default: <emphasis>none (i.e., no hosts specifically excluded)
2907 </emphasis></para>
2908
2909 <para>Example: <command>hosts deny = 150.203.4. badhost.mynet.edu.au
2910 </command></para></listitem>
2911 </varlistentry>
2912
2913
2914
2915 <varlistentry>
2916 <term><anchor id="HOSTSEQUIV">hosts equiv (G)</term>
2917 <listitem><para>If this global parameter is a non-null string,
2918 it specifies the name of a file to read for the names of hosts
2919 and users who will be allowed access without specifying a password.
2920 </para>
2921
2922 <para>This is not be confused with <link linkend="HOSTSALLOW">
2923 <parameter>hosts allow</parameter></link> which is about hosts
2924 access to services and is more useful for guest services. <parameter>
2925 hosts equiv</parameter> may be useful for NT clients which will
2926 not supply passwords to samba.</para>
2927
2928 <para><emphasis>NOTE :</emphasis> The use of <parameter>hosts equiv
2929 </parameter> can be a major security hole. This is because you are
2930 trusting the PC to supply the correct username. It is very easy to
2931 get a PC to supply a false username. I recommend that the
2932 <parameter>hosts equiv</parameter> option be only used if you really
2933 know what you are doing, or perhaps on a home network where you trust
2934 your spouse and kids. And only if you <emphasis>really</emphasis> trust
2935 them :-).</para>
2936
2937 <para>Default: <emphasis>no host equivalences</emphasis></para>
2938 <para>Example: <command>hosts equiv = /etc/hosts.equiv</command></para>
2939 </listitem>
2940 </varlistentry>
2941
2942
2943
2944 <varlistentry>
2945 <term><anchor id="INCLUDE">include (G)</term>
2946 <listitem><para>This allows you to include one config file
2947 inside another. The file is included literally, as though typed
2948 in place.</para>
2949
2950 <para>It takes the standard substitutions, except <parameter>%u
2951 </parameter>, <parameter>%P</parameter> and <parameter>%S</parameter>.
2952 </para>
2953
2954 <para>Default: <emphasis>no file included</emphasis></para>
2955 <para>Example: <command>include = /usr/local/samba/lib/admin_smb.conf
2956 </command></para></listitem>
2957 </varlistentry>
2958
2959
2960
2961 <varlistentry>
2962 <term><anchor id="INHERITPERMISSIONS">inherit permissions (S)</term>
2963 <listitem><para>The permissions on new files and directories
2964 are normally governed by <link linkend="CREATEMASK"><parameter>
2965 create mask</parameter></link>, <link linkend="DIRECTORYMASK">
2966 <parameter>directory mask</parameter></link>, <link
2967 linkend="FORCECREATEMODE"><parameter>force create mode</parameter>
2968 </link> and <link linkend="FORCEDIRECTORYMODE"><parameter>force
2969 directory mode</parameter></link> but the boolean inherit
2970 permissions parameter overrides this.</para>
2971
2972 <para>New directories inherit the mode of the parent directory,
2973 including bits such as setgid.</para>
2974
2975 <para>New files inherit their read/write bits from the parent
2976 directory. Their execute bits continue to be determined by
2977 <link linkend="MAPARCHIVE"><parameter>map archive</parameter>
2978 </link>, <link linkend="MAPHIDDEN"><parameter>map hidden</parameter>
2979 </link> and <link linkend="MAPSYSTEM"><parameter>map system</parameter>
2980 </link> as usual.</para>
2981
2982 <para>Note that the setuid bit is <emphasis>never</emphasis> set via
2983 inheritance (the code explicitly prohibits this).</para>
2984
2985 <para>This can be particularly useful on large systems with
2986 many users, perhaps several thousand,to allow a single [homes]
2987 share to be used flexibly by each user.</para>
2988
2989 <para>See also <link linkend="CREATEMASK"><parameter>create mask
2990 </parameter></link>, <link linkend="DIRECTORYMASK"><parameter>
2991 directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
2992 <parameter>force create mode</parameter></link> and <link
2993 linkend="FORCEDIRECTORYMODE"><parameter>force directory mode</parameter>
2994 </link>.</para>
2995
2996 <para>Default: <command>inherit permissions = no</command></para>
2997 </listitem>
2998 </varlistentry>
2999
3000
3001
3002 <varlistentry>
3003 <term><anchor id="INTERFACES">interfaces (G)</term>
3004 <listitem><para>This option allows you to override the default
3005 network interfaces list that Samba will use for browsing, name
3006 registration and other NBT traffic. By default Samba will query
3007 the kernel for the list of all active interfaces and use any
3008 interfaces except 127.0.0.1 that are broadcast capable.</para>
3009
3010 <para>The option takes a list of interface strings. Each string
3011 can be in any of the following forms:</para>
3012
3013 <itemizedlist>
3014 <listitem><para>a network interface name (such as eth0).
3015 This may include shell-like wildcards so eth* will match
3016 any interface starting with the substring "eth"</para></listitem>
3017
3018 <listitem><para>an IP address. In this case the netmask is
3019 determined from the list of interfaces obtained from the
3020 kernel</para></listitem>
3021
3022 <listitem><para>an IP/mask pair. </para></listitem>
3023
3024 <listitem><para>a broadcast/mask pair.</para></listitem>
3025 </itemizedlist>
3026
3027 <para>The "mask" parameters can either be a bit length (such
3028 as 24 for a C class network) or a full netmask in dotted
3029 decimal form.</para>
3030
3031 <para>The "IP" parameters above can either be a full dotted
3032 decimal IP address or a hostname which will be looked up via
3033 the OS's normal hostname resolution mechanisms.</para>
3034
3035 <para>For example, the following line:</para>
3036
3037 <para><command>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
3038 </command></para>
3039
3040 <para>would configure three network interfaces corresponding
3041 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
3042 The netmasks of the latter two interfaces would be set to 255.255.255.0.</para>
3043
3044 <para>See also <link linkend="BINDINTERFACESONLY"><parameter>bind
3045 interfaces only</parameter></link>.</para>
3046
3047 <para>Default: <emphasis>all active interfaces except 127.0.0.1
3048 that are broadcast capable</emphasis></para>
3049 </listitem>
3050 </varlistentry>
3051
3052
3053
3054 <varlistentry>
3055 <term><anchor id="INVALIDUSERS">invalid users (S)</term>
3056 <listitem><para>This is a list of users that should not be allowed
3057 to login to this service. This is really a <emphasis>paranoid</emphasis>
3058 check to absolutely ensure an improper setting does not breach
3059 your security.</para>
3060
3061 <para>A name starting with a '@' is interpreted as an NIS
3062 netgroup first (if your system supports NIS), and then as a UNIX
3063 group if the name was not found in the NIS netgroup database.</para>
3064
3065 <para>A name starting with '+' is interpreted only
3066 by looking in the UNIX group database. A name starting with
3067 '&' is interpreted only by looking in the NIS netgroup database
3068 (this requires NIS to be working on your system). The characters
3069 '+' and '&' may be used at the start of the name in either order
3070 so the value <parameter>+&amp;group</parameter> means check the
3071 UNIX group database, followed by the NIS netgroup database, and
3072 the value <parameter>&+group"</parameter> means check the NIS
3073 netgroup database, followed by the UNIX group database (the
3074 same as the '@' prefix).</para>
3075
3076 <para>The current servicename is substituted for <parameter>%S</parameter>.
3077 This is useful in the [homes] section.</para>
3078
3079 <para>See also <link linkend="VALIDUSERS"><parameter>valid users
3080 </parameter></link>.</para>
3081
3082 <para>Default: <emphasis>no invalid users</emphasis></para>
3083 <para>Example: <command>invalid users = root fred admin @wheel
3084 </command></para>
3085 </listitem>
3086 </varlistentry>
3087
3088
3089
3090 <varlistentry>
3091 <term><anchor id="KEEPALIVE">keepalive (G)</term>
3092 <listitem><para>The value of the parameter (an integer) represents
3093 the number of seconds between <parameter>keepalive</parameter>
3094 packets. If this parameter is zero, no keepalive packets will be
3095 sent. Keepalive packets, if sent, allow the server to tell whether
3096 a client is still present and responding.</para>
3097
3098 <para>Keepalives should, in general, not be needed if the socket
3099 being used has the SO_KEEPALIVE attribute set on it (see <link
3100 linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link>).
3101 Basically you should only use this option if you strike difficulties.</para>
3102
3103 <para>Default: <command>keepalive = 300</command></para>
3104 <para>Example: <command>keepalive = 600</command></para>
3105 </listitem>
3106 </varlistentry>
3107
3108
3109
3110 <varlistentry>
3111 <term><anchor id="KERNELOPLOCKS">kernel oplocks (G)</term>
3112 <listitem><para>For UNIXes that support kernel based <link
3113 linkend="OPLOCKS"><parameter>oplocks</parameter></link>
3114 (currently only IRIX and the Linux 2.4 kernel), this parameter
3115 allows the use of them to be turned on or off.</para>
3116
3117 <para>Kernel oplocks support allows Samba <parameter>oplocks
3118 </parameter> to be broken whenever a local UNIX process or NFS operation
3119 accesses a file that <ulink url="smbd.8.html"><command>smbd(8)</command>
3120 </ulink> has oplocked. This allows complete data consistency between
3121 SMB/CIFS, NFS and local file access (and is a <emphasis>very</emphasis>
3122 cool feature :-).</para>
3123
3124 <para>This parameter defaults to <constant>on</constant> on systems
3125 that have the support, and <constant>off</constant> on systems that
3126 don't. You should never need to touch this parameter.</para>
3127
3128 <para>See also the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
3129 </link> and <link linkend="LEVEL2OPLOCKS"><parameter>level2 oplocks
3130 </parameter></link> parameters.</para>
3131
3132 <para>Default: <command>kernel oplocks = yes</command></para>
3133 </listitem>
3134 </varlistentry>
3135
3136
3137
3138
3139 <varlistentry>
3140 <term><anchor id="LANMANAUTH">lanman auth (G)</term>
3141 <listitem><para>This parameter determines whether or not smbd will
3142 attempt to authentication users using the LANMAN password hash.
3143 If disabled, only clients which support NT password hashes (e.g. Windows
3144 NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
3145 network client) will be able to connect to the Samba host.</para>
3146
3147 <para>Default : <command>lanman auth = yes</command></para>
3148 </listitem>
3149 </varlistentry>
3150
3151
3152
3153
3154 <varlistentry>
3155 <term><anchor id="LEVEL2OPLOCKS">level2 oplocks (S)</term>
3156 <listitem><para>This parameter controls whether Samba supports
3157 level2 (read-only) oplocks on a share.</para>
3158
3159 <para>Level2, or read-only oplocks allow Windows NT clients
3160 that have an oplock on a file to downgrade from a read-write oplock
3161 to a read-only oplock once a second client opens the file (instead
3162 of releasing all oplocks on a second open, as in traditional,
3163 exclusive oplocks). This allows all openers of the file that
3164 support level2 oplocks to cache the file for read-ahead only (ie.
3165 they may not cache writes or lock requests) and increases performance
3166 for many accesses of files that are not commonly written (such as
3167 application .EXE files).</para>
3168
3169 <para>Once one of the clients which have a read-only oplock
3170 writes to the file all clients are notified (no reply is needed
3171 or waited for) and told to break their oplocks to "none" and
3172 delete any read-ahead caches.</para>
3173
3174 <para>It is recommended that this parameter be turned on
3175 to speed access to shared executables.</para>
3176
3177 <para>For more discussions on level2 oplocks see the CIFS spec.</para>
3178
3179 <para>Currently, if <link linkend="KERNELOPLOCKS"><parameter>kernel
3180 oplocks</parameter></link> are supported then level2 oplocks are
3181 not granted (even if this parameter is set to <constant>yes</constant>).
3182 Note also, the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
3183 </link> parameter must be set to "true" on this share in order for
3184 this parameter to have any effect.</para>
3185
3186 <para>See also the <link linkend="OPLOCKS"><parameter>oplocks</parameter>
3187 </link> and <link linkend="OPLOCKS"><parameter>kernel oplocks</parameter>
3188 </link> parameters.</para>
3189
3190 <para>Default: <command>level2 oplocks = yes</command></para>
3191 </listitem>
3192 </varlistentry>
3193
3194
3195
3196
3197
3198 <varlistentry>
3199 <term><anchor id="LMANNOUNCE">lm announce (G)</term>
3200 <listitem><para>This parameter determines if <ulink url="nmbd.8.html">
3201 <command>nmbd(8)</command></ulink> will produce Lanman announce
3202 broadcasts that are needed by OS/2 clients in order for them to see
3203 the Samba server in their browse list. This parameter can have three
3204 values, <constant>true</constant>, <constant>false</constant>, or
3205 <constant>auto</constant>. The default is <constant>auto</constant>.
3206 If set to <constant>false</constant> Samba will never produce these
3207 broadcasts. If set to <constant>true</constant> Samba will produce
3208 Lanman announce broadcasts at a frequency set by the parameter
3209 <parameter>lm interval</parameter>. If set to <constant>auto</constant>
3210 Samba will not send Lanman announce broadcasts by default but will
3211 listen for them. If it hears such a broadcast on the wire it will
3212 then start sending them at a frequency set by the parameter
3213 <parameter>lm interval</parameter>.</para>
3214
3215 <para>See also <link linkend="LMINTERVAL"><parameter>lm interval
3216 </parameter></link>.</para>
3217
3218 <para>Default: <command>lm announce = auto</command></para>
3219 <para>Example: <command>lm announce = yes</command></para>
3220 </listitem>
3221 </varlistentry>
3222
3223
3224
3225 <varlistentry>
3226 <term><anchor id="LMINTERVAL">lm interval (G)</term>
3227 <listitem><para>If Samba is set to produce Lanman announce
3228 broadcasts needed by OS/2 clients (see the <link linkend="LMANNOUNCE">
3229 <parameter>lm announce</parameter></link> parameter) then this
3230 parameter defines the frequency in seconds with which they will be
3231 made. If this is set to zero then no Lanman announcements will be
3232 made despite the setting of the <parameter>lm announce</parameter>
3233 parameter.</para>
3234
3235 <para>See also <link linkend="LMANNOUNCE"><parameter>lm
3236 announce</parameter></link>.</para>
3237
3238 <para>Default: <command>lm interval = 60</command></para>
3239 <para>Example: <command>lm interval = 120</command></para>
3240 </listitem>
3241 </varlistentry>
3242
3243
3244
3245 <varlistentry>
3246 <term><anchor id="LOADPRINTERS">load printers (G)</term>
3247 <listitem><para>A boolean variable that controls whether all
3248 printers in the printcap will be loaded for browsing by default.
3249 See the <link linkend="PRINTERSSECT">printers</link> section for
3250 more details.</para>
3251
3252 <para>Default: <command>load printers = yes</command></para></listitem>
3253 </varlistentry>
3254
3255
3256
3257
3258 <varlistentry>
3259 <term><anchor id="LOCALMASTER">local master (G)</term>
3260 <listitem><para>This option allows <ulink url="nmbd.8.html"><command>
3261 nmbd(8)</command></ulink> to try and become a local master browser
3262 on a subnet. If set to <constant>False</constant> then <command>
3263 nmbd</command> will not attempt to become a local master browser
3264 on a subnet and will also lose in all browsing elections. By
3265 default this value is set to true. Setting this value to true doesn't
3266 mean that Samba will <emphasis>become</emphasis> the local master
3267 browser on a subnet, just that <command>nmbd</command> will <emphasis>
3268 participate</emphasis> in elections for local master browser.</para>
3269
3270 <para>Setting this value to False will cause <command>nmbd</command>
3271 <emphasis>never</emphasis> to become a local master browser.</para>
3272
3273 <para>Default: <command>local master = yes</command></para>
3274 </listitem>
3275 </varlistentry>
3276
3277
3278
3279 <varlistentry>
3280 <term><anchor id="LOCKDIR">lock dir (G)</term>
3281 <listitem><para>Synonym for <link linkend="LOCKDIRECTORY"><parameter>
3282 lock directory</parameter></link>.</para></listitem>
3283 </varlistentry>
3284
3285
3286
3287 <varlistentry>
3288 <term><anchor id="LOCKDIRECTORY">lock directory (G)</term>
3289 <listitem><para>This option specifies the directory where lock
3290 files will be placed. The lock files are used to implement the
3291 <link linkend="MAXCONNECTIONS"><parameter>max connections</parameter>
3292 </link> option.</para>
3293
3294 <para>Default: <command>lock directory = ${prefix}/var/locks</command></para>
3295 <para>Example: <command>lock directory = /var/run/samba/locks</command>
3296 </para></listitem>
3297 </varlistentry>
3298
3299
3300
3301 <varlistentry>
3302 <term><anchor id="LOCKING">locking (S)</term>
3303 <listitem><para>This controls whether or not locking will be
3304 performed by the server in response to lock requests from the
3305 client.</para>
3306
3307 <para>If <command>locking = no</command>, all lock and unlock
3308 requests will appear to succeed and all lock queries will report
3309 that the file in question is available for locking.</para>
3310
3311 <para>If <command>locking = yes</command>, real locking will be performed
3312 by the server.</para>
3313
3314 <para>This option <emphasis>may</emphasis> be useful for read-only
3315 filesystems which <emphasis>may</emphasis> not need locking (such as
3316 cdrom drives), although setting this parameter of <constant>no</constant>
3317 is not really recommended even in this case.</para>
3318
3319 <para>Be careful about disabling locking either globally or in a
3320 specific service, as lack of locking may result in data corruption.
3321 You should never need to set this parameter.</para>
3322
3323 <para>Default: <command>locking = yes</command></para>
3324 </listitem>
3325 </varlistentry>
3326
3327
3328
3329 <varlistentry>
3330 <term><anchor id="LOGFILE">log file (G)</term>
3331 <listitem><para>This option allows you to override the name
3332 of the Samba log file (also known as the debug file).</para>
3333
3334 <para>This option takes the standard substitutions, allowing
3335 you to have separate log files for each user or machine.</para>
3336
3337 <para>Example: <command>log file = /usr/local/samba/var/log.%m
3338 </command></para></listitem>
3339 </varlistentry>
3340
3341
3342
3343 <varlistentry>
3344 <term><anchor id="LOGLEVEL">log level (G)</term>
3345 <listitem><para>Synonym for <link linkend="DEBUGLEVEL"><parameter>
3346 debug level</parameter></link>.</para>
3347 </listitem>
3348 </varlistentry>
3349
3350
3351
3352 <varlistentry>
3353 <term><anchor id="LOGONDRIVE">logon drive (G)</term>
3354 <listitem><para>This parameter specifies the local path to
3355 which the home directory will be connected (see <link
3356 linkend="LOGONHOME"><parameter>logon home</parameter></link>)
3357 and is only used by NT Workstations. </para>
3358
3359 <para>Note that this option is only useful if Samba is set up as a
3360 logon server.</para>
3361
3362 <para>Default: <command>logon drive = z:</command></para>
3363 <para>Example: <command>logon drive = h:</command></para>
3364 </listitem>
3365 </varlistentry>
3366
3367
3368
3369 <varlistentry>
3370 <term><anchor id="LOGONHOME">logon home (G)</term>
3371 <listitem><para>This parameter specifies the home directory
3372 location when a Win95/98 or NT Workstation logs into a Samba PDC.
3373 It allows you to do </para>
3374
3375 <para><prompt>C:\> </prompt><userinput>NET USE H: /HOME</userinput>
3376 </para>
3377
3378 <para>from a command prompt, for example.</para>
3379
3380 <para>This option takes the standard substitutions, allowing
3381 you to have separate logon scripts for each user or machine.</para>
3382
3383 <para>This parameter can be used with Win9X workstations to ensure
3384 that roaming profiles are stored in a subdirectory of the user's
3385 home directory. This is done in the following way:</para>
3386
3387 <para><command>logon home = \\%N\%U\profile</command></para>
3388
3389 <para>This tells Samba to return the above string, with
3390 substitutions made when a client requests the info, generally
3391 in a NetUserGetInfo request. Win9X clients truncate the info to
3392 \\server\share when a user does <command>net use /home"</command>
3393 but use the whole string when dealing with profiles.</para>
3394
3395 <para>Note that in prior versions of Samba, the <link linkend="LOGONPATH">
3396 <parameter>logon path</parameter></link> was returned rather than
3397 <parameter>logon home</parameter>. This broke <command>net use
3398 /home</command> but allowed profiles outside the home directory.
3399 The current implementation is correct, and can be used for
3400 profiles if you use the above trick.</para>
3401
3402 <para>This option is only useful if Samba is set up as a logon
3403 server.</para>
3404
3405 <para>Default: <command>logon home = "\\%N\%U"</command></para>
3406 <para>Example: <command>logon home = "\\remote_smb_server\%U"</command>
3407 </para></listitem>
3408 </varlistentry>
3409
3410
3411 <varlistentry>
3412 <term><anchor id="LOGONPATH">logon path (G)</term>
3413 <listitem><para>This parameter specifies the home directory
3414 where roaming profiles (NTuser.dat etc files for Windows NT) are
3415 stored. Contrary to previous versions of these manual pages, it has
3416 nothing to do with Win 9X roaming profiles. To find out how to
3417 handle roaming profiles for Win 9X system, see the <link linkend="LOGONHOME">
3418 <parameter>logon home</parameter></link> parameter.</para>
3419
3420 <para>This option takes the standard substitutions, allowing you
3421 to have separate logon scripts for each user or machine. It also
3422 specifies the directory from which the "Application Data",
3423 (<filename>desktop</filename>, <filename>start menu</filename>,
3424 <filename>network neighborhood</filename>, <filename>programs</filename>
3425 and other folders, and their contents, are loaded and displayed on
3426 your Windows NT client.</para>
3427
3428 <para>The share and the path must be readable by the user for
3429 the preferences and directories to be loaded onto the Windows NT
3430 client. The share must be writeable when the logs in for the first
3431 time, in order that the Windows NT client can create the NTuser.dat
3432 and other directories.</para>
3433
3434 <para>Thereafter, the directories and any of the contents can,
3435 if required, be made read-only. It is not advisable that the
3436 NTuser.dat file be made read-only - rename it to NTuser.man to
3437 achieve the desired effect (a <emphasis>MAN</emphasis>datory
3438 profile). </para>
3439
3440 <para>Windows clients can sometimes maintain a connection to
3441 the [homes] share, even though there is no user logged in.
3442 Therefore, it is vital that the logon path does not include a
3443 reference to the homes share (i.e. setting this parameter to
3444 \%N\%U\profile_path will cause problems).</para>
3445
3446 <para>This option takes the standard substitutions, allowing
3447 you to have separate logon scripts for each user or machine.</para>
3448
3449 <para>Note that this option is only useful if Samba is set up
3450 as a logon server.</para>
3451
3452 <para>Default: <command>logon path = \\%N\%U\profile</command></para>
3453 <para>Example: <command>logon path = \\PROFILESERVER\PROFILE\%U</command></para>
3454 </listitem>
3455 </varlistentry>
3456
3457
3458
3459 <varlistentry>
3460 <term><anchor id="LOGONSCRIPT">logon script (G)</term>
3461 <listitem><para>This parameter specifies the batch file (.bat) or
3462 NT command file (.cmd) to be downloaded and run on a machine when
3463 a user successfully logs in. The file must contain the DOS
3464 style cr/lf line endings. Using a DOS-style editor to create the
3465 file is recommended.</para>
3466
3467 <para>The script must be a relative path to the [netlogon]
3468 service. If the [netlogon] service specifies a <link linkend="PATH">
3469 <parameter>path</parameter></link> of <filename>/usr/local/samba/netlogon
3470 </filename>, and <command>logon script = STARTUP.BAT</command>, then
3471 the file that will be downloaded is:</para>
3472
3473 <para><filename>/usr/local/samba/netlogon/STARTUP.BAT</filename></para>
3474
3475 <para>The contents of the batch file is entirely your choice. A
3476 suggested command would be to add <command>NET TIME \\SERVER /SET
3477 /YES</command>, to force every machine to synchronize clocks with
3478 the same time server. Another use would be to add <command>NET USE
3479 U: \\SERVER\UTILS</command> for commonly used utilities, or <command>
3480 NET USE Q: \\SERVER\ISO9001_QA</command> for example.</para>
3481
3482 <para>Note that it is particularly important not to allow write
3483 access to the [netlogon] share, or to grant users write permission
3484 on the batch files in a secure environment, as this would allow
3485 the batch files to be arbitrarily modified and security to be
3486 breached.</para>
3487
3488 <para>This option takes the standard substitutions, allowing you
3489 to have separate logon scripts for each user or machine.</para>
3490
3491 <para>This option is only useful if Samba is set up as a logon
3492 server.</para>
3493
3494 <para>Default: <emphasis>no logon script defined</emphasis></para>
3495 <para>Example: <command>logon script = scripts\%U.bat</command></para>
3496 </listitem>
3497 </varlistentry>
3498
3499
3500
3501 <varlistentry>
3502 <term><anchor id="LPPAUSECOMMAND">lppause command (S)</term>
3503 <listitem><para>This parameter specifies the command to be
3504 executed on the server host in order to stop printing or spooling
3505 a specific print job.</para>
3506
3507 <para>This command should be a program or script which takes
3508 a printer name and job number to pause the print job. One way
3509 of implementing this is by using job priorities, where jobs
3510 having a too low priority won't be sent to the printer.</para>
3511
3512 <para>If a <parameter>%p</parameter> is given then the printername
3513 is put in its place. A <parameter>%j</parameter> is replaced with
3514 the job number (an integer). On HPUX (see <parameter>printing=hpux
3515 </parameter>), if the <parameter>-p%p</parameter> option is added
3516 to the lpq command, the job will show up with the correct status, i.e.
3517 if the job priority is lower than the set fence priority it will
3518 have the PAUSED status, whereas if the priority is equal or higher it
3519 will have the SPOOLED or PRINTING status.</para>
3520
3521 <para>Note that it is good practice to include the absolute path
3522 in the lppause command as the PATH may not be available to the server.</para>
3523
3524 <para>See also the <link linkend="PRINTING"><parameter>printing
3525 </parameter></link> parameter.</para>
3526
3527 <para>Default: Currently no default value is given to
3528 this string, unless the value of the <parameter>printing</parameter>
3529 parameter is <constant>SYSV</constant>, in which case the default is :</para>
3530
3531 <para><command>lp -i %p-%j -H hold</command></para>
3532
3533 <para>or if the value of the <parameter>printing</parameter> parameter
3534 is <constant>SOFTQ</constant>, then the default is:</para>
3535
3536 <para><command>qstat -s -j%j -h</command></para>
3537
3538 <para>Example for HPUX: <command>lppause command = /usr/bin/lpalt
3539 %p-%j -p0</command></para>
3540 </listitem>
3541 </varlistentry>
3542
3543
3544
3545 <varlistentry>
3546 <term><anchor id="LPQCACHETIME">lpq cache time (G)</term>
3547 <listitem><para>This controls how long lpq info will be cached
3548 for to prevent the <command>lpq</command> command being called too
3549 often. A separate cache is kept for each variation of the <command>
3550 lpq</command> command used by the system, so if you use different
3551 <command>lpq</command> commands for different users then they won't
3552 share cache information.</para>
3553
3554 <para>The cache files are stored in <filename>/tmp/lpq.xxxx</filename>
3555 where xxxx is a hash of the <command>lpq</command> command in use.</para>
3556
3557 <para>The default is 10 seconds, meaning that the cached results
3558 of a previous identical <command>lpq</command> command will be used
3559 if the cached data is less than 10 seconds old. A large value may
3560 be advisable if your <command>lpq</command> command is very slow.</para>
3561
3562 <para>A value of 0 will disable caching completely.</para>
3563
3564 <para>See also the <link linkend="PRINTING"><parameter>printing
3565 </parameter></link> parameter.</para>
3566
3567 <para>Default: <command>lpq cache time = 10</command></para>
3568 <para>Example: <command>lpq cache time = 30</command></para>
3569 </listitem>
3570 </varlistentry>
3571
3572
3573
3574 <varlistentry>
3575 <term><anchor id="LPQCOMMAND">lpq command (S)</term>
3576 <listitem><para>This parameter specifies the command to be
3577 executed on the server host in order to obtain <command>lpq
3578 </command>-style printer status information.</para>
3579
3580 <para>This command should be a program or script which
3581 takes a printer name as its only parameter and outputs printer
3582 status information.</para>
3583
3584 <para>Currently eight styles of printer status information
3585 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ.
3586 This covers most UNIX systems. You control which type is expected
3587 using the <parameter>printing =</parameter> option.</para>
3588
3589 <para>Some clients (notably Windows for Workgroups) may not
3590 correctly send the connection number for the printer they are
3591 requesting status information about. To get around this, the
3592 server reports on the first printer service connected to by the
3593 client. This only happens if the connection number sent is invalid.</para>
3594
3595 <para>If a <parameter>%p</parameter> is given then the printername
3596 is put in its place. Otherwise it is placed at the end of the
3597 command.</para>
3598
3599 <para>Note that it is good practice to include the absolute path
3600 in the <parameter>lpq command</parameter> as the <envar>$PATH
3601 </envar> may not be available to the server.</para>
3602
3603 <para>See also the <link linkend="PRINTING"><parameter>printing
3604 </parameter></link> parameter.</para>
3605
3606 <para>Default: <emphasis>depends on the setting of <parameter>
3607 printing</parameter></emphasis></para>
3608
3609 <para>Example: <command>lpq command = /usr/bin/lpq -P%p</command></para>
3610 </listitem>
3611 </varlistentry>
3612
3613
3614
3615 <varlistentry>
3616 <term><anchor id="LPRESUMECOMMAND">lpresume command (S)</term>
3617 <listitem><para>This parameter specifies the command to be
3618 executed on the server host in order to restart or continue
3619 printing or spooling a specific print job.</para>
3620
3621 <para>This command should be a program or script which takes
3622 a printer name and job number to resume the print job. See
3623 also the <link linkend="LPPAUSECOMMAND"><parameter>lppause command
3624 </parameter></link> parameter.</para>
3625
3626 <para>If a <parameter>%p</parameter> is given then the printername
3627 is put in its place. A <parameter>%j</parameter> is replaced with
3628 the job number (an integer).</para>
3629
3630 <para>Note that it is good practice to include the absolute path
3631 in the <parameter>lpresume command</parameter> as the PATH may not
3632 be available to the server.</para>
3633
3634 <para>See also the <link linkend="PRINTING"><parameter>printing
3635 </parameter></link> parameter.</para>
3636
3637 <para>Default: Currently no default value is given
3638 to this string, unless the value of the <parameter>printing</parameter>
3639 parameter is <constant>SYSV</constant>, in which case the default is :</para>
3640
3641 <para><command>lp -i %p-%j -H resume</command></para>
3642
3643 <para>or if the value of the <parameter>printing</parameter> parameter
3644 is <constant>SOFTQ</constant>, then the default is:</para>
3645
3646 <para><command>qstat -s -j%j -r</command></para>
3647
3648 <para>Example for HPUX: <command>lpresume command = /usr/bin/lpalt
3649 %p-%j -p2</command></para>
3650 </listitem>
3651 </varlistentry>
3652
3653
3654
3655 <varlistentry>
3656 <term><anchor id="LPRMCOMMAND">lprm command (S)</term>
3657 <listitem><para>This parameter specifies the command to be
3658 executed on the server host in order to delete a print job.</para>
3659
3660 <para>This command should be a program or script which takes
3661 a printer name and job number, and deletes the print job.</para>
3662
3663 <para>If a <parameter>%p</parameter> is given then the printername
3664 is put in its place. A <parameter>%j</parameter> is replaced with
3665 the job number (an integer).</para>
3666
3667 <para>Note that it is good practice to include the absolute
3668 path in the <parameter>lprm command</parameter> as the PATH may not be
3669 available to the server.</para>
3670
3671 <para>See also the <link linkend="PRINTING"><parameter>printing
3672 </parameter></link> parameter.</para>
3673
3674 <para>Default: <emphasis>depends on the setting of <parameter>printing
3675 </parameter></emphasis></para>
3676
3677 <para>Example 1: <command>lprm command = /usr/bin/lprm -P%p %j
3678 </command></para>
3679 <para>Example 2: <command>lprm command = /usr/bin/cancel %p-%j
3680 </command></para></listitem>
3681 </varlistentry>
3682
3683
3684
3685 <varlistentry>
3686 <term><anchor id="MACHINEPASSWORDTIMEOUT">machine password timeout (G)</term>
3687 <listitem><para>If a Samba server is a member of an Windows
3688 NT Domain (see the <link linkend="SECURITYEQUALSDOMAIN">security=domain</link>)
3689 parameter) then periodically a running <ulink url="smbd.8.html">
3690 smbd(8)</ulink> process will try and change the MACHINE ACCOUNT
3691 PASSWORD stored in the TDB called <filename>private/secrets.tdb
3692 </filename>. This parameter specifies how often this password
3693 will be changed, in seconds. The default is one week (expressed in
3694 seconds), the same as a Windows NT Domain member server.</para>
3695
3696 <para>See also <ulink url="smbpasswd.8.html"><command>smbpasswd(8)
3697 </command></ulink>, and the <link linkend="SECURITYEQUALSDOMAIN">
3698 security=domain</link>) parameter.</para>
3699
3700 <para>Default: <command>machine password timeout = 604800</command></para>
3701 </listitem>
3702 </varlistentry>
3703
3704
3705 <varlistentry>
3706 <term><anchor id="MAGICOUTPUT">magic output (S)</term>
3707 <listitem><para>This parameter specifies the name of a file
3708 which will contain output created by a magic script (see the
3709 <link linkend="MAGICSCRIPT"><parameter>magic script</parameter></link>
3710 parameter below).</para>
3711
3712 <para>Warning: If two clients use the same <parameter>magic script
3713 </parameter> in the same directory the output file content
3714 is undefined.</para>
3715
3716 <para>Default: <command>magic output = &lt;magic script name&gt;.out
3717 </command></para>
3718
3719 <para>Example: <command>magic output = myfile.txt</command></para>
3720 </listitem>
3721 </varlistentry>
3722
3723
3724
3725 <varlistentry>
3726 <term><anchor id="MAGICSCRIPT">magic script (S)</term>
3727 <listitem><para>This parameter specifies the name of a file which,
3728 if opened, will be executed by the server when the file is closed.
3729 This allows a UNIX script to be sent to the Samba host and
3730 executed on behalf of the connected user.</para>
3731
3732 <para>Scripts executed in this way will be deleted upon
3733 completion assuming that the user has the appripriate level
3734 of priviledge and the ile permissions allow the deletion.</para>
3735
3736 <para>If the script generates output, output will be sent to
3737 the file specified by the <link linkend="MAGICOUTPUT"><parameter>
3738 magic output</parameter></link> parameter (see above).</para>
3739
3740 <para>Note that some shells are unable to interpret scripts
3741 containing CR/LF instead of CR as
3742 the end-of-line marker. Magic scripts must be executable
3743 <emphasis>as is</emphasis> on the host, which for some hosts and
3744 some shells will require filtering at the DOS end.</para>
3745
3746 <para>Magic scripts are <emphasis>EXPERIMENTAL</emphasis> and
3747 should <emphasis>NOT</emphasis> be relied upon.</para>
3748
3749 <para>Default: <emphasis>None. Magic scripts disabled.</emphasis></para>
3750 <para>Example: <command>magic script = user.csh</command></para>
3751 </listitem>
3752 </varlistentry>
3753
3754
3755
3756 <varlistentry>
3757 <term><anchor id="MANGLECASE">mangle case (S)</term>
3758 <listitem><para>See the section on <link linkend="NAMEMANGLINGSECT">
3759 NAME MANGLING</link></para>
3760
3761 <para>Default: <command>mangle case = no</command></para>
3762 </listitem>
3763 </varlistentry>
3764
3765
3766 <varlistentry>
3767 <term><anchor id="MANGLEDMAP">mangled map (S)</term>
3768 <listitem><para>This is for those who want to directly map UNIX
3769 file names which can not be represented on Windows/DOS. The mangling
3770 of names is not always what is needed. In particular you may have
3771 documents with file extensions that differ between DOS and UNIX.
3772 For example, under UNIX it is common to use <filename>.html</filename>
3773 for HTML files, whereas under Windows/DOS <filename>.htm</filename>
3774 is more commonly used.</para>
3775
3776 <para>So to map <filename>html</filename> to <filename>htm</filename>
3777 you would use:</para>
3778
3779 <para><command>mangled map = (*.html *.htm)</command></para>
3780
3781 <para>One very useful case is to remove the annoying <filename>;1
3782 </filename> off the ends of filenames on some CDROMS (only visible
3783 under some UNIXes). To do this use a map of (*;1 *;).</para>
3784
3785 <para>Default: <emphasis>no mangled map</emphasis></para>
3786 <para>Example: <command>mangled map = (*;1 *;)</command></para>
3787 </listitem>
3788 </varlistentry>
3789
3790
3791 <varlistentry>
3792 <term><anchor id="MANGLEDNAMES">mangled names (S)</term>
3793 <listitem><para>This controls whether non-DOS names under UNIX
3794 should be mapped to DOS-compatible names ("mangled") and made visible,
3795 or whether non-DOS names should simply be ignored.</para>
3796
3797 <para>See the section on <link linkend="NAMEMANGLINGSECT">
3798 NAME MANGLING</link> for details on how to control the mangling process.</para>
3799
3800 <para>If mangling is used then the mangling algorithm is as follows:</para>
3801
3802 <itemizedlist>
3803 <listitem><para>The first (up to) five alphanumeric characters
3804 before the rightmost dot of the filename are preserved, forced
3805 to upper case, and appear as the first (up to) five characters
3806 of the mangled name.</para></listitem>
3807
3808 <listitem><para>A tilde "~" is appended to the first part of the mangled
3809 name, followed by a two-character unique sequence, based on the
3810 original root name (i.e., the original filename minus its final
3811 extension). The final extension is included in the hash calculation
3812 only if it contains any upper case characters or is longer than three
3813 characters.</para>
3814
3815 <para>Note that the character to use may be specified using
3816 the <link linkend="MANGLINGCHAR"><parameter>mangling char</parameter>
3817 </link> option, if you don't like '~'.</para></listitem>
3818
3819 <listitem><para>The first three alphanumeric characters of the final
3820 extension are preserved, forced to upper case and appear as the
3821 extension of the mangled name. The final extension is defined as that
3822 part of the original filename after the rightmost dot. If there are no
3823 dots in the filename, the mangled name will have no extension (except
3824 in the case of "hidden files" - see below).</para></listitem>
3825
3826 <listitem><para>Files whose UNIX name begins with a dot will be
3827 presented as DOS hidden files. The mangled name will be created as
3828 for other filenames, but with the leading dot removed and "___" as
3829 its extension regardless of actual original extension (that's three
3830 underscores).</para></listitem>
3831 </itemizedlist>
3832
3833 <para>The two-digit hash value consists of upper case
3834 alphanumeric characters.</para>
3835
3836 <para>This algorithm can cause name collisions only if files
3837 in a directory share the same first five alphanumeric characters.
3838 The probability of such a clash is 1/1300.</para>
3839
3840 <para>The name mangling (if enabled) allows a file to be
3841 copied between UNIX directories from Windows/DOS while retaining
3842 the long UNIX filename. UNIX files can be renamed to a new extension
3843 from Windows/DOS and will retain the same basename. Mangled names
3844 do not change between sessions.</para>
3845
3846 <para>Default: <command>mangled names = yes</command></para>
3847 </listitem>
3848 </varlistentry>
3849
3850
3851
3852 <varlistentry>
3853 <term><anchor id="MANGLEDSTACK">mangled stack (G)</term>
3854 <listitem><para>This parameter controls the number of mangled names
3855 that should be cached in the Samba server <ulink url="smbd.8.html">
3856 smbd(8)</ulink>.</para>
3857
3858 <para>This stack is a list of recently mangled base names
3859 (extensions are only maintained if they are longer than 3 characters
3860 or contains upper case characters).</para>
3861
3862 <para>The larger this value, the more likely it is that mangled
3863 names can be successfully converted to correct long UNIX names.
3864 However, large stack sizes will slow most directory access. Smaller
3865 stacks save memory in the server (each stack element costs 256 bytes).
3866 </para>
3867
3868 <para>It is not possible to absolutely guarantee correct long
3869 file names, so be prepared for some surprises!</para>
3870
3871 <para>Default: <command>mangled stack = 50</command></para>
3872 <para>Example: <command>mangled stack = 100</command></para>
3873 </listitem>
3874 </varlistentry>
3875
3876
3877
3878
3879 <varlistentry>
3880 <term><anchor id="MANGLINGCHAR">mangling char (S)</term>
3881 <listitem><para>This controls what character is used as
3882 the <emphasis>magic</emphasis> character in <link
3883 linkend="NAMEMANGLINGSECT">name mangling</link>. The default is a '~'
3884 but this may interfere with some software. Use this option to set
3885 it to whatever you prefer.</para>
3886
3887 <para>Default: <command>mangling char = ~</command></para>
3888 <para>Example: <command>mangling char = ^</command></para>
3889 </listitem>
3890 </varlistentry>
3891
3892
3893
3894
3895
3896 <varlistentry>
3897 <term><anchor id="MAPARCHIVE">map archive (S)</term>
3898 <listitem><para>This controls whether the DOS archive attribute
3899 should be mapped to the UNIX owner execute bit. The DOS archive bit
3900 is set when a file has been modified since its last backup. One
3901 motivation for this option it to keep Samba/your PC from making
3902 any file it touches from becoming executable under UNIX. This can
3903 be quite annoying for shared source code, documents, etc...</para>
3904
3905 <para>Note that this requires the <parameter>create mask</parameter>
3906 parameter to be set such that owner execute bit is not masked out
3907 (i.e. it must include 100). See the parameter <link linkend="CREATEMASK">
3908 <parameter>create mask</parameter></link> for details.</para>
3909
3910 <para>Default: <command>map archive = yes</command></para>
3911 </listitem>
3912 </varlistentry>
3913
3914
3915
3916 <varlistentry>
3917 <term><anchor id="MAPHIDDEN">map hidden (S)</term>
3918 <listitem><para>This controls whether DOS style hidden files
3919 should be mapped to the UNIX world execute bit.</para>
3920
3921 <para>Note that this requires the <parameter>create mask</parameter>
3922 to be set such that the world execute bit is not masked out (i.e.
3923 it must include 001). See the parameter <link linkend="CREATEMASK">
3924 <parameter>create mask</parameter></link> for details.</para>
3925
3926 <para>Default: <command>map hidden = no</command></para>
3927 </listitem>
3928 </varlistentry>
3929
3930
3931 <varlistentry>
3932 <term><anchor id="MAPSYSTEM">map system (S)</term>
3933 <listitem><para>This controls whether DOS style system files
3934 should be mapped to the UNIX group execute bit.</para>
3935
3936 <para>Note that this requires the <parameter>create mask</parameter>
3937 to be set such that the group execute bit is not masked out (i.e.
3938 it must include 010). See the parameter <link linkend="CREATEMASK">
3939 <parameter>create mask</parameter></link> for details.</para>
3940
3941 <para>Default: <command>map system = no</command></para>
3942 </listitem>
3943 </varlistentry>
3944
3945
3946 <varlistentry>
3947 <term><anchor id="MAPTOGUEST">map to guest (G)</term>
3948 <listitem><para>This parameter is only useful in <link linkend="SECURITY">
3949 security</link> modes other than <parameter>security=share</parameter>
3950 - i.e. <constant>user</constant>, <constant>server</constant>,
3951 and <constant>domain</constant>.</para>
3952
3953 <para>This parameter can take three different values, which tell
3954 <ulink url="smbd.8.html">smbd(8)</ulink> what to do with user
3955 login requests that don't match a valid UNIX user in some way.</para>
3956
3957 <para>The three settings are :</para>
3958
3959 <itemizedlist>
3960 <listitem><para><constant>Never</constant> - Means user login
3961 requests with an invalid password are rejected. This is the
3962 default.</para></listitem>
3963
3964 <listitem><para><constant>Bad User</constant> - Means user
3965 logins with an invalid password are rejected, unless the username
3966 does not exist, in which case it is treated as a guest login and
3967 mapped into the <link linkend="GUESTACCOUNT"><parameter>
3968 guest account</parameter></link>.</para></listitem>
3969
3970 <listitem><para><constant>Bad Password</constant> - Means user logins
3971 with an invalid password are treated as a guest login and mapped
3972 into the <link linkend="GUESTACCOUNT">guest account</link>. Note that
3973 this can cause problems as it means that any user incorrectly typing
3974 their password will be silently logged on as "guest" - and
3975 will not know the reason they cannot access files they think
3976 they should - there will have been no message given to them
3977 that they got their password wrong. Helpdesk services will
3978 <emphasis>hate</emphasis> you if you set the <parameter>map to
3979 guest</parameter> parameter this way :-).</para></listitem>
3980 </itemizedlist>
3981
3982 <para>Note that this parameter is needed to set up "Guest"
3983 share services when using <parameter>security</parameter> modes other than
3984 share. This is because in these modes the name of the resource being
3985 requested is <emphasis>not</emphasis> sent to the server until after
3986 the server has successfully authenticated the client so the server
3987 cannot make authentication decisions at the correct time (connection
3988 to the share) for "Guest" shares.</para>
3989
3990 <para>For people familiar with the older Samba releases, this
3991 parameter maps to the old compile-time setting of the <constant>
3992 GUEST_SESSSETUP</constant> value in local.h.</para>
3993
3994 <para>Default: <command>map to guest = Never</command></para>
3995 <para>Example: <command>map to guest = Bad User</command></para>
3996 </listitem>
3997 </varlistentry>
3998
3999
4000
4001 <varlistentry>
4002 <term><anchor id="MAXCONNECTIONS">max connections (S)</term>
4003 <listitem><para>This option allows the number of simultaneous
4004 connections to a service to be limited. If <parameter>max connections
4005 </parameter> is greater than 0 then connections will be refused if
4006 this number of connections to the service are already open. A value
4007 of zero mean an unlimited number of connections may be made.</para>
4008
4009 <para>Record lock files are used to implement this feature. The
4010 lock files will be stored in the directory specified by the <link
4011 linkend="LOCKDIRECTORY"><parameter>lock directory</parameter></link>
4012 option.</para>
4013
4014 <para>Default: <command>max connections = 0</command></para>
4015 <para>Example: <command>max connections = 10</command></para>
4016 </listitem>
4017 </varlistentry>
4018
4019
4020
4021 <varlistentry>
4022 <term><anchor id="MAXDISKSIZE">max disk size (G)</term>
4023 <listitem><para>This option allows you to put an upper limit
4024 on the apparent size of disks. If you set this option to 100
4025 then all shares will appear to be not larger than 100 MB in
4026 size.</para>
4027
4028 <para>Note that this option does not limit the amount of
4029 data you can put on the disk. In the above case you could still
4030 store much more than 100 MB on the disk, but if a client ever asks
4031 for the amount of free disk space or the total disk size then the
4032 result will be bounded by the amount specified in <parameter>max
4033 disk size</parameter>.</para>
4034
4035 <para>This option is primarily useful to work around bugs
4036 in some pieces of software that can't handle very large disks,
4037 particularly disks over 1GB in size.</para>
4038
4039 <para>A <parameter>max disk size</parameter> of 0 means no limit.</para>
4040
4041 <para>Default: <command>max disk size = 0</command></para>
4042 <para>Example: <command>max disk size = 1000</command></para>
4043 </listitem>
4044 </varlistentry>
4045
4046
4047
4048 <varlistentry>
4049 <term><anchor id="MAXLOGSIZE">max log size (G)</term>
4050 <listitem><para>This option (an integer in kilobytes) specifies
4051 the max size the log file should grow to. Samba periodically checks
4052 the size and if it is exceeded it will rename the file, adding
4053 a <filename>.old</filename> extension.</para>
4054
4055 <para>A size of 0 means no limit.</para>
4056
4057 <para>Default: <command>max log size = 5000</command></para>
4058 <para>Example: <command>max log size = 1000</command></para>
4059 </listitem>
4060 </varlistentry>
4061
4062
4063
4064 <varlistentry>
4065 <term><anchor id="MAXMUX">max mux (G)</term>
4066 <listitem><para>This option controls the maximum number of
4067 outstanding simultaneous SMB operations that samba tells the client
4068 it will allow. You should never need to set this parameter.</para>
4069
4070 <para>Default: <command>max mux = 50</command></para>
4071 </listitem>
4072 </varlistentry>
4073
4074
4075
4076 <varlistentry>
4077 <term><anchor id="MAXOPENFILES">max open files (G)</term>
4078 <listitem><para>This parameter limits the maximum number of
4079 open files that one <ulink url="smbd.8.html">smbd(8)</ulink> file
4080 serving process may have open for a client at any one time. The
4081 default for this parameter is set very high (10,000) as Samba uses
4082 only one bit per unopened file.</para>
4083
4084 <para>The limit of the number of open files is usually set
4085 by the UNIX per-process file descriptor limit rather than
4086 this parameter so you should never need to touch this parameter.</para>
4087
4088 <para>Default: <command>max open files = 10000</command></para>
4089 </listitem>
4090 </varlistentry>
4091
4092
4093
4094 <varlistentry>
4095 <term><anchor id="MAXPRINTJOBS">max print jobs (S)</term>
4096 <listitem><para>This parameter limits the maximum number of
4097 jobs allowable in a Samba printer queue at any given moment.
4098 If this number is exceeded, <ulink url="smbd.8.html"><command>
4099 smbd(8)</command></ulink> will remote "Out of Space" to the client.
4100 See all <link linkend="TOTALPRINTJOBS"><parameter>total
4101 print jobs</parameter></link>.
4102 </para>
4103
4104 <para>Default: <command>max print jobs = 1000</command></para>
4105 <para>Example: <command>max print jobs = 5000</command></para>
4106 </listitem>
4107 </varlistentry>
4108
4109
4110 <varlistentry>
4111 <term><anchor id="MAXPROTOCOL">max protocol (G)</term>
4112 <listitem><para>The value of the parameter (a string) is the highest
4113 protocol level that will be supported by the server.</para>
4114
4115 <para>Possible values are :</para>
4116 <itemizedlist>
4117 <listitem><para><constant>CORE</constant>: Earliest version. No
4118 concept of user names.</para></listitem>
4119
4120 <listitem><para><constant>COREPLUS</constant>: Slight improvements on
4121 CORE for efficiency.</para></listitem>
4122
4123 <listitem><para><constant>LANMAN1</constant>: First <emphasis>
4124 modern</emphasis> version of the protocol. Long filename
4125 support.</para></listitem>
4126
4127 <listitem><para><constant>LANMAN2</constant>: Updates to Lanman1 protocol.
4128 </para></listitem>
4129
4130 <listitem><para><constant>NT1</constant>: Current up to date version of
4131 the protocol. Used by Windows NT. Known as CIFS.</para></listitem>
4132 </itemizedlist>
4133
4134 <para>Normally this option should not be set as the automatic
4135 negotiation phase in the SMB protocol takes care of choosing
4136 the appropriate protocol.</para>
4137
4138 <para>See also <link linkend="MINPROTOCOL"><parameter>min
4139 protocol</parameter></link></para>
4140
4141 <para>Default: <command>max protocol = NT1</command></para>
4142 <para>Example: <command>max protocol = LANMAN1</command></para>
4143 </listitem>
4144 </varlistentry>
4145
4146
4147
4148 <varlistentry>
4149 <term><anchor id="MAXSMBDPROCESSES">max smbd processes (G)</term>
4150 <listitem><para>This parameter limits the maximum number of
4151 <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
4152 processes concurrently running on a system and is intended
4153 as a stop gap to prevent degrading service to clients in the event
4154 that the server has insufficient resources to handle more than this
4155 number of connections. Remember that under normal operating
4156 conditions, each user will have an smbd associated with him or her
4157 to handle connections to all shares from a given host.
4158 </para>
4159
4160 <para>Default: <command>max smbd processes = 0</command> ## no limit</para>
4161 <para>Example: <command>max smbd processes = 1000</command></para>
4162 </listitem>
4163 </varlistentry>
4164
4165
4166
4167
4168 <varlistentry>
4169 <term><anchor id="MAXTTL">max ttl (G)</term>
4170 <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
4171 what the default 'time to live' of NetBIOS names should be (in seconds)
4172 when <command>nmbd</command> is requesting a name using either a
4173 broadcast packet or from a WINS server. You should never need to
4174 change this parameter. The default is 3 days.</para>
4175
4176 <para>Default: <command>max ttl = 259200</command></para>
4177 </listitem>
4178 </varlistentry>
4179
4180
4181
4182 <varlistentry>
4183 <term><anchor id="MAXWINSTTL">max wins ttl (G)</term>
4184 <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)
4185 </ulink> when acting as a WINS server (<link linkend="WINSSUPPORT">
4186 <parameter>wins support=yes</parameter></link>) what the maximum
4187 'time to live' of NetBIOS names that <command>nmbd</command>
4188 will grant will be (in seconds). You should never need to change this
4189 parameter. The default is 6 days (518400 seconds).</para>
4190
4191 <para>See also the <link linkend="MINWINSTTL"><parameter>min
4192 wins ttl"</parameter></link> parameter.</para>
4193
4194 <para>Default: <command>max wins ttl = 518400</command></para>
4195 </listitem>
4196 </varlistentry>
4197
4198
4199
4200 <varlistentry>
4201 <term><anchor id="MAXXMIT">max xmit (G)</term>
4202 <listitem><para>This option controls the maximum packet size
4203 that will be negotiated by Samba. The default is 65535, which
4204 is the maximum. In some cases you may find you get better performance
4205 with a smaller value. A value below 2048 is likely to cause problems.
4206 </para>
4207
4208 <para>Default: <command>max xmit = 65535</command></para>
4209 <para>Example: <command>max xmit = 8192</command></para>
4210 </listitem>
4211 </varlistentry>
4212
4213
4214
4215 <varlistentry>
4216 <term><anchor id="MESSAGECOMMAND">message command (G)</term>
4217 <listitem><para>This specifies what command to run when the
4218 server receives a WinPopup style message.</para>
4219
4220 <para>This would normally be a command that would
4221 deliver the message somehow. How this is to be done is
4222 up to your imagination.</para>
4223
4224 <para>An example is:</para>
4225
4226 <para><command>message command = csh -c 'xedit %s;rm %s' &</command>
4227 </para>
4228
4229 <para>This delivers the message using <command>xedit</command>, then
4230 removes it afterwards. <emphasis>NOTE THAT IT IS VERY IMPORTANT
4231 THAT THIS COMMAND RETURN IMMEDIATELY</emphasis>. That's why I
4232 have the '&' on the end. If it doesn't return immediately then
4233 your PCs may freeze when sending messages (they should recover
4234 after 30secs, hopefully).</para>
4235
4236 <para>All messages are delivered as the global guest user.
4237 The command takes the standard substitutions, although <parameter>
4238 %u</parameter> won't work (<parameter>%U</parameter> may be better
4239 in this case).</para>
4240
4241 <para>Apart from the standard substitutions, some additional
4242 ones apply. In particular:</para>
4243
4244 <itemizedlist>
4245 <listitem><para><parameter>%s</parameter> = the filename containing
4246 the message.</para></listitem>
4247
4248 <listitem><para><parameter>%t</parameter> = the destination that
4249 the message was sent to (probably the server name).</para></listitem>
4250
4251 <listitem><para><parameter>%f</parameter> = who the message
4252 is from.</para></listitem>
4253 </itemizedlist>
4254
4255 <para>You could make this command send mail, or whatever else
4256 takes your fancy. Please let us know of any really interesting
4257 ideas you have.</para>
4258
4259
4260 <para>Here's a way of sending the messages as mail to root:</para>
4261
4262 <para><command>message command = /bin/mail -s 'message from %f on
4263 %m' root &lt; %s; rm %s</command></para>
4264
4265 <para>If you don't have a message command then the message
4266 won't be delivered and Samba will tell the sender there was
4267 an error. Unfortunately WfWg totally ignores the error code
4268 and carries on regardless, saying that the message was delivered.
4269 </para>
4270
4271 <para>If you want to silently delete it then try:</para>
4272
4273 <para><command>message command = rm %s</command></para>
4274
4275 <para>Default: <emphasis>no message command</emphasis></para>
4276 <para>Example: <command>message command = csh -c 'xedit %s;
4277 rm %s' &</command></para>
4278 </listitem>
4279 </varlistentry>
4280
4281
4282
4283
4284 <varlistentry>
4285 <term><anchor id="MINPASSWDLENGTH">min passwd length (G)</term>
4286 <listitem><para>Synonym for <link linkend="MINPASSWORDLENGTH">
4287 <parameter>min password length</parameter></link>.</para>
4288 </listitem>
4289 </varlistentry>
4290
4291
4292
4293 <varlistentry>
4294 <term><anchor id="MINPASSWORDLENGTH">min password length (G)</term>
4295 <listitem><para>This option sets the minimum length in characters
4296 of a plaintext password that <command>smbd</command> will accept when performing
4297 UNIX password changing.</para>
4298
4299 <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix
4300 password sync</parameter></link>, <link linkend="PASSWDPROGRAM">
4301 <parameter>passwd program</parameter></link> and <link
4302 linkend="PASSWDCHATDEBUG"><parameter>passwd chat debug</parameter>
4303 </link>.</para>
4304
4305 <para>Default: <command>min password length = 5</command></para>
4306 </listitem>
4307 </varlistentry>
4308
4309
4310
4311 <varlistentry>
4312 <term><anchor id="MINPRINTSPACE">min print space (S)</term>
4313 <listitem><para>This sets the minimum amount of free disk
4314 space that must be available before a user will be able to spool
4315 a print job. It is specified in kilobytes. The default is 0, which
4316 means a user can always spool a print job.</para>
4317
4318 <para>See also the <link linkend="PRINTING"><parameter>printing
4319 </parameter></link> parameter.</para>
4320
4321 <para>Default: <command>min print space = 0</command></para>
4322 <para>Example: <command>min print space = 2000</command></para>
4323 </listitem>
4324 </varlistentry>
4325
4326
4327
4328
4329 <varlistentry>
4330 <term><anchor id="MINPROTOCOL">min protocol (G)</term>
4331 <listitem><para>The value of the parameter (a string) is the
4332 lowest SMB protocol dialect than Samba will support. Please refer
4333 to the <link linkend="MAXPROTOCOL"><parameter>max protocol</parameter></link>
4334 parameter for a list of valid protocol names and a brief description
4335 of each. You may also wish to refer to the C source code in
4336 <filename>source/smbd/negprot.c</filename> for a listing of known protocol
4337 dialects supported by clients.</para>
4338
4339 <para>If you are viewing this parameter as a security measure, you should
4340 also refer to the <link linkend="LANMANAUTH"><parameter>lanman
4341 auth</parameter></link> parameter. Otherwise, you should never need
4342 to change this parameter.</para>
4343
4344 <para>Default : <command>min protocol = CORE</command></para>
4345 <para>Example : <command>min protocol = NT1</command> # disable DOS
4346 clients</para>
4347 </listitem>
4348 </varlistentry>
4349
4350
4351
4352
4353 <varlistentry>
4354 <term><anchor id="MINWINSTTL">min wins ttl (G)</term>
4355 <listitem><para>This option tells <ulink url="nmbd.8.html">nmbd(8)</ulink>
4356 when acting as a WINS server (<link linkend="WINSSUPPORT"><parameter>
4357 wins support = yes</parameter></link>) what the minimum 'time to live'
4358 of NetBIOS names that <command>nmbd</command> will grant will be (in
4359 seconds). You should never need to change this parameter. The default
4360 is 6 hours (21600 seconds).</para>
4361
4362 <para>Default: <command>min wins ttl = 21600</command></para>
4363 </listitem>
4364 </varlistentry>
4365
4366
4367
4368
4369 <varlistentry>
4370 <term><anchor id="MSDFSROOT">msdfs root (S)</term>
4371 <listitem><para>This boolean parameter is only available if
4372 Samba is configured and compiled with the <command>
4373 --with-msdfs</command> option. If set to <constant>yes></constant>,
4374 Samba treats the share as a Dfs root and allows clients to browse
4375 the distributed file system tree rooted at the share directory.
4376 Dfs links are specified in the share directory by symbolic
4377 links of the form <filename>msdfs:serverA\shareA,serverB\shareB
4378 </filename> and so on. For more information on setting up a Dfs tree
4379 on Samba, refer to <ulink url="msdfs_setup.html">msdfs_setup.html
4380 </ulink>.</para>
4381
4382 <para>See also <link linkend="HOSTMSDFS"><parameter>host msdfs
4383 </parameter></link></para>
4384
4385 <para>Default: <command>msdfs root = no</command></para>
4386 </listitem>
4387 </varlistentry>
4388
4389
4390 <varlistentry>
4391 <term><anchor id="NAMERESOLVEORDER">name resolve order (G)</term>
4392 <listitem><para>This option is used by the programs in the Samba
4393 suite to determine what naming services to use and in what order
4394 to resolve host names to IP addresses. The option takes a space
4395 separated string of name resolution options.</para>
4396
4397 <para>The options are :"lmhosts", "host", "wins" and "bcast". They
4398 cause names to be resolved as follows :</para>
4399
4400 <itemizedlist>
4401 <listitem><para><constant>lmhosts</constant> : Lookup an IP
4402 address in the Samba lmhosts file. If the line in lmhosts has
4403 no name type attached to the NetBIOS name (see the <ulink
4404 url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
4405 any name type matches for lookup.</para></listitem>
4406
4407 <listitem><para><constant>host</constant> : Do a standard host
4408 name to IP address resolution, using the system <filename>/etc/hosts
4409 </filename>, NIS, or DNS lookups. This method of name resolution
4410 is operating system depended for instance on IRIX or Solaris this
4411 may be controlled by the <filename>/etc/nsswitch.conf</filename>
4412 file). Note that this method is only used if the NetBIOS name
4413 type being queried is the 0x20 (server) name type, otherwise
4414 it is ignored.</para></listitem>
4415
4416 <listitem><para><constant>wins</constant> : Query a name with
4417 the IP address listed in the <link linkend="WINSSERVER"><parameter>
4418 wins server</parameter></link> parameter. If no WINS server has
4419 been specified this method will be ignored.</para></listitem>
4420
4421 <listitem><para><constant>bcast</constant> : Do a broadcast on
4422 each of the known local interfaces listed in the <link
4423 linkend="INTERFACES"><parameter>interfaces</parameter></link>
4424 parameter. This is the least reliable of the name resolution
4425 methods as it depends on the target host being on a locally
4426 connected subnet.</para></listitem>
4427 </itemizedlist>
4428
4429 <para>Default: <command>name resolve order = lmhosts host wins bcast
4430 </command></para>
4431 <para>Example: <command>name resolve order = lmhosts bcast host
4432 </command></para>
4433
4434 <para>This will cause the local lmhosts file to be examined
4435 first, followed by a broadcast attempt, followed by a normal
4436 system hostname lookup.</para>
4437 </listitem>
4438 </varlistentry>
4439
4440
4441
4442
4443 <varlistentry>
4444 <term><anchor id="NETBIOSALIASES">netbios aliases (G)</term>
4445 <listitem><para>This is a list of NetBIOS names that <ulink
4446 url="nmbd.8.html">nmbd(8)</ulink> will advertise as additional
4447 names by which the Samba server is known. This allows one machine
4448 to appear in browse lists under multiple names. If a machine is
4449 acting as a browse server or logon server none
4450 of these names will be advertised as either browse server or logon
4451 servers, only the primary name of the machine will be advertised
4452 with these capabilities.</para>
4453
4454 <para>See also <link linkend="NETBIOSNAME"><parameter>netbios
4455 name</parameter></link>.</para>
4456
4457 <para>Default: <emphasis>empty string (no additional names)</emphasis></para>
4458 <para>Example: <command>netbios aliases = TEST TEST1 TEST2</command></para>
4459 </listitem>
4460 </varlistentry>
4461
4462
4463
4464 <varlistentry>
4465 <term><anchor id="NETBIOSNAME">netbios name (G)</term>
4466 <listitem><para>This sets the NetBIOS name by which a Samba
4467 server is known. By default it is the same as the first component
4468 of the host's DNS name. If a machine is a browse server or
4469 logon server this name (or the first component
4470 of the hosts DNS name) will be the name that these services are
4471 advertised under.</para>
4472
4473 <para>See also <link linkend="NETBIOSALIASES"><parameter>netbios
4474 aliases</parameter></link>.</para>
4475
4476 <para>Default: <emphasis>machine DNS name</emphasis></para>
4477 <para>Example: <command>netbios name = MYNAME</command></para>
4478 </listitem>
4479 </varlistentry>
4480
4481
4482
4483 <varlistentry>
4484 <term><anchor id="NETBIOSSCOPE">netbios scope (G)</term>
4485 <listitem><para>This sets the NetBIOS scope that Samba will
4486 operate under. This should not be set unless every machine
4487 on your LAN also sets this value.</para>
4488 </listitem>
4489 </varlistentry>
4490
4491
4492 <varlistentry>
4493 <term><anchor id="NISHOMEDIR">nis homedir (G)</term>
4494 <listitem><para>Get the home share server from a NIS map. For
4495 UNIX systems that use an automounter, the user's home directory
4496 will often be mounted on a workstation on demand from a remote
4497 server. </para>
4498
4499 <para>When the Samba logon server is not the actual home directory
4500 server, but is mounting the home directories via NFS then two
4501 network hops would be required to access the users home directory
4502 if the logon server told the client to use itself as the SMB server
4503 for home directories (one over SMB and one over NFS). This can
4504 be very slow.</para>
4505
4506 <para>This option allows Samba to return the home share as
4507 being on a different server to the logon server and as
4508 long as a Samba daemon is running on the home directory server,
4509 it will be mounted on the Samba client directly from the directory
4510 server. When Samba is returning the home share to the client, it
4511 will consult the NIS map specified in <link linkend="HOMEDIRMAP">
4512 <parameter>homedir map</parameter></link> and return the server
4513 listed there.</para>
4514
4515 <para>Note that for this option to work there must be a working
4516 NIS system and the Samba server with this option must also
4517 be a logon server.</para>
4518
4519 <para>Default: <command>nis homedir = no</command></para>
4520 </listitem>
4521 </varlistentry>
4522
4523
4524
4525 <varlistentry>
4526 <term><anchor id="NTACLSUPPORT">nt acl support (G)</term>
4527 <listitem><para>This boolean parameter controls whether
4528 <ulink url="smbd.8.html">smbd(8)</ulink> will attempt to map
4529 UNIX permissions into Windows NT access control lists.</para>
4530
4531 <para>Default: <command>nt acl support = yes</command></para>
4532 </listitem>
4533 </varlistentry>
4534
4535
4536
4537 <varlistentry>
4538 <term><anchor id="NTPIPESUPPORT">nt pipe support (G)</term>
4539 <listitem><para>This boolean parameter controls whether
4540 <ulink url="smbd.8.html">smbd(8)</ulink> will allow Windows NT
4541 clients to connect to the NT SMB specific <constant>IPC$</constant>
4542 pipes. This is a developer debugging option and can be left
4543 alone.</para>
4544
4545 <para>Default: <command>nt pipe support = yes</command></para>
4546 </listitem>
4547 </varlistentry>
4548
4549
4550
4551 <varlistentry>
4552 <term><anchor id="NTSMBSUPPORT">nt smb support (G)</term>
4553 <listitem><para>This boolean parameter controls whether <ulink
4554 url="smbd.8.html">smbd(8)</ulink> will negotiate NT specific SMB
4555 support with Windows NT clients. Although this is a developer
4556 debugging option and should be left alone, benchmarking has discovered
4557 that Windows NT clients give faster performance with this option
4558 set to <constant>no</constant>. This is still being investigated.
4559 If this option is set to <constant>no</constant> then Samba offers
4560 exactly the same SMB calls that versions prior to Samba 2.0 offered.
4561 This information may be of use if any users are having problems
4562 with NT SMB support.</para>
4563
4564 <para>You should not need to ever disable this parameter.</para>
4565
4566 <para>Default: <command>nt smb support = yes</command></para>
4567 </listitem>
4568 </varlistentry>
4569
4570
4571
4572 <varlistentry>
4573 <term><anchor id="NULLPASSWORDS">null passwords (G)</term>
4574 <listitem><para>Allow or disallow client access to accounts
4575 that have null passwords. </para>
4576
4577 <para>See also <ulink url="smbpasswd.5.html">smbpasswd (5)</ulink>.</para>
4578
4579 <para>Default: <command>null passwords = no</command></para>
4580 </listitem>
4581 </varlistentry>
4582
4583
4584
4585 <varlistentry>
4586 <term><anchor id="ONLYUSER">only user (S)</term>
4587 <listitem><para>This is a boolean option that controls whether
4588 connections with usernames not in the <parameter>user</parameter>
4589 list will be allowed. By default this option is disabled so that a
4590 client can supply a username to be used by the server. Enabling
4591 this parameter will force the server to only user the login
4592 names from the <parameter>user</parameter> list and is only really
4593 useful in <link linkend="SECURITYEQUALSSHARE">shave level</link>
4594 security.</para>
4595
4596 <para>Note that this also means Samba won't try to deduce
4597 usernames from the service name. This can be annoying for
4598 the [homes] section. To get around this you could use <command>user =
4599 %S</command> which means your <parameter>user</parameter> list
4600 will be just the service name, which for home directories is the
4601 name of the user.</para>
4602
4603 <para>See also the <link linkend="USER"><parameter>user</parameter>
4604 </link> parameter.</para>
4605
4606 <para>Default: <command>only user = no</command></para>
4607 </listitem>
4608 </varlistentry>
4609
4610
4611
4612
4613
4614 <varlistentry>
4615 <term><anchor id="OLELOCKINGCOMPATIBILITY">ole locking compatibility (G)</term>
4616 <listitem><para>This parameter allows an administrator to turn
4617 off the byte range lock manipulation that is done within Samba to
4618 give compatibility for OLE applications. Windows OLE applications
4619 use byte range locking as a form of inter-process communication, by
4620 locking ranges of bytes around the 2^32 region of a file range. This
4621 can cause certain UNIX lock managers to crash or otherwise cause
4622 problems. Setting this parameter to <constant>no</constant> means you
4623 trust your UNIX lock manager to handle such cases correctly.</para>
4624
4625 <para>Default: <command>ole locking compatibility = yes</command></para>
4626 </listitem>
4627 </varlistentry>
4628
4629
4630
4631 <varlistentry>
4632 <term><anchor id="ONLYGUEST">only guest (S)</term>
4633 <listitem><para>A synonym for <link linkend="GUESTONLY"><parameter>
4634 guest only</parameter></link>.</para>
4635 </listitem>
4636 </varlistentry>
4637
4638
4639
4640 <varlistentry>
4641 <term><anchor id="OPLOCKBREAKWAITTIME">oplock break wait time (G)</term>
4642 <listitem><para>This is a tuning parameter added due to bugs in
4643 both Windows 9x and WinNT. If Samba responds to a client too
4644 quickly when that client issues an SMB that can cause an oplock
4645 break request, then the network client can fail and not respond
4646 to the break request. This tuning parameter (which is set in milliseconds)
4647 is the amount of time Samba will wait before sending an oplock break
4648 request to such (broken) clients.</para>
4649
4650 <para><emphasis>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4651 AND UNDERSTOOD THE SAMBA OPLOCK CODE</emphasis>.</para>
4652
4653 <para>Default: <command>oplock break wait time = 0</command></para>
4654 </listitem>
4655 </varlistentry>
4656
4657
4658 <varlistentry>
4659 <term><anchor id="OPLOCKCONTENTIONLIMIT">oplock contention limit (S)</term>
4660 <listitem><para>This is a <emphasis>very</emphasis> advanced
4661 <ulink url="smbd.8.html">smbd(8)</ulink> tuning option to
4662 improve the efficiency of the granting of oplocks under multiple
4663 client contention for the same file.</para>
4664
4665 <para>In brief it specifies a number, which causes smbd not to
4666 grant an oplock even when requested if the approximate number of
4667 clients contending for an oplock on the same file goes over this
4668 limit. This causes <command>smbd</command> to behave in a similar
4669 way to Windows NT.</para>
4670
4671 <para><emphasis>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4672 AND UNDERSTOOD THE SAMBA OPLOCK CODE</emphasis>.</para>
4673
4674 <para>Default: <command>oplock contention limit = 2</command></para>
4675 </listitem>
4676 </varlistentry>
4677
4678
4679
4680
4681
4682 <varlistentry>
4683 <term><anchor id="OPLOCKS">oplocks (S)</term>
4684 <listitem><para>This boolean option tells smbd whether to
4685 issue oplocks (opportunistic locks) to file open requests on this
4686 share. The oplock code can dramatically (approx. 30% or more) improve
4687 the speed of access to files on Samba servers. It allows the clients
4688 to aggressively cache files locally and you may want to disable this
4689 option for unreliable network environments (it is turned on by
4690 default in Windows NT Servers). For more information see the file
4691 <filename>Speed.txt</filename> in the Samba <filename>docs/</filename>
4692 directory.</para>
4693
4694 <para>Oplocks may be selectively turned off on certain files with a
4695 share. See the <link linkend="VETOOPLOCKFILES"><parameter>
4696 veto oplock files</parameter></link> parameter. On some systems
4697 oplocks are recognized by the underlying operating system. This
4698 allows data synchronization between all access to oplocked files,
4699 whether it be via Samba or NFS or a local UNIX process. See the
4700 <parameter>kernel oplocks</parameter> parameter for details.</para>
4701
4702 <para>See also the <link linkend="KERNELOPLOCKS"><parameter>kernel
4703 oplocks</parameter></link> and <link linkend="LEVEL2OPLOCKS"><parameter>
4704 level2 oplocks</parameter></link> parameters.</para>
4705
4706 <para>Default: <command>oplocks = yes</command></para>
4707 </listitem>
4708 </varlistentry>
4709
4710
4711
4712 <varlistentry>
4713 <term><anchor id="OSLEVEL">os level (G)</term>
4714 <listitem><para>This integer value controls what level Samba
4715 advertises itself as for browse elections. The value of this
4716 parameter determines whether <ulink url="nmbd.8.html">nmbd(8)</ulink>
4717 has a chance of becoming a local master browser for the <parameter>
4718 WORKGROUP</parameter> in the local broadcast area.</para>
4719
4720 <para><emphasis>Note :</emphasis>By default, Samba will win
4721 a local master browsing election over all Microsoft operating
4722 systems except a Windows NT 4.0/2000 Domain Controller. This
4723 means that a misconfigured Samba host can effectively isolate
4724 a subnet for browsing purposes. See <filename>BROWSING.txt
4725 </filename> in the Samba <filename>docs/</filename> directory
4726 for details.</para>
4727
4728 <para>Default: <command>os level = 20</command></para>
4729 <para>Example: <command>os level = 65 </command></para>
4730 </listitem>
4731 </varlistentry>
4732
4733
4734
4735 <varlistentry>
4736 <term><anchor id="OS2DRIVERMAP">os2 driver map (G)</term>
4737 <listitem><para>The parameter is used to define the absolute
4738 path to a file containing a mapping of Windows NT printer driver
4739 names to OS/2 printer driver names. The format is:</para>
4740
4741 <para>&lt;nt driver name&gt; = &lt;os2 driver
4742 name&gt;.&lt;device name&gt;</para>
4743
4744 <para>For example, a valid entry using the HP LaserJet 5
4745 printer driver woudl appear as <command>HP LaserJet 5L = LASERJET.HP
4746 LaserJet 5L</command>.</para>
4747
4748 <para>The need for the file is due to the printer driver namespace
4749 problem described in the <ulink url="printer_driver2.html">Samba
4750 Printing HOWTO</ulink>. For more details on OS/2 clients, please
4751 refer to the <ulink url="OS2-Client-HOWTO.html">OS2-Client-HOWTO
4752 </ulink> containing in the Samba documentation.</para>
4753
4754 <para>Default: <command>os2 driver map = &lt;empty string&gt;
4755 </command></para>
4756 </listitem>
4757 </varlistentry>
4758
4759
4760
4761 <varlistentry>
4762 <term><anchor id="PANICACTION">panic action (G)</term>
4763 <listitem><para>This is a Samba developer option that allows a
4764 system command to be called when either <ulink url="smbd.8.html">
4765 smbd(8)</ulink> or <ulink url="nmbd.8.html">nmbd(8)</ulink>
4766 crashes. This is usually used to draw attention to the fact that
4767 a problem occurred.</para>
4768
4769 <para>Default: <command>panic action = &lt;empty string&gt;</command></para>
4770 <para>Example: <command>panic action = "/bin/sleep 90000"</command></para>
4771 </listitem>
4772 </varlistentry>
4773
4774
4775 <varlistentry>
4776 <term><anchor id="PASSWDCHAT">passwd chat (G)</term>
4777 <listitem><para>This string controls the <emphasis>"chat"</emphasis>
4778 conversation that takes places between <ulink
4779 url="smbd.8.html">smbd</ulink> and the local password changing
4780 program to change the users password. The string describes a
4781 sequence of response-receive pairs that <ulink url="smbd.8.html">
4782 smbd(8)</ulink> uses to determine what to send to the
4783 <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter>
4784 </link> and what to expect back. If the expected output is not
4785 received then the password is not changed.</para>
4786
4787 <para>This chat sequence is often quite site specific, depending
4788 on what local methods are used for password control (such as NIS
4789 etc).</para>
4790
4791 <para>The string can contain the macros <parameter>%o</parameter>
4792 and <parameter>%n</parameter> which are substituted for the old
4793 and new passwords respectively. It can also contain the standard
4794 macros <constant>\n</constant>, <constant>\r</constant>, <constant>
4795 \t</constant> and <constant>%s</constant> to give line-feed,
4796 carriage-return, tab and space.</para>
4797
4798 <para>The string can also contain a '*' which matches
4799 any sequence of characters.</para>
4800
4801 <para>Double quotes can be used to collect strings with spaces
4802 in them into a single string.</para>
4803
4804 <para>If the send string in any part of the chat sequence
4805 is a fullstop ".", then no string is sent. Similarly,
4806 if the expect string is a fullstop then no string is expected.</para>
4807
4808 <para>Note that if the <link linkend="UNIXPASSWORDSYNC"><parameter>unix
4809 password sync</parameter></link> parameter is set to true, then this
4810 sequence is called <emphasis>AS ROOT</emphasis> when the SMB password
4811 in the smbpasswd file is being changed, without access to the old
4812 password cleartext. In this case the old password cleartext is set
4813 to "" (the empty string).</para>
4814
4815 <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix password
4816 sync</parameter></link>, <link linkend="PASSWDPROGRAM"><parameter>
4817 passwd program</parameter></link> and <link linkend="PASSWDCHATDEBUG">
4818 <parameter>passwd chat debug</parameter></link>.</para>
4819
4820 <para>Default: <command>passwd chat = *new*password* %n\n
4821 *new*password* %n\n *changed*</command></para>
4822 <para>Example: <command>passwd chat = "*Enter OLD password*" %o\n
4823 "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password
4824 changed*"</command></para>
4825 </listitem>
4826 </varlistentry>
4827
4828
4829
4830 <varlistentry>
4831 <term><anchor id="PASSWDCHATDEBUG">passwd chat debug (G)</term>
4832 <listitem><para>This boolean specifies if the passwd chat script
4833 parameter is run in <emphasis>debug</emphasis> mode. In this mode the
4834 strings passed to and received from the passwd chat are printed
4835 in the <ulink url="smbd.8.html">smbd(8)</ulink> log with a
4836 <link linkend="DEBUGLEVEL"><parameter>debug level</parameter></link>
4837 of 100. This is a dangerous option as it will allow plaintext passwords
4838 to be seen in the <command>smbd</command> log. It is available to help
4839 Samba admins debug their <parameter>passwd chat</parameter> scripts
4840 when calling the <parameter>passwd program</parameter> and should
4841 be turned off after this has been done. This parameter is off by
4842 default.</para>
4843
4844 <para>See also <<link linkend="PASSWDCHAT"><parameter>passwd chat</parameter>
4845 </link>, <link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter>
4846 </link>.</para>
4847
4848 <para>Default: <command>passwd chat debug = no</command></para>
4849 </listitem>
4850 </varlistentry>
4851
4852
4853
4854 <varlistentry>
4855 <term><anchor id="PASSWDPROGRAM">passwd program (G)</term>
4856 <listitem><para>The name of a program that can be used to set
4857 UNIX user passwords. Any occurrences of <parameter>%u</parameter>
4858 will be replaced with the user name. The user name is checked for
4859 existence before calling the password changing program.</para>
4860
4861 <para>Also note that many passwd programs insist in <emphasis>reasonable
4862 </emphasis> passwords, such as a minimum length, or the inclusion
4863 of mixed case chars and digits. This can pose a problem as some clients
4864 (such as Windows for Workgroups) uppercase the password before sending
4865 it.</para>
4866
4867 <para><emphasis>Note</emphasis> that if the <parameter>unix
4868 password sync</parameter> parameter is set to <constant>True
4869 </constant> then this program is called <emphasis>AS ROOT</emphasis>
4870 before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5)
4871 </ulink> file is changed. If this UNIX password change fails, then
4872 <command>smbd</command> will fail to change the SMB password also
4873 (this is by design).</para>
4874
4875 <para>If the <parameter>unix password sync</parameter> parameter
4876 is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis>
4877 for <emphasis>ALL</emphasis> programs called, and must be examined
4878 for security implications. Note that by default <parameter>unix
4879 password sync</parameter> is set to <constant>False</constant>.</para>
4880
4881 <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter>unix
4882 password sync</parameter></link>.</para>
4883
4884 <para>Default: <command>passwd program = /bin/passwd</command></para>
4885 <para>Example: <command>passwd program = /sbin/npasswd %u</command>
4886 </para>
4887 </listitem>
4888 </varlistentry>
4889
4890
4891
4892 <varlistentry>
4893 <term><anchor id="PASSWORDLEVEL">password level (G)</term>
4894 <listitem><para>Some client/server combinations have difficulty
4895 with mixed-case passwords. One offending client is Windows for
4896 Workgroups, which for some reason forces passwords to upper
4897 case when using the LANMAN1 protocol, but leaves them alone when
4898 using COREPLUS! Another problem child is the Windows 95/98
4899 family of operating systems. These clients upper case clear
4900 text passwords even when NT LM 0.12 selected by the protocol
4901 negotiation request/response.</para>
4902
4903 <para>This parameter defines the maximum number of characters
4904 that may be upper case in passwords.</para>
4905
4906 <para>For example, say the password given was "FRED". If <parameter>
4907 password level</parameter> is set to 1, the following combinations
4908 would be tried if "FRED" failed:</para>
4909
4910 <para>"Fred", "fred", "fRed", "frEd","freD"</para>
4911
4912 <para>If <parameter>password level</parameter> was set to 2,
4913 the following combinations would also be tried: </para>
4914
4915 <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para>
4916
4917 <para>And so on.</para>
4918
4919 <para>The higher value this parameter is set to the more likely
4920 it is that a mixed case password will be matched against a single
4921 case password. However, you should be aware that use of this
4922 parameter reduces security and increases the time taken to
4923 process a new connection.</para>
4924
4925 <para>A value of zero will cause only two attempts to be
4926 made - the password as is and the password in all-lower case.</para>
4927
4928 <para>Default: <command>password level = 0</command></para>
4929 <para>Example: <command>password level = 4</command</para>
4930 </listitem>
4931 </varlistentry>
4932
4933
4934
4935 <varlistentry>
4936 <term><anchor id="PASSWORDSERVER">password server (G)</term>
4937 <listitem><para>By specifying the name of another SMB server (such
4938 as a WinNT box) with this option, and using <command>security = domain
4939 </command> or <command>security = server</command> you can get Samba
4940 to do all its username/password validation via a remote server.</para>
4941
4942 <para>This option sets the name of the password server to use.
4943 It must be a NetBIOS name, so if the machine's NetBIOS name is
4944 different from its Internet name then you may have to add its NetBIOS
4945 name to the lmhosts file which is stored in the same directory
4946 as the <filename>smb.conf</filename> file.</para>
4947
4948 <para>The name of the password server is looked up using the
4949 parameter <link linkend="NAMERESOLVEORDER"><parameter>name
4950 resolve order</parameter></link> and so may resolved
4951 by any method and order described in that parameter.</para>
4952
4953 <para>The password server much be a machine capable of using
4954 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
4955 user level security mode.</para>
4956
4957 <para><emphasis>NOTE:</emphasis> Using a password server
4958 means your UNIX box (running Samba) is only as secure as your
4959 password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT
4960 YOU DON'T COMPLETELY TRUST</emphasis>.</para>
4961
4962 <para>Never point a Samba server at itself for password
4963 serving. This will cause a loop and could lock up your Samba
4964 server!</para>
4965
4966 <para>The name of the password server takes the standard
4967 substitutions, but probably the only useful one is <parameter>%m
4968 </parameter>, which means the Samba server will use the incoming
4969 client as the password server. If you use this then you better
4970 trust your clients, and you had better restrict them with hosts allow!</para>
4971
4972 <para>If the <parameter>security</parameter> parameter is set to
4973 <constant>domain</constant>, then the list of machines in this
4974 option must be a list of Primary or Backup Domain controllers for the
4975 Domain or the character '*', as the Samba server is effectively
4976 in that domain, and will use cryptographically authenticated RPC calls
4977 to authenticate the user logging on. The advantage of using <command>
4978 security = domain</command> is that if you list several hosts in the
4979 <parameter>password server</parameter> option then <command>smbd
4980 </command> will try each in turn till it finds one that responds. This
4981 is useful in case your primary server goes down.</para>
4982
4983 <para>If the <parameter>password server</parameter> option is set
4984 to the character '*', then Samba will attempt to auto-locate the
4985 Primary or Backup Domain controllers to authenticate against by
4986 doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
4987 and then contacting each server returned in the list of IP
4988 addresses from the name resolution source. </para>
4989
4990 <para>If the <parameter>security</parameter> parameter is
4991 set to <constant>server</constant>, then there are different
4992 restrictions that <command>security = domain</command> doesn't
4993 suffer from:</para>
4994
4995 <itemizedlist>
4996 <listitem><para>You may list several password servers in
4997 the <parameter>password server</parameter> parameter, however if an
4998 <command>smbd</command> makes a connection to a password server,
4999 and then the password server fails, no more users will be able
5000 to be authenticated from this <command>smbd</command>. This is a
5001 restriction of the SMB/CIFS protocol when in <command>security=server
5002 </command> mode and cannot be fixed in Samba.</para></listitem>
5003
5004 <listitem><para>If you are using a Windows NT server as your
5005 password server then you will have to ensure that your users
5006 are able to login from the Samba server, as when in <command>
5007 security=server</command> mode the network logon will appear to
5008 come from there rather than from the users workstation.</para></listitem>
5009 </itemizedlist>
5010
5011 <para>See also the <link linkend="SECURITY"><parameter>security
5012 </parameter></link> parameter.</para>
5013
5014 <para>Default: <command>password server = &lt;empty string&gt;</command>
5015 </para>
5016 <para>Example: <command>password server = NT-PDC, NT-BDC1, NT-BDC2
5017 </command></para>
5018 <para>Example: <command>password server = *</command></para>
5019 </listitem>
5020 </varlistentry>
5021
5022
5023
5024 <varlistentry>
5025 <term><anchor id="PATH">path (S)</term>
5026 <listitem><para>This parameter specifies a directory to which
5027 the user of the service is to be given access. In the case of
5028 printable services, this is where print data will spool prior to
5029 being submitted to the host for printing.</para>
5030
5031 <para>For a printable service offering guest access, the service
5032 should be readonly and the path should be world-writeable and
5033 have the sticky bit set. This is not mandatory of course, but
5034 you probably won't get the results you expect if you do
5035 otherwise.</para>
5036
5037 <para>Any occurrences of <parameter>%u</parameter> in the path
5038 will be replaced with the UNIX username that the client is using
5039 on this connection. Any occurrences of <parameter>%m</parameter>
5040 will be replaced by the NetBIOS name of the machine they are
5041 connecting from. These replacements are very useful for setting
5042 up pseudo home directories for users.</para>
5043
5044 <para>Note that this path will be based on <link linkend="ROOTDIR">
5045 <parameter>root dir</parameter></link> if one was specified.</para>
5046
5047 <para>Default: <emphasis>none</emphasis></para>
5048 <para>Example: <command>path = /home/fred</command></para>
5049 </listitem>
5050 </varlistentry>
5051
5052
5053
5054
5055 <varlistentry>
5056 <term><anchor id="POSIXLOCKING">posix locking (S)</term>
5057 <listitem><para>The <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>
5058 daemon maintains an database of file locks obtained by SMB clients.
5059 The default behavior is to map this internal database to POSIX
5060 locks. This means that file locks obtained by SMB clients are
5061 consistent with those seen by POSIX compliant applications accessing
5062 the files via a non-SMB method (e.g. NFS or local file access).
5063 You should never need to disable this parameter.</para>
5064
5065 <para>Default: <command>posix locking = yes</command></para>
5066 </listitem>
5067 </varlistentry>
5068
5069
5070
5071
5072 <varlistentry>
5073 <term><anchor id="POSTEXEC">postexec (S)</term>
5074 <listitem><para>This option specifies a command to be run
5075 whenever the service is disconnected. It takes the usual
5076 substitutions. The command may be run as the root on some
5077 systems.</para>
5078
5079 <para>An interesting example may be do unmount server
5080 resources:</para>
5081
5082 <para><command>postexec = /etc/umount /cdrom</command></para>
5083
5084 <para>See also <link linkend="PREEXEC"><parameter>preexec</parameter>
5085 </link>.</para>
5086
5087 <para>Default: <emphasis>none (no command executed)</emphasis>
5088 </para>
5089
5090 <para>Example: <command>postexec = echo \"%u disconnected from %S
5091 from %m (%I)\" &gt;&gt; /tmp/log</command></para>
5092 </listitem>
5093 </varlistentry>
5094
5095
5096
5097 <varlistentry>
5098 <term><anchor id="POSTSCRIPT">postscript (S)</term>
5099 <listitem><para>This parameter forces a printer to interpret
5100 the print files as postscript. This is done by adding a <constant>%!
5101 </constant> to the start of print output.</para>
5102
5103 <para>This is most useful when you have lots of PCs that persist
5104 in putting a control-D at the start of print jobs, which then
5105 confuses your printer.</para>
5106
5107 <para>Default: <command>postscript = no</command></para>
5108 </listitem>
5109 </varlistentry>
5110
5111
5112
5113 <varlistentry>
5114 <term><anchor id="PREEXEC">preexec (S)</term>
5115 <listitem><para>This option specifies a command to be run whenever
5116 the service is connected to. It takes the usual substitutions.</para>
5117
5118 <para>An interesting example is to send the users a welcome
5119 message every time they log in. Maybe a message of the day? Here
5120 is an example:</para>
5121
5122 <para><command>preexec = csh -c 'echo \"Welcome to %S!\" |
5123 /usr/local/samba/bin/smbclient -M %m -I %I' & </command></para>
5124
5125 <para>Of course, this could get annoying after a while :-)</para>
5126
5127 <para>See also <link linkend="PREEXECCLOSE"><parameter>preexec close
5128 </parameter</link> and <link linkend="POSTEXEC"><parameter>postexec
5129 </parameter></link>.</para>
5130
5131 <para>Default: <emphasis>none (no command executed)</emphasis></para>
5132 <para>Example: <command>preexec = echo \"%u connected to %S from %m
5133 (%I)\" &gt;&gt; /tmp/log</command></para>
5134 </listitem>
5135 </varlistentry>
5136
5137
5138
5139 <varlistentry>
5140 <term><anchor id="PREEXECCLOSE">preexec close (S)</term>
5141 <listitem><para>This boolean option controls whether a non-zero
5142 return code from <link linkend="PREEXEC"><parameter>preexec
5143 </parameter></link> should close the service being connected to.</para>
5144
5145 <para>Default: <command>preexec close = no</command></para>
5146 </listitem>
5147 </varlistentry>
5148
5149
5150 <varlistentry>
5151 <term><anchor id="PREFERREDMASTER">preferred master (G)</term>
5152 <listitem><para>This boolean parameter controls if <ulink
5153 url="nmbd.8.html">nmbd(8)</ulink> is a preferred master browser
5154 for its workgroup.</para>
5155
5156 <para>If this is set to true, on startup, <command>nmbd</command>
5157 will force an election, and it will have a slight advantage in
5158 winning the election. It is recommended that this parameter is
5159 used in conjunction with <command><link linkend="DOMAINMASTER"><parameter>
5160 domain master</parameter></link> = yes</command>, so that <command>
5161 nmbd</command> can guarantee becoming a domain master.</para>
5162
5163 <para>Use this option with caution, because if there are several
5164 hosts (whether Samba servers, Windows 95 or NT) that are preferred
5165 master browsers on the same subnet, they will each periodically
5166 and continuously attempt to become the local master browser.
5167 This will result in unnecessary broadcast traffic and reduced browsing
5168 capabilities.</para>
5169
5170 <para>See also <link linkend="OSLEVEL"><parameter>os level</parameter>
5171 </link>.</para>
5172
5173 <para>Default: <command>preferred master = auto</command></para>
5174 </listitem>
5175 </varlistentry>
5176
5177
5178
5179 <varlistentry>
5180 <term><anchor id="PREFEREDMASTER">prefered master (G)</term>
5181 <listitem><para>Synonym for <link linkend="PREFERREDMASTER"><parameter>
5182 preferred master</parameter></link> for people who cannot spell :-).</para>
5183 </listitem>
5184 </varlistentry>
5185
5186
5187
5188 <varlistentry>
5189 <term><anchor id="PRELOAD">preload</term>
5190 <listitem><para>This is a list of services that you want to be
5191 automatically added to the browse lists. This is most useful
5192 for homes and printers services that would otherwise not be
5193 visible.</para>
5194
5195 <para>Note that if you just want all printers in your
5196 printcap file loaded then the <link linkend="LOADPRINTERS">
5197 <parameter>load printers</parameter></link> option is easier.</para>
5198
5199 <para>Default: <emphasis>no preloaded services</emphasis></para>
5200
5201 <para>Example: <command>preload = fred lp colorlp</command></para>
5202 </listitem>
5203 </varlistentry>
5204
5205
5206 <varlistentry>
5207 <term><anchor id="PRESERVECASE">preserve case (S)</term>
5208 <listitem><para> This controls if new filenames are created
5209 with the case that the client passes, or if they are forced to
5210 be the <link linkend="DEFAULTCASE"><parameter>default case
5211 </parameter></link>.</para>
5212
5213 <para>Default: <command>preserve case = yes</command></para>
5214
5215 <para>See the section on <link linkend="NAMEMANGLINGSECT">NAME
5216 MANGLING</link> for a fuller discussion.</para>
5217 </listitem>
5218 </varlistentry>
5219
5220
5221
5222 <varlistentry>
5223 <term><anchor id="PRINTCOMMAND">print command (S)</term>
5224 <listitem><para>After a print job has finished spooling to
5225 a service, this command will be used via a <command>system()</command>
5226 call to process the spool file. Typically the command specified will
5227 submit the spool file to the host's printing subsystem, but there
5228 is no requirement that this be the case. The server will not remove
5229 the spool file, so whatever command you specify should remove the
5230 spool file when it has been processed, otherwise you will need to
5231 manually remove old spool files.</para>
5232
5233 <para>The print command is simply a text string. It will be used
5234 verbatim, with two exceptions: All occurrences of <parameter>%s
5235 </parameter> and <parameter>%f</parameter> will be replaced by the
5236 appropriate spool file name, and all occurrences of <parameter>%p
5237 </parameter> will be replaced by the appropriate printer name. The
5238 spool file name is generated automatically by the server, the printer
5239 name is discussed below.</para>
5240
5241 <para>The print command <emphasis>MUST</emphasis> contain at least
5242 one occurrence of <parameter>%s</parameter> or <parameter>%f
5243 </parameter> - the <parameter>%p</parameter> is optional. At the time
5244 a job is submitted, if no printer name is supplied the <parameter>%p
5245 </parameter> will be silently removed from the printer command.</para>
5246
5247 <para>If specified in the [global] section, the print command given
5248 will be used for any printable service that does not have its own
5249 print command specified.</para>
5250
5251 <para>If there is neither a specified print command for a
5252 printable service nor a global print command, spool files will
5253 be created but not processed and (most importantly) not removed.</para>
5254
5255 <para>Note that printing may fail on some UNIXes from the
5256 <constant>nobody</constant> account. If this happens then create
5257 an alternative guest account that can print and set the <link
5258 linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>
5259 in the [global] section.</para>
5260
5261 <para>You can form quite complex print commands by realizing
5262 that they are just passed to a shell. For example the following
5263 will log a print job, print the file, then remove it. Note that
5264 ';' is the usual separator for command in shell scripts.</para>
5265
5266 <para><command>print command = echo Printing %s &gt;&gt;
5267 /tmp/print.log; lpr -P %p %s; rm %s</command></para>
5268
5269 <para>You may have to vary this command considerably depending
5270 on how you normally print files on your system. The default for
5271 the parameter varies depending on the setting of the <link linkend="PRINTING">
5272 <parameter>printing</parameter></link> parameter.</para>
5273
5274 <para>Default: For <command>printing= BSD, AIX, QNX, LPRNG
5275 or PLP :</command></para>
5276 <para><command>print command = lpr -r -P%p %s</command></para>
5277
5278 <para>For <command>printing= SYS or HPUX :</command></para>
5279 <para><command>print command = lp -c -d%p %s; rm %s</command></para>
5280
5281 <para>For <command>printing=SOFTQ :</command></para>
5282 <para><command>print command = lp -d%p -s %s; rm %s</command></para>
5283
5284 <para>Example: <command>print command = /usr/local/samba/bin/myprintscript
5285 %p %s</command></para>
5286 </listitem>
5287 </varlistentry>
5288
5289
5290
5291 <varlistentry>
5292 <term><anchor id="PRINTOK">print ok (S)</term>
5293 <listitem><para>Synonym for <link linkend="PRINTABLE">
5294 <parameter>printable</parameter></link>.</para>
5295 </listitem>
5296 </varlistentry>
5297
5298
5299
5300
5301 <varlistentry>
5302 <term><anchor id="PRINTABLE">printable (S)</term>
5303 <listitem><para>If this parameter is <constant>yes</constant>, then
5304 clients may open, write to and submit spool files on the directory
5305 specified for the service. </para>
5306
5307 <para>Note that a printable service will ALWAYS allow writing
5308 to the service path (user privileges permitting) via the spooling
5309 of print data. The <link linkend="WRITEABLE"><parameter>writeable
5310 </parameter></link> parameter controls only non-printing access to
5311 the resource.</para>
5312
5313 <para>Default: <command>printable = no</command></para>
5314 </listitem>
5315 </varlistentry>
5316
5317
5318
5319 <varlistentry>
5320 <term><anchor id="PRINTCAP">printcap (G)</term>
5321 <listitem><para>Synonym for <link linkend="PRINTCAPNAME"><parameter>
5322 printcap name</parameter></link>.</para>
5323 </listitem>
5324 </varlistentry>
5325
5326
5327
5328
5329 <varlistentry>
5330 <term><anchor id="PRINTCAPNAME">printcap name (G)</term>
5331 <listitem><para>This parameter may be used to override the
5332 compiled-in default printcap name used by the server (usually <filename>
5333 /etc/printcap</filename>). See the discussion of the <link
5334 linkend="PRINTERSSECT">[printers]</link> section above for reasons
5335 why you might want to do this.</para>
5336
5337 <para>On System V systems that use <command>lpstat</command> to
5338 list available printers you can use <command>printcap name = lpstat
5339 </command> to automatically obtain lists of available printers. This
5340 is the default for systems that define SYSV at configure time in
5341 Samba (this includes most System V based systems). If <parameter>
5342 printcap name</parameter> is set to <command>lpstat</command> on
5343 these systems then Samba will launch <command>lpstat -v</command> and
5344 attempt to parse the output to obtain a printer list.</para>
5345
5346 <para>A minimal printcap file would look something like this:</para>
5347
5348 <para><programlisting>
5349 print1|My Printer 1
5350 print2|My Printer 2
5351 print3|My Printer 3
5352 print4|My Printer 4
5353 print5|My Printer 5
5354 </programlisting></para>
5355
5356 <para>where the '|' separates aliases of a printer. The fact
5357 that the second alias has a space in it gives a hint to Samba
5358 that it's a comment.</para>
5359
5360 <para><emphasis>NOTE</emphasis>: Under AIX the default printcap
5361 name is <filename>/etc/qconfig</filename>. Samba will assume the
5362 file is in AIX <filename>qconfig</filename> format if the string
5363 <filename>qconfig</filename> appears in the printcap filename.</para>
5364
5365 <para>Default: <command>printcap name = /etc/printcap</command></para>
5366 <para>Example: <command>printcap name = /etc/myprintcap</command></para>
5367 </listitem>
5368 </varlistentry>
5369
5370
5371
5372
5373
5374 <varlistentry>
5375 <term><anchor id="PRINTERADMIN">printer admin (S)</term>
5376 <listitem><para>This is a list of users that can do anything to
5377 printers via the remote administration interfaces offered by MS-RPC
5378 (usually using a NT workstation). Note that the root user always
5379 has admin rights.</para>
5380
5381 <para>Default: <command>printer admin = &lt;empty string&gt;</command>
5382 </para>
5383 <para>Example: <command>printer admin = admin, @staff</command></para>
5384 </listitem>
5385 </varlistentry>
5386
5387
5388
5389
5390
5391 <varlistentry>
5392 <term><anchor id="PRINTERDRIVER">printer driver (S)</term>
5393 <listitem><para><emphasis>Note :</emphasis>This is a depreciated
5394 parameter and will be removed in the next major release
5395 following version 2.2. Please see the instructions in
5396 <filename>PRINTER_DRIVER2.txt</filename> in the <filename>docs
5397 </filename> of the Samba distribution for more information
5398 on the new method of loading printer drivers onto a Samba server.
5399 </para>
5400
5401 <para>This option allows you to control the string
5402 that clients receive when they ask the server for the printer driver
5403 associated with a printer. If you are using Windows95 or Windows NT
5404 then you can use this to automate the setup of printers on your
5405 system.</para>
5406
5407 <para>You need to set this parameter to the exact string (case
5408 sensitive) that describes the appropriate printer driver for your
5409 system. If you don't know the exact string to use then you should
5410 first try with no <link linkend="PRINTERDRIVER"><parameter>
5411 printer driver</parameter></link> option set and the client will
5412 give you a list of printer drivers. The appropriate strings are
5413 shown in a scroll box after you have chosen the printer manufacturer.</para>
5414
5415 <para>See also <link linkend="PRINTERDRIVERFILE"><parameter>printer
5416 driver file</parameter></link>.</para>
5417
5418 <para>Example: <command>printer driver = HP LaserJet 4L</command></para>
5419 </listitem>
5420 </varlistentry>
5421
5422
5423
5424 <varlistentry>
5425 <term><anchor id="PRINTERDRIVERFILE">printer driver file (G)</term>
5426 <listitem><para><emphasis>Note :</emphasis>This is a depreciated
5427 parameter and will be removed in the next major release
5428 following version 2.2. Please see the instructions in
5429 <filename>PRINTER_DRIVER2.txt</filename> in the <filename>docs
5430 </filename> of the Samba distribution for more information
5431 on the new method of loading printer drivers onto a Samba server.
5432 </para>
5433
5434 <para>This parameter tells Samba where the printer driver
5435 definition file, used when serving drivers to Windows 95 clients, is
5436 to be found. If this is not set, the default is :</para>
5437
5438 <para><filename><replaceable>SAMBA_INSTALL_DIRECTORY</replaceable>
5439 /lib/printers.def</filename></para>
5440
5441 <para>This file is created from Windows 95 <filename>msprint.inf
5442 </filename> files found on the Windows 95 client system. For more
5443 details on setting up serving of printer drivers to Windows 95
5444 clients, see the documentation file in the <filename>docs/</filename>
5445 directory, <filename>PRINTER_DRIVER.txt</filename>.</para>
5446
5447 <para>See also <link linkend="PRINTERDRIVERLOCATION"><parameter>
5448 printer driver location</parameter></link>.</para>
5449
5450 <para>Default: <emphasis>None (set in compile).</emphasis></para>
5451
5452 <para>Example: <command>printer driver file =
5453 /usr/local/samba/printers/drivers.def</command></para>
5454 </listitem>
5455 </varlistentry>
5456
5457
5458
5459
5460 <varlistentry>
5461 <term><anchor id="PRINTERDRIVERLOCATION">printer driver location (S)</term>
5462 <listitem><para><emphasis>Note :</emphasis>This is a depreciated
5463 parameter and will be removed in the next major release
5464 following version 2.2. Please see the instructions in
5465 <filename>PRINTER_DRIVER2.txt</filename> in the <filename>docs
5466 </filename> of the Samba distribution for more information
5467 on the new method of loading printer drivers onto a Samba server.
5468 </para>
5469
5470 <para>This parameter tells clients of a particular printer
5471 share where to find the printer driver files for the automatic
5472 installation of drivers for Windows 95 machines. If Samba is set up
5473 to serve printer drivers to Windows 95 machines, this should be set to</para>
5474
5475 <para><command>\\MACHINE\PRINTER$</command></para>
5476
5477 <para>Where MACHINE is the NetBIOS name of your Samba server,
5478 and PRINTER$ is a share you set up for serving printer driver
5479 files. For more details on setting this up see the documentation
5480 file in the <filename>docs/</filename> directory, <filename>
5481 PRINTER_DRIVER.txt</filename>.</para>
5482
5483 <para>See also <link linkend="PRINTERDRIVERFILE"><parameter>
5484 printer driver file</parameter></link>.</para>
5485
5486 <para>Default: <command>none</command></para>
5487 <para>Example: <command>printer driver location = \\MACHINE\PRINTER$
5488 </command></para>
5489 </listitem>
5490 </varlistentry>
5491
5492
5493
5494 <varlistentry>
5495 <term><anchor id="PRINTERNAME">printer name (S)</term>
5496 <listitem><para>This parameter specifies the name of the printer
5497 to which print jobs spooled through a printable service will be sent.</para>
5498
5499 <para>If specified in the [global] section, the printer
5500 name given will be used for any printable service that does
5501 not have its own printer name specified.</para>
5502
5503 <para>Default: <emphasis>none (but may be <constant>lp</constant>
5504 on many systems)</emphasis></para>
5505
5506 <para>Example: <command>printer name = laserwriter</command></para>
5507 </listitem>
5508 </varlistentry>
5509
5510
5511 <varlistentry>
5512 <term><anchor id="PRINTER">printer (S)</term>
5513 <listitem><para>Synonym for <link linkend="PRINTERNAME"><parameter>
5514 printer name</parameter></link>.</para>
5515 </listitem>
5516 </varlistentry>
5517
5518
5519
5520 <varlistentry>
5521 <term><anchor id="PRINTING">printing (S)</term>
5522 <listitem><para>This parameters controls how printer status
5523 information is interpreted on your system. It also affects the
5524 default values for the <parameter>print command</parameter>,
5525 <parameter>lpq command</parameter>, <parameter>lppause command
5526 </parameter>, <parameter>lpresume command</parameter>, and
5527 <parameter>lprm command</parameter> if specified in the
5528 [global]f> section.</para>
5529
5530 <para>Currently eight printing styles are supported. They are
5531 <constant>BSD</constant>, <constant>AIX</constant>,
5532 <constant>LPRNG</constant>, <constant>PLP</constant>,
5533 <constant>SYSV</constant>, <constant>HPUX</constant>,
5534 <constant>QNX</constant>, <constant>SOFTQ</constant>,
5535 and <constant>CUPS</constant>.</para>
5536
5537 <para>To see what the defaults are for the other print
5538 commands when using the various options use the <ulink
5539 url="testparm.1.html">testparm(1)</ulink> program.</para>
5540
5541 <para>This option can be set on a per printer basis</para>
5542
5543 <para>See also the discussion in the <link linkend="PRINTERSSECT">
5544 [printers]</link> section.</para>
5545 </listitem>
5546 </varlistentry>
5547
5548
5549
5550
5551 <varlistentry>
5552 <term><anchor id="PROTOCOL">protocol (G)</term>
5553 <listitem><para>Synonym for <link linkend="MAXPROTOCOL">
5554 <parameter>max protocol</parameter></link>.</para></listitem>
5555 </varlistentry>
5556
5557
5558
5559
5560 <varlistentry>
5561 <term><anchor id="PUBLIC">public (S)</term>
5562 <listitem><para>Synonym for <link linkend="GUESTOK"><parameter>guest
5563 ok</parameter></link>.</para>
5564 </listitem>
5565 </varlistentry>
5566
5567
5568
5569 <varlistentry>
5570 <term><anchor id="QUEUEPAUSECOMMAND">queuepause command (S)</term>
5571 <listitem><para>This parameter specifies the command to be
5572 executed on the server host in order to pause the printerqueue.</para>
5573
5574 <para>This command should be a program or script which takes
5575 a printer name as its only parameter and stops the printerqueue,
5576 such that no longer jobs are submitted to the printer.</para>
5577
5578 <para>This command is not supported by Windows for Workgroups,
5579 but can be issued from the Printer's window under Windows 95
5580 and NT.</para>
5581
5582 <para>If a <parameter>%p</parameter> is given then the printername
5583 is put in its place. Otherwise it is placed at the end of the command.
5584 </para>
5585
5586 <para>Note that it is good practice to include the absolute
5587 path in the command as the PATH may not be available to the
5588 server.</para>
5589
5590 <para>Default: <emphasis>depends on the setting of <parameter>printing
5591 </parameter></emphasis></para>
5592 <para>Example: <command>queuepause command = disable %p</command></para>
5593 </listitem>
5594 </varlistentry>
5595
5596
5597
5598 <varlistentry>
5599 <term><anchor id="QUEUERESUMECOMMAND">queueresume command (S)</term>
5600 <listitem><para>This parameter specifies the command to be
5601 executed on the server host in order to resume the printerqueue. It
5602 is the command to undo the behavior that is caused by the
5603 previous parameter (<link linkend="QUEUEPAUSECOMMAND"><parameter>
5604 queuepause command</parameter></link>).</para>
5605
5606 <para>This command should be a program or script which takes
5607 a printer name as its only parameter and resumes the printerqueue,
5608 such that queued jobs are resubmitted to the printer.</para>
5609
5610 <para>This command is not supported by Windows for Workgroups,
5611 but can be issued from the Printer's window under Windows 95
5612 and NT.</para>
5613
5614 <para>If a <parameter>%p</parameter> is given then the printername
5615 is put in its place. Otherwise it is placed at the end of the
5616 command.</para>
5617
5618 <para>Note that it is good practice to include the absolute
5619 path in the command as the PATH may not be available to the
5620 server.</para>
5621
5622 <para>Default: <emphasis>depends on the setting of <link
5623 linkend="PRINTING"><parameter>printing</parameter></link></emphasis>
5624 </para>
5625
5626 <para>Example: <command>queuepause command = enable %p
5627 </command></para>
5628 </listitem>
5629 </varlistentry>
5630
5631
5632
5633 <varlistentry>
5634 <term><anchor id="READBMPX">read bmpx (G)</term>
5635 <listitem><para>This boolean parameter controls whether <ulink
5636 url="smbd.8.html">smbd(8)</ulink> will support the "Read
5637 Block Multiplex" SMB. This is now rarely used and defaults to
5638 <constant>no</constant>. You should never need to set this
5639 parameter.</para>
5640
5641 <para>Default: <command>read bmpx = no</command></para>
5642 </listitem>
5643 </varlistentry>
5644
5645
5646
5647
5648 <varlistentry>
5649 <term><anchor id="READLIST">read list (S)</term>
5650 <listitem><para>This is a list of users that are given read-only
5651 access to a service. If the connecting user is in this list then
5652 they will not be given write access, no matter what the <link
5653 linkend="WRITEABLE"><parameter>writeable</parameter></link>
5654 option is set to. The list can include group names using the
5655 syntax described in the <link linkend="INVALIDUSERS"><parameter>
5656 invalid users</parameter></link> parameter.</para>
5657
5658 <para>See also the <link linkend="WRITELIST"><parameter>
5659 write list</parameter></link> parameter and the <link
5660 linkend="INVALIDUSERS"><parameter>invalid users</parameter>
5661 </link> parameter.</para>
5662
5663 <para>Default: <command>read list = &lt;empty string&gt;</command></para>
5664 <para>Example: <command>read list = mary, @students</command></para>
5665 </listitem>
5666 </varlistentry>
5667
5668
5669
5670 <varlistentry>
5671 <term><anchor id="READONLY">read only (S)</term>
5672 <listitem><para>Note that this is an inverted synonym for <link
5673 linkend="WRITEABLE"><parameter>writeable</parameter></link>.</para>
5674 </listitem>
5675 </varlistentry>
5676
5677
5678
5679 <varlistentry>
5680 <term><anchor id="READRAW">read raw (G)</term>
5681 <listitem><para>This parameter controls whether or not the server
5682 will support the raw read SMB requests when transferring data
5683 to clients.</para>
5684
5685 <para>If enabled, raw reads allow reads of 65535 bytes in
5686 one packet. This typically provides a major performance benefit.
5687 </para>
5688
5689 <para>However, some clients either negotiate the allowable
5690 block size incorrectly or are incapable of supporting larger block
5691 sizes, and for these clients you may need to disable raw reads.</para>
5692
5693 <para>In general this parameter should be viewed as a system tuning
5694 tool and left severely alone. See also <link linkend="WRITERAW">
5695 <parameter>write raw</parameter></link>.</para>
5696
5697 <para>Default: <command>read raw = yes</command></para>
5698 </listitem>
5699 </varlistentry>
5700
5701
5702 <varlistentry>
5703 <term><anchor id="READSIZE">read size (G)</term>
5704 <listitem><para>The option <parameter>read size</parameter>
5705 affects the overlap of disk reads/writes with network reads/writes.
5706 If the amount of data being transferred in several of the SMB
5707 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
5708 than this value then the server begins writing the data before it
5709 has received the whole packet from the network, or in the case of
5710 SMBreadbraw, it begins writing to the network before all the data
5711 has been read from disk.</para>
5712
5713 <para>This overlapping works best when the speeds of disk and
5714 network access are similar, having very little effect when the
5715 speed of one is much greater than the other.</para>
5716
5717 <para>The default value is 16384, but very little experimentation
5718 has been done yet to determine the optimal value, and it is likely
5719 that the best value will vary greatly between systems anyway.
5720 A value over 65536 is pointless and will cause you to allocate
5721 memory unnecessarily.</para>
5722
5723 <para>Default: <command>read size = 16384</command></para>
5724 <para>Example: <command>read size = 8192</command></para>
5725 </listitem>
5726 </varlistentry>
5727
5728
5729
5730 <varlistentry>
5731 <term><anchor id="REMOTEANNOUNCE">remote announce (G)</term>
5732 <listitem><para>This option allows you to setup <ulink
5733 url="nmbd.8.html">nmbd(8)</ulink> to periodically announce itself
5734 to arbitrary IP addresses with an arbitrary workgroup name.</para>
5735
5736 <para>This is useful if you want your Samba server to appear
5737 in a remote workgroup for which the normal browse propagation
5738 rules don't work. The remote workgroup can be anywhere that you
5739 can send IP packets to.</para>
5740
5741 <para>For example:</para>
5742
5743 <para><command>remote announce = 192.168.2.255/SERVERS
5744 192.168.4.255/STAFF</command></para>
5745
5746 <para>the above line would cause nmbd to announce itself
5747 to the two given IP addresses using the given workgroup names.
5748 If you leave out the workgroup name then the one given in
5749 the <link linkend="WORKGROUP"><parameter>workgroup</parameter></link>
5750 parameter is used instead.</para>
5751
5752 <para>The IP addresses you choose would normally be the broadcast
5753 addresses of the remote networks, but can also be the IP addresses
5754 of known browse masters if your network config is that stable.</para>
5755
5756 <para>See the documentation file <filename>BROWSING.txt</filename>
5757 in the <filename>docs/</filename> directory.</para>
5758
5759 <para>Default: <command>remote announce = &lt;empty string&gt;
5760 </command></para>
5761 </listitem>
5762 </varlistentry>
5763
5764
5765
5766 <varlistentry>
5767 <term><anchor id="REMOTEBROWSESYNC">remote browse sync (G)</term>
5768 <listitem><para>This option allows you to setup <ulink
5769 url="nmbd.8.html">nmbd(8)</ulink> to periodically request
5770 synchronization of browse lists with the master browser of a samba
5771 server that is on a remote segment. This option will allow you to
5772 gain browse lists for multiple workgroups across routed networks. This
5773 is done in a manner that does not work with any non-samba servers.</para>
5774
5775 <para>This is useful if you want your Samba server and all local
5776 clients to appear in a remote workgroup for which the normal browse
5777 propagation rules don't work. The remote workgroup can be anywhere
5778 that you can send IP packets to.</para>
5779
5780 <para>For example:</para>
5781
5782 <para><command>remote browse sync = 192.168.2.255 192.168.4.255
5783 </command></para>
5784
5785 <para>the above line would cause <command>nmbd</command> to request
5786 the master browser on the specified subnets or addresses to
5787 synchronize their browse lists with the local server.</para>
5788
5789 <para>The IP addresses you choose would normally be the broadcast
5790 addresses of the remote networks, but can also be the IP addresses
5791 of known browse masters if your network config is that stable. If
5792 a machine IP address is given Samba makes NO attempt to validate
5793 that the remote machine is available, is listening, nor that it
5794 is in fact the browse master on it's segment.</para>
5795
5796 <para>Default: <command>remote browse sync = &lt;empty string&gt;
5797 </command></para>
5798 </listitem>
5799 </varlistentry>
5800
5801
5802
5803 <varlistentry>
5804 <term><anchor id="RESTRICTANONYMOUS">restrict anonymous (G)</term>
5805 <listitem><para>This is a boolean parameter. If it is true, then
5806 anonymous access to the server will be restricted, namely in the
5807 case where the server is expecting the client to send a username,
5808 but it doesn't. Setting it to true will force these anonymous
5809 connections to be denied, and the client will be required to always
5810 supply a username and password when connecting. Use of this parameter
5811 is only recommended for homogeneous NT client environments.</para>
5812
5813 <para>This parameter makes the use of macro expansions that rely
5814 on the username (%U, %G, etc) consistent. NT 4.0
5815 likes to use anonymous connections when refreshing the share list,
5816 and this is a way to work around that.</para>
5817
5818 <para>When restrict anonymous is true, all anonymous connections
5819 are denied no matter what they are for. This can effect the ability
5820 of a machine to access the samba Primary Domain Controller to revalidate
5821 it's machine account after someone else has logged on the client
5822 interactively. The NT client will display a message saying that
5823 the machine's account in the domain doesn't exist or the password is
5824 bad. The best way to deal with this is to reboot NT client machines
5825 between interactive logons, using "Shutdown and Restart", rather
5826 than "Close all programs and logon as a different user".</para>
5827
5828 <para>Default: <command>restrict anonymous = no</command></para>
5829 </listitem>
5830 </varlistentry>
5831
5832
5833
5834 <varlistentry>
5835 <term><anchor id="ROOT">root (G)</term>
5836 <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
5837 <parameter>root directory"</parameter></link>.</para>
5838 </listitem>
5839 </varlistentry>
5840
5841
5842
5843 <varlistentry>
5844 <term><anchor id="ROOTDIR">root dir (G)</term>
5845 <listitem><para>Synonym for <link linkend="ROOTDIRECTORY">
5846 <parameter>root directory"</parameter></link>.</para>
5847 </listitem>
5848 </varlistentry>
5849
5850
5851 <varlistentry>
5852 <term><anchor id="ROOTDIRECTORY">root directory (G)</term>
5853 <listitem><para>The server will <command>chroot()</command> (i.e.
5854 Change it's root directory) to this directory on startup. This is
5855 not strictly necessary for secure operation. Even without it the
5856 server will deny access to files not in one of the service entries.
5857 It may also check for, and deny access to, soft links to other
5858 parts of the filesystem, or attempts to use ".." in file names
5859 to access other directories (depending on the setting of the <link
5860 linkend="WIDELINKS"><parameter>wide links</parameter></link>
5861 parameter).</para>
5862
5863 <para>Adding a <parameter>root directory</parameter> entry other
5864 than "/" adds an extra level of security, but at a price. It
5865 absolutely ensures that no access is given to files not in the
5866 sub-tree specified in the <parameter>root directory</parameter>
5867 option, <emphasis>including</emphasis> some files needed for
5868 complete operation of the server. To maintain full operability
5869 of the server you will need to mirror some system files
5870 into the <parameter>root directory</parameter> tree. In particular
5871 you will need to mirror <filename>/etc/passwd</filename> (or a
5872 subset of it), and any binaries or configuration files needed for
5873 printing (if required). The set of files that must be mirrored is
5874 operating system dependent.</para>
5875
5876 <para>Default: <command>root directory = /</command></para>
5877 <para>Example: <command>root directory = /homes/smb</command></para>
5878 </listitem>
5879 </varlistentry>
5880
5881
5882
5883 <varlistentry>
5884 <term><anchor id="ROOTPOSTEXEC">root postexec (S)</term>
5885 <listitem><para>This is the same as the <parameter>postexec</parameter>
5886 parameter except that the command is run as root. This
5887 is useful for unmounting filesystems
5888 (such as cdroms) after a connection is closed.</para>
5889
5890 <para>See also <link linkend="POSTEXEC"><parameter>
5891 postexec</parameter></link>.</para>
5892
5893 <para>Default: <command>root postexec = &lt;empty string&gt;
5894 </command></para>
5895 </listitem>
5896 </varlistentry>
5897
5898 <varlistentry>
5899 <term><anchor id="ROOTPREEXEC">root preexec (S)</term>
5900 <listitem><para>This is the same as the <parameter>preexec</parameter>
5901 parameter except that the command is run as root. This
5902 is useful for mounting filesystems (such as cdroms) after a
5903 connection is closed.</para>
5904
5905 <para>See also <link linkend="PREEXEC"><parameter>
5906 preexec</parameter></link> and <link linkend="PREEXECCLOSE">
5907 <parameter>preexec close</parameter></link>.</para>
5908
5909 <para>Default: <command>root preexec = &lt;empty string&gt;
5910 </command></para>
5911 </listitem>
5912 </varlistentry>
5913
5914
5915
5916 <varlistentry>
5917 <term><anchor id="ROOTPREEXECCLOSE">root preexec close (S)</term>
5918 <listitem><para>This is the same as the <parameter>preexec close
5919 </parameter> parameter except that the command is run as root.</para>
5920
5921 <para>See also <link linkend="PREEXEC"><parameter>
5922 preexec</parameter></link> and <link linkend="PREEXECCLOSE">
5923 <parameter>preexec close</parameter></link>.</para>
5924
5925 <para>Default: <command>root preexec close = no</command></para>
5926 </listitem>
5927 </varlistentry>
5928
5929
5930 <varlistentry>
5931 <term><anchor id="SECURITY">security (G)</term>
5932 <listitem><para>This option affects how clients respond to
5933 Samba and is one of the most important settings in the <filename>
5934 smb.conf</filename> file.</para>
5935
5936 <para>The option sets the "security mode bit" in replies to
5937 protocol negotiations with <ulink url="smbd.8.html">smbd(8)
5938 </ulink> to turn share level security on or off. Clients decide
5939 based on this bit whether (and how) to transfer user and password
5940 information to the server.</para>
5941
5942
5943 <para>The default is <command>security = user</command>, as this is
5944 the most common setting needed when talking to Windows 98 and
5945 Windows NT.</para>
5946
5947 <para>The alternatives are <command>security = share</command>,
5948 <command>security = server</command> or <command>security=domain
5949 </command>.</para>
5950
5951 <para>In versions of Samba prior to 2..0, the default was
5952 <command>security = share</command> mainly because that was
5953 the only option at one stage.</para>
5954
5955 <para>There is a bug in WfWg that has relevance to this
5956 setting. When in user or server level security a WfWg client
5957 will totally ignore the password you type in the "connect
5958 drive" dialog box. This makes it very difficult (if not impossible)
5959 to connect to a Samba service as anyone except the user that
5960 you are logged into WfWg as.</para>
5961
5962 <para>If your PCs use usernames that are the same as their
5963 usernames on the UNIX machine then you will want to use
5964 <command>security = user</command>. If you mostly use usernames
5965 that don't exist on the UNIX box then use <command>security =
5966 share</command>.</para>
5967
5968 <para>You should also use <command>security = share</command> if you
5969 want to mainly setup shares without a password (guest shares). This
5970 is commonly used for a shared printer server. It is more difficult
5971 to setup guest shares with <command>security = user</command>, see
5972 the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
5973 </link>parameter for details.</para>
5974
5975 <para>It is possible to use <command>smbd</command> in a <emphasis>
5976 hybrid mode</emphasis> where it is offers both user and share
5977 level security under different <link linkend="NETBIOSALIASES">
5978 <parameter>NetBIOS aliases</parameter></link>. </para>
5979
5980 <para>The different settings will now be explained.</para>
5981
5982
5983 <para><anchor id="SECURITYEQUALSSHARE"><emphasis>SECURITY = SHARE
5984 </emphasis></para>
5985
5986 <para>When clients connect to a share level security server then
5987 need not log onto the server with a valid username and password before
5988 attempting to connect to a shared resource (although modern clients
5989 such as Windows 95/98 and Windows NT will send a logon request with
5990 a username but no password when talking to a <command>security = share
5991 </command> server). Instead, the clients send authentication information
5992 (passwords) on a per-share basis, at the time they attempt to connect
5993 to that share.</para>
5994
5995 <para>Note that <command>smbd</command> <emphasis>ALWAYS</emphasis>
5996 uses a valid UNIX user to act on behalf of the client, even in
5997 <command>security = share</command> level security.</para>
5998
5999 <para>As clients are not required to send a username to the server
6000 in share level security, <command>smbd</command> uses several
6001 techniques to determine the correct UNIX user to use on behalf
6002 of the client.</para>
6003
6004 <para>A list of possible UNIX usernames to match with the given
6005 client password is constructed using the following methods :</para>
6006
6007 <itemizedlist>
6008 <listitem><para>If the <link linkend="GUESTONLY"><parameter>guest
6009 only</parameter></link> parameter is set, then all the other
6010 stages are missed and only the <link linkend="GUESTACCOUNT">
6011 <parameter>guest account</parameter></link> username is checked.
6012 </para></listitem>
6013
6014 <listitem><para>Is a username is sent with the share connection
6015 request, then this username (after mapping - see <link
6016 linkend="USERNAMEMAP"><parameter>username map</parameter></link>),
6017 is added as a potential username.</para></listitem>
6018
6019 <listitem><para>If the client did a previous <emphasis>logon
6020 </emphasis> request (the SessionSetup SMB call) then the
6021 username sent in this SMB will be added as a potential username.
6022 </para></listitem>
6023
6024 <listitem><para>The name of the service the client requested is
6025 added as a potential username.</para></listitem>
6026
6027 <listitem><para>The NetBIOS name of the client is added to
6028 the list as a potential username.</para></listitem>
6029
6030 <listitem><para>Any users on the <link linkend="USER"><parameter>
6031 user</parameter></link> list are added as potential usernames.
6032 </para></listitem>
6033 </itemizedlist>
6034
6035 <para>If the <parameter>guest only</parameter> parameter is
6036 not set, then this list is then tried with the supplied password.
6037 The first user for whom the password matches will be used as the
6038 UNIX user.</para>
6039
6040 <para>If the <parameter>guest only</parameter> parameter is
6041 set, or no username can be determined then if the share is marked
6042 as available to the <parameter>guest account</parameter>, then this
6043 guest user will be used, otherwise access is denied.</para>
6044
6045 <para>Note that it can be <emphasis>very</emphasis> confusing
6046 in share-level security as to which UNIX username will eventually
6047 be used in granting access.</para>
6048
6049 <para>See also the section <link linkend="VALIDATIONSECT">
6050 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
6051
6052 <para><anchor id="SECURITYEQUALSUSER"><emphasis>SECURIYT = USER
6053 </emphasis></para>
6054
6055 <para>This is the default security setting in Samba 2.2.
6056 With user-level security a client must first "log=on" with a
6057 valid username and password (which can be mapped using the <link
6058 linkend="USERNAMEMAP"><parameter>username map</parameter></link>
6059 parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
6060 <parameter>encrypted passwords</parameter></link> parameter) can also
6061 be used in this security mode. Parameters such as <link linkend="USER">
6062 <parameter>user</parameter></link> and <link linkend="GUESTONLY">
6063 <parameter>guest only</parameter></link> if set are then applied and
6064 may change the UNIX user to use on this connection, but only after
6065 the user has been successfully authenticated.</para>
6066
6067 <para><emphasis>Note</emphasis> that the name of the resource being
6068 requested is <emphasis>not</emphasis> sent to the server until after
6069 the server has successfully authenticated the client. This is why
6070 guest shares don't work in user level security without allowing
6071 the server to automatically map unknown users into the <link
6072 linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
6073 See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
6074 </link> parameter for details on doing this.</para>
6075
6076 <para>See also the section <link linkend="VALIDATIONSECT">
6077 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
6078
6079 <para><anchor id="SECURITYEQUALSSERVER"><emphasis>SECURITY = SERVER
6080 </emphasis></para>
6081
6082 <para>In this mode Samba will try to validate the username/password
6083 by passing it to another SMB server, such as an NT box. If this
6084 fails it will revert to <command>security = user</command>, but note
6085 that if encrypted passwords have been negotiated then Samba cannot
6086 revert back to checking the UNIX password file, it must have a valid
6087 <filename>smbpasswd</filename> file to check users against. See the
6088 documentation file in the <filename>docs/</filename> directory
6089 <filename>ENCRYPTION.txt</filename> for details on how to set this
6090 up.</para>
6091
6092 <para><emphasis>Note</emphasis> that from the clients point of
6093 view <command>security = server</command> is the same as <command>
6094 security = user</command>. It only affects how the server deals
6095 with the authentication, it does not in any way affect what the
6096 client sees.</para>
6097
6098 <para><emphasis>Note</emphasis> that the name of the resource being
6099 requested is <emphasis>not</emphasis> sent to the server until after
6100 the server has successfully authenticated the client. This is why
6101 guest shares don't work in user level security without allowing
6102 the server to automatically map unknown users into the <link
6103 linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
6104 See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
6105 </link> parameter for details on doing this.</para>
6106
6107 <para>See also the section <link linkend="VALIDATIONSECT">
6108 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
6109
6110 <para>See also the <link linkend="PASSWORDSERVER"><parameter>password
6111 server</parameter></link> parameter and the <link
6112 linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
6113 </link> parameter.</para>
6114
6115 <para><anchor id="SECURITYEQUALSDOMAIN"><emphasis>SECURITY = DOMAIN
6116 </emphasis></para>
6117
6118 <para>This mode will only work correctly if <ulink
6119 url="smbpasswd.8.html">smbpasswd(8)</ulink> has been used to add this
6120 machine into a Windows NT Domain. It expects the <link
6121 linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
6122 </link> parameter to be set to <constant>true</constant>. In this
6123 mode Samba will try to validate the username/password by passing
6124 it to a Windows NT Primary or Backup Domain Controller, in exactly
6125 the same way that a Windows NT Server would do.</para>
6126
6127 <para><emphasis>Note</emphasis> that a valid UNIX user must still
6128 exist as well as the account on the Domain Controller to allow
6129 Samba to have a valid UNIX account to map file access to.</para>
6130
6131 <para><emphasis>Note</emphasis> that from the clients point
6132 of view <command>security = domain</command> is the same as <command>security = user
6133 </command>. It only affects how the server deals with the authentication,
6134 it does not in any way affect what the client sees.</para>
6135
6136 <para><emphasis>Note</emphasis> that the name of the resource being
6137 requested is <emphasis>not</emphasis> sent to the server until after
6138 the server has successfully authenticated the client. This is why
6139 guest shares don't work in user level security without allowing
6140 the server to automatically map unknown users into the <link
6141 linkend="GUESTACCOUNT"><parameter>guest account</parameter></link>.
6142 See the <link linkend="MAPTOGUEST"><parameter>map to guest</parameter>
6143 </link> parameter for details on doing this.</para>
6144
6145 <para><emphasis>BUG:</emphasis> There is currently a bug in the
6146 implementation of <command>security = domain</command> with respect
6147 to multi-byte character set usernames. The communication with a
6148 Domain Controller must be done in UNICODE and Samba currently
6149 does not widen multi-byte user names to UNICODE correctly, thus
6150 a multi-byte username will not be recognized correctly at the
6151 Domain Controller. This issue will be addressed in a future release.</para>
6152
6153 <para>See also the section <link linkend="VALIDATIONSECT">
6154 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
6155
6156 <para>See also the <link linkend="PASSWORDSERVER"><parameter>password
6157 server</parameter></link> parameter and the <link
6158 linkend="ENCRYPTPASSWORDS"><parameter>encrypted passwords</parameter>
6159 </link> parameter.</para>
6160
6161 <para>Default: <command>security = USER</command></para>
6162 <para>Example: <command>security = DOMAIN</command></para>
6163 </listitem>
6164 </varlistentry>
6165
6166
6167
6168 <varlistentry>
6169 <term><anchor id="SECURITYMASK">security mask (S)</term>
6170 <listitem><para>This parameter controls what UNIX permission
6171 bits can be modified when a Windows NT client is manipulating
6172 the UNIX permission on a file using the native NT security
6173 dialog box.</para>
6174
6175 <para>This parameter is applied as a mask (AND'ed with) to
6176 the changed permission bits, thus preventing any bits not in
6177 this mask from being modified. Essentially, zero bits in this
6178 mask may be treated as a set of bits the user is not allowed
6179 to change.</para>
6180
6181 <para>If not set explicitly this parameter is set to the same
6182 value as the <link linkend="CREATEMASK"><parameter>create mask
6183 </parameter></link> parameter. To allow a user to modify all the
6184 user/group/world permissions on a file, set this parameter to
6185 0777.</para>
6186
6187 <para><emphasis>Note</emphasis> that users who can access the
6188 Samba server through other means can easily bypass this
6189 restriction, so it is primarily useful for standalone
6190 "appliance" systems. Administrators of most normal systems will
6191 probably want to set it to 0777.</para>
6192
6193 <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE">
6194 <parameter>force directory security mode</parameter></link>,
6195 <link linkend="DIRECTORYSECURITYMASK"><parameter>directory
6196 security mask</parameter></link>, <link linkend="FORCESECURITYMODE">
6197 <parameter>force security mode</parameter></link> parameters.</para>
6198
6199 <para>Default: <command>security mask = &lt;same as create mask&gt;
6200 </command></para>
6201 <para>Example: <command>security mask = 0777</command></para>
6202 </listitem>
6203 </varlistentry>
6204
6205
6206 <varlistentry>
6207 <term><anchor id="SERVERSTRING">server string (G)</term>
6208 <listitem><para>This controls what string will show up in the
6209 printer comment box in print manager and next to the IPC connection
6210 in <command>net view"</command>. It can be any string that you wish
6211 to show to your users.</para>
6212
6213 <para>It also sets what will appear in browse lists next
6214 to the machine name.</para>
6215
6216 <para>A <parameter>%v</parameter> will be replaced with the Samba
6217 version number.</para>
6218
6219 <para>A <parameter>%h</parameter> will be replaced with the
6220 hostname.</para>
6221
6222 <para>Default: <command>server string = Samba %v</command></para>
6223
6224 <para>Example: <command>server string = University of GNUs Samba
6225 Server</command></para>
6226 </listitem>
6227 </varlistentry>
6228
6229
6230
6231 <varlistentry>
6232 <term><anchor id="SETDIRECTORY">set directory (S)</term>
6233 <listitem><para>If <command>set directory = no</command>, then
6234 users of the service may not use the setdir command to change
6235 directory.</para>
6236
6237 <para>The <command>setdir</command> command is only implemented
6238 in the Digital Pathworks client. See the Pathworks documentation
6239 for details.</para>
6240
6241 <para>Default: <command>set directory = no</command></para>
6242 </listitem>
6243 </varlistentry>
6244
6245
6246
6247
6248 <varlistentry>
6249 <term><anchor id="SHAREMODES">share modes (S)</term>
6250 <listitem><para>This enables or disables the honoring of
6251 the <parameter>share modes</parameter> during a file open. These
6252 modes are used by clients to gain exclusive read or write access
6253 to a file.</para>
6254
6255 <para>These open modes are not directly supported by UNIX, so
6256 they are simulated using shared memory, or lock files if your
6257 UNIX doesn't support shared memory (almost all do).</para>
6258
6259 <para>The share modes that are enabled by this option are
6260 <constant>DENY_DOS</constant>, <constant>DENY_ALL</constant>,
6261 <constant>DENY_READ</constant>, <constant>DENY_WRITE</constant>,
6262 <constant>DENY_NONE</constant> and <constant>DENY_FCB</constant>.
6263 </para>
6264
6265 <para>This option gives full share compatibility and enabled
6266 by default.</para>
6267
6268 <para>You should <emphasis>NEVER</emphasis> turn this parameter
6269 off as many Windows applications will break if you do so.</para>
6270
6271 <para>Default: <command>share modes = yes</command></para>
6272 </listitem>
6273 </varlistentry>
6274
6275
6276
6277
6278 <varlistentry>
6279 <term><anchor id="SHORTPRESERVECASE">short preserve case (S)</term>
6280 <listitem><para>This boolean parameter controls if new files
6281 which conform to 8.3 syntax, that is all in upper case and of
6282 suitable length, are created upper case, or if they are forced
6283 to be the <link linkend="DEFAULTCASE"><parameter>default case
6284 </parameter></link>. This option can be use with <link
6285 linkend="PRESERVECASE"><command>preserve case = yes</command>
6286 </link> to permit long filenames to retain their case, while short
6287 names are lowered. </para>
6288
6289 <para>See the section on <link linkend="NAMEMANGLINGSECT">
6290 NAME MANGLING</link>.</para>
6291
6292 <para>Default: <command>short preserve case = yes</command></para>
6293 </listitem>
6294 </varlistentry>
6295
6296
6297
6298 <varlistentry>
6299 <term><anchor id="SHOWADDPRINTERWIZARD">show add printer wizard (G)</term>
6300 <listitem><para>With the introduction of MS-RPC based printing support
6301 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
6302 appear on Samba hosts in the share listing. Normally this folder will
6303 contain an icon for the MS Add Printer Wizard (APW). However, it is
6304 possible to disable this feature regardless of the level of privilege
6305 of the connected user.</para>
6306
6307 <para>Under normal circumstances, the Windows NT/2000 client will
6308 open a handle on the printer server with OpenPrinterEx() asking for
6309 Administrator privileges. If the user does not have administrative
6310 access on the print server (i.e is not root or a member of the
6311 <parameter>printer admin</parameter> group), the OpenPrinterEx()
6312 call fails and the clients another open call with a request for
6313 a lower privilege level. This should succeed, however the APW
6314 icon will not be displayed.</para>
6315
6316 <para>Disabling the <parameter>show add printer wizard</parameter>
6317 parameter will always cause the OpenPrinterEx() on the server
6318 to fail. Thus the APW icon will never be displayed. <emphasis>
6319 Note :</emphasis>This does not prevent the same user from having
6320 administrative privilege on an individual printer.</para>
6321
6322 <para>See also <link linkend="ADDPRINTERCOMMAND"><parameter>addprinter
6323 command</parameter></link>, <link linkend="DELETEPRINTERCOMMAND">
6324 <parameter>deleteprinter command</parameter></link>, <link
6325 linkend="PRINTERADMIN"><parameter>printer admin</parameter></link></para>
6326
6327 <para>Default :<command>show add printer wizard = yes</command></para>
6328 </listitem>
6329 </varlistentry>
6330
6331
6332
6333
6334 <varlistentry>
6335 <term><anchor id="SMBPASSWDFILE">smb passwd file (G)</term>
6336 <listitem><para>This option sets the path to the encrypted
6337 smbpasswd file. By default the path to the smbpasswd file
6338 is compiled into Samba.</para>
6339
6340 <para>Default: <command>smb passwd file = ${prefix}/private/smbpasswd
6341 </command></para>
6342
6343 <para>Example: <command>smb passwd file = /etc/samba/smbpasswd
6344 </command></para>
6345 </listitem>
6346 </varlistentry>
6347
6348
6349
6350 <varlistentry>
6351 <term><anchor id="SMBRUN">smbrun (G)</term>
6352 <listitem><para>This sets the full path to the <command>smbrun
6353 </command> binary. This defaults to the value in the <filename>
6354 Makefile</filename>.</para>
6355
6356 <para>You must get this path right for many services
6357 to work correctly.</para>
6358
6359 <para>You should not need to change this parameter so
6360 long as Samba is installed correctly.</para>
6361
6362 <para>Default: <command>smbrun = ${prefix}/private/bin/smbrun
6363 </command></para>
6364
6365 <para>Example: <command>smbrun = /usr/local/samba/bin/smbrun
6366 </command></para>
6367 </listitem>
6368 </varlistentry>
6369
6370
6371
6372 <varlistentry>
6373 <term><anchor id="SOCKETADDRESS">socket address (G)</term>
6374 <listitem><para>This option allows you to control what
6375 address Samba will listen for connections on. This is used to
6376 support multiple virtual interfaces on the one server, each
6377 with a different configuration.</para>
6378
6379 <para>By default samba will accept connections on any
6380 address.</para>
6381
6382 <para>Example: <command>socket address = 192.168.2.20</command>
6383 </para>
6384 </listitem>
6385 </varlistentry>
6386
6387
6388
6389 <varlistentry>
6390 <term><anchor id="SOCKETOPTIONS">socket options (G)</term>
6391 <listitem><para>This option allows you to set socket options
6392 to be used when talking with the client.</para>
6393
6394 <para>Socket options are controls on the networking layer
6395 of the operating systems which allow the connection to be
6396 tuned.</para>
6397
6398 <para>This option will typically be used to tune your Samba
6399 server for optimal performance for your local network. There is
6400 no way that Samba can know what the optimal parameters are for
6401 your net, so you must experiment and choose them yourself. We
6402 strongly suggest you read the appropriate documentation for your
6403 operating system first (perhaps <command>man setsockopt</command>
6404 will help).</para>
6405
6406 <para>You may find that on some systems Samba will say
6407 "Unknown socket option" when you supply an option. This means you
6408 either incorrectly typed it or you need to add an include file
6409 to includes.h for your OS. If the latter is the case please
6410 send the patch to <ulink url="mailto:samba@samba.org">
6411 samba@samba.org</ulink>.</para>
6412
6413 <para>Any of the supported socket options may be combined
6414 in any way you like, as long as your OS allows it.</para>
6415
6416 <para>This is the list of socket options currently settable
6417 using this option:</para>
6418
6419 <itemizedlist>
6420 <listitem><para>SO_KEEPALIVE</para></listitem>
6421 <listitem><para>SO_REUSEADDR</para></listitem>
6422 <listitem><para>SO_BROADCAST</para></listitem>
6423 <listitem><para>TCP_NODELAY</para></listitem>
6424 <listitem><para>IPTOS_LOWDELAY</para></listitem>
6425 <listitem><para>IPTOS_THROUGHPUT</para></listitem>
6426 <listitem><para>SO_SNDBUF *</para></listitem>
6427 <listitem><para>SO_RCVBUF *</para></listitem>
6428 <listitem><para>SO_SNDLOWAT *</para></listitem>
6429 <listitem><para>SO_RCVLOWAT *</para></listitem>
6430 </itemizedlist>
6431
6432 <para>Those marked with a <emphasis>'*'</emphasis> take an integer
6433 argument. The others can optionally take a 1 or 0 argument to enable
6434 or disable the option, by default they will be enabled if you
6435 don't specify 1 or 0.</para>
6436
6437 <para>To specify an argument use the syntax SOME_OPTION=VALUE
6438 for example <command>SO_SNDBUF=8192</command>. Note that you must
6439 not have any spaces before or after the = sign.</para>
6440
6441 <para>If you are on a local network then a sensible option
6442 might be</para>
6443 <para><command>socket options = IPTOS_LOWDELAY</command></para>
6444
6445 <para>If you have a local network then you could try:</para>
6446 <para><command>socket options = IPTOS_LOWDELAY TCP_NODELAY</command></para>
6447
6448 <para>If you are on a wide area network then perhaps try
6449 setting IPTOS_THROUGHPUT. </para>
6450
6451 <para>Note that several of the options may cause your Samba
6452 server to fail completely. Use these options with caution!</para>
6453
6454 <para>Default: <command>socket options = TCP_NODELAY</command></para>
6455 <para>Example: <command>socket options = IPTOS_LOWDELAY</command></para>
6456 </listitem>
6457 </varlistentry>
6458
6459
6460
6461
6462 <varlistentry>
6463 <term><anchor id="SOURCEENVIRONMENT">source environment (G)</term>
6464 <listitem><para>This parameter causes Samba to set environment
6465 variables as per the content of the file named.</para>
6466
6467 <para>If the value of this parameter starts with a "|" character
6468 then Samba will treat that value as a pipe command to open and
6469 will set the environment variables from the output of the pipe.</para>
6470
6471 <para>The contents of the file or the output of the pipe should
6472 be formatted as the output of the standard Unix <command>env(1)
6473 </command> command. This is of the form :</para>
6474 <para>Example environment entry:</para>
6475 <para><command>SAMBA_NETBIOS_NAME=myhostname</command></para>
6476
6477 <para>Default: <emphasis>No default value</emphasis></para>
6478 <para>Examples: <command>source environment = |/etc/smb.conf.sh
6479 </command></para>
6480
6481 <para>Example: <command>source environment =
6482 /usr/local/smb_env_vars</command></para>
6483 </listitem>
6484 </varlistentry>
6485
6486
6487
6488 <varlistentry>
6489 <term><anchor id="SSL">ssl (G)</term>
6490 <listitem><para>This variable is part of SSL-enabled Samba. This
6491 is only available if the SSL libraries have been compiled on your
6492 system and the configure option <command>--with-ssl</command> was
6493 given at configure time.</para>
6494
6495 <para><emphasis>Note</emphasis> that for export control reasons
6496 this code is <emphasis>NOT</emphasis> enabled by default in any
6497 current binary version of Samba.</para>
6498
6499 <para>This variable enables or disables the entire SSL mode. If
6500 it is set to <constant>no</constant>, the SSL enabled samba behaves
6501 exactly like the non-SSL samba. If set to <constant>yes</constant>,
6502 it depends on the variables <link linkend="SSLHOSTS"><parameter>
6503 ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN">
6504 <parameter>ssl hosts resign</parameter></link> whether an SSL
6505 connection will be required.</para>
6506
6507 <para>Default: <command>ssl=no</command></para>
6508 </listitem>
6509 </varlistentry>
6510
6511
6512
6513 <varlistentry>
6514 <term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term>
6515 <listitem><para>This variable is part of SSL-enabled Samba. This
6516 is only available if the SSL libraries have been compiled on your
6517 system and the configure option <command>--with-ssl</command> was
6518 given at configure time.</para>
6519
6520 <para><emphasis>Note</emphasis> that for export control reasons
6521 this code is <emphasis>NOT</emphasis> enabled by default in any
6522 current binary version of Samba.</para>
6523
6524 <para>This variable defines where to look up the Certification
6525 Authorities. The given directory should contain one file for
6526 each CA that samba will trust. The file name must be the hash
6527 value over the "Distinguished Name" of the CA. How this directory
6528 is set up is explained later in this document. All files within the
6529 directory that don't fit into this naming scheme are ignored. You
6530 don't need this variable if you don't verify client certificates.</para>
6531
6532 <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs
6533 </command></para>
6534 </listitem>
6535 </varlistentry>
6536
6537
6538
6539 <varlistentry>
6540 <term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term>
6541 <listitem><para>This variable is part of SSL-enabled Samba. This
6542 is only available if the SSL libraries have been compiled on your
6543 system and the configure option <command>--with-ssl</command> was
6544 given at configure time.</para>
6545
6546 <para><emphasis>Note</emphasis> that for export control reasons
6547 this code is <emphasis>NOT</emphasis> enabled by default in any
6548 current binary version of Samba.</para>
6549
6550 <para>This variable is a second way to define the trusted CAs.
6551 The certificates of the trusted CAs are collected in one big
6552 file and this variable points to the file. You will probably
6553 only use one of the two ways to define your CAs. The first choice is
6554 preferable if you have many CAs or want to be flexible, the second
6555 is preferable if you only have one CA and want to keep things
6556 simple (you won't need to create the hashed file names). You
6557 don't need this variable if you don't verify client certificates.</para>
6558
6559 <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
6560 </command></para>
6561 </listitem>
6562 </varlistentry>
6563
6564
6565
6566 <varlistentry>
6567 <term><anchor id="SSLCIPHERS">ssl ciphers (G)</term>
6568 <listitem><para>This variable is part of SSL-enabled Samba. This
6569 is only available if the SSL libraries have been compiled on your
6570 system and the configure option <command>--with-ssl</command> was
6571 given at configure time.</para>
6572
6573 <para><emphasis>Note</emphasis> that for export control reasons
6574 this code is <emphasis>NOT</emphasis> enabled by default in any
6575 current binary version of Samba.</para>
6576
6577 <para>This variable defines the ciphers that should be offered
6578 during SSL negotiation. You should not set this variable unless
6579 you know what you are doing.</para>
6580 </listitem>
6581 </varlistentry>
6582
6583
6584 <varlistentry>
6585 <term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term>
6586 <listitem><para>This variable is part of SSL-enabled Samba. This
6587 is only available if the SSL libraries have been compiled on your
6588 system and the configure option <command>--with-ssl</command> was
6589 given at configure time.</para>
6590
6591 <para><emphasis>Note</emphasis> that for export control reasons
6592 this code is <emphasis>NOT</emphasis> enabled by default in any
6593 current binary version of Samba.</para>
6594
6595 <para>The certificate in this file is used by <ulink url="smbclient.1.html">
6596 <command>smbclient(1)</command></ulink> if it exists. It's needed
6597 if the server requires a client certificate.</para>
6598
6599 <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem
6600 </command></para>
6601 </listitem>
6602 </varlistentry>
6603
6604
6605
6606 <varlistentry>
6607 <term><anchor id="SSLCLIENTKEY">ssl client key (G)</term>
6608 <listitem><para>This variable is part of SSL-enabled Samba. This
6609 is only available if the SSL libraries have been compiled on your
6610 system and the configure option <command>--with-ssl</command> was
6611 given at configure time.</para>
6612
6613 <para><emphasis>Note</emphasis> that for export control reasons
6614 this code is <emphasis>NOT</emphasis> enabled by default in any
6615 current binary version of Samba.</para>
6616
6617 <para>This is the private key for <ulink url="smbclient.1.html">
6618 <command>smbclient(1)</command></ulink>. It's only needed if the
6619 client should have a certificate. </para>
6620
6621 <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem
6622 </command></para>
6623 </listitem>
6624 </varlistentry>
6625
6626
6627
6628 <varlistentry>
6629 <term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term>
6630 <listitem><para>This variable is part of SSL-enabled Samba. This
6631 is only available if the SSL libraries have been compiled on your
6632 system and the configure option <command>--with-ssl</command> was
6633 given at configure time.</para>
6634
6635 <para><emphasis>Note</emphasis> that for export control reasons
6636 this code is <emphasis>NOT</emphasis> enabled by default in any
6637 current binary version of Samba.</para>
6638
6639 <para>This variable defines whether SSLeay should be configured
6640 for bug compatibility with other SSL implementations. This is
6641 probably not desirable because currently no clients with SSL
6642 implementations other than SSLeay exist.</para>
6643
6644 <para>Default: <command>ssl compatibility = no</command></para>
6645 </listitem>
6646 </varlistentry>
6647
6648
6649 <varlistentry>
6650 <term><anchor id="SSLHOSTS">ssl hosts (G)</term>
6651 <listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter>
6652 ssl hosts resign</parameter></link>.</para>
6653 </listitem>
6654 </varlistentry>
6655
6656
6657 <varlistentry>
6658 <term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term>
6659 <listitem><para>This variable is part of SSL-enabled Samba. This
6660 is only available if the SSL libraries have been compiled on your
6661 system and the configure option <command>--with-ssl</command> was
6662 given at configure time.</para>
6663
6664 <para><emphasis>Note</emphasis> that for export control reasons
6665 this code is <emphasis>NOT</emphasis> enabled by default in any
6666 current binary version of Samba.</para>
6667
6668 <para>These two variables define whether samba will go
6669 into SSL mode or not. If none of them is defined, samba will
6670 allow only SSL connections. If the <link linkend="SSLHOSTS">
6671 <parameter>ssl hosts</parameter></link> variable lists
6672 hosts (by IP-address, IP-address range, net group or name),
6673 only these hosts will be forced into SSL mode. If the <parameter>
6674 ssl hosts resign</parameter> variable lists hosts, only these
6675 hosts will NOT be forced into SSL mode. The syntax for these two
6676 variables is the same as for the <link linkend="HOSTSALLOW"><parameter>
6677 hosts allow</parameter></link> and <link linkend="HOSTSDENY">
6678 <parameter>hosts deny</parameter></link> pair of variables, only
6679 that the subject of the decision is different: It's not the access
6680 right but whether SSL is used or not. </para>
6681
6682 <para>The example below requires SSL connections from all hosts
6683 outside the local net (which is 192.168.*.*).</para>
6684
6685 <para>Default: <command>ssl hosts = &lt;empty string&gt;</command></para>
6686 <para><command>ssl hosts resign = &lt;empty string&gt;</command></para>
6687
6688 <para>Example: <command>ssl hosts resign = 192.168.</command></para>
6689 </listitem>
6690 </varlistentry>
6691
6692
6693
6694 <varlistentry>
6695 <term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term>
6696 <listitem><para>This variable is part of SSL-enabled Samba. This
6697 is only available if the SSL libraries have been compiled on your
6698 system and the configure option <command>--with-ssl</command> was
6699 given at configure time.</para>
6700
6701 <para><emphasis>Note</emphasis> that for export control reasons
6702 this code is <emphasis>NOT</emphasis> enabled by default in any
6703 current binary version of Samba.</para>
6704
6705 <para>If this variable is set to <constant>yes</constant>, the
6706 server will not tolerate connections from clients that don't
6707 have a valid certificate. The directory/file given in <link
6708 linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter>
6709 </link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile
6710 </parameter></link> will be used to look up the CAs that issued
6711 the client's certificate. If the certificate can't be verified
6712 positively, the connection will be terminated. If this variable
6713 is set to <constant>no</constant>, clients don't need certificates.
6714 Contrary to web applications you really <emphasis>should</emphasis>
6715 require client certificates. In the web environment the client's
6716 data is sensitive (credit card numbers) and the server must prove
6717 to be trustworthy. In a file server environment the server's data
6718 will be sensitive and the clients must prove to be trustworthy.</para>
6719
6720 <para>Default: <command>ssl require clientcert = no</command></para>
6721 </listitem>
6722 </varlistentry>
6723
6724
6725
6726 <varlistentry>
6727 <term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term>
6728 <listitem><para>This variable is part of SSL-enabled Samba. This
6729 is only available if the SSL libraries have been compiled on your
6730 system and the configure option <command>--with-ssl</command> was
6731 given at configure time.</para>
6732
6733 <para><emphasis>Note</emphasis> that for export control reasons
6734 this code is <emphasis>NOT</emphasis> enabled by default in any
6735 current binary version of Samba.</para>
6736
6737 <para>If this variable is set to <constant>yes</constant>, the
6738 <ulink url="smbclient.1.html"><command>smbclient(1)</command>
6739 </ulink> will request a certificate from the server. Same as
6740 <link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require
6741 clientcert</parameter></link> for the server.</para>
6742
6743 <para>Default: <command>ssl require servercert = no</command>
6744 </para>
6745 </listitem>
6746 </varlistentry>
6747
6748 <varlistentry>
6749 <term><anchor id="SSLSERVERCERT">ssl server cert (G)</term>
6750 <listitem><para>This variable is part of SSL-enabled Samba. This
6751 is only available if the SSL libraries have been compiled on your
6752 system and the configure option <command>--with-ssl</command> was
6753 given at configure time.</para>
6754
6755 <para><emphasis>Note</emphasis> that for export control reasons
6756 this code is <emphasis>NOT</emphasis> enabled by default in any
6757 current binary version of Samba.</para>
6758
6759 <para>This is the file containing the server's certificate.
6760 The server <emphasis>must</emphasis> have a certificate. The
6761 file may also contain the server's private key. See later for
6762 how certificates and private keys are created.</para>
6763
6764 <para>Default: <command>ssl server cert = &lt;empty string&gt;
6765 </command></para>
6766 </listitem>
6767 </varlistentry>
6768
6769
6770 <varlistentry>
6771 <term><anchor id="SSLSERVERKEY">ssl server key (G)</term>
6772 <listitem><para>This variable is part of SSL-enabled Samba. This
6773 is only available if the SSL libraries have been compiled on your
6774 system and the configure option <command>--with-ssl</command> was
6775 given at configure time.</para>
6776
6777 <para><emphasis>Note</emphasis> that for export control reasons
6778 this code is <emphasis>NOT</emphasis> enabled by default in any
6779 current binary version of Samba.</para>
6780
6781 <para>This file contains the private key of the server. If
6782 this variable is not defined, the key is looked up in the
6783 certificate file (it may be appended to the certificate).
6784 The server <emphasis>must</emphasis> have a private key
6785 and the certificate <emphasis>must</emphasis>
6786 match this private key.</para>
6787
6788 <para>Default: <command>ssl server key = &lt;empty string&gt;
6789 </command></para>
6790 </listitem>
6791 </varlistentry>
6792
6793
6794 <varlistentry>
6795 <term><anchor id="SSLVERSION">ssl version (G)</term>
6796 <listitem><para>This variable is part of SSL-enabled Samba. This
6797 is only available if the SSL libraries have been compiled on your
6798 system and the configure option <command>--with-ssl</command> was
6799 given at configure time.</para>
6800
6801 <para><emphasis>Note</emphasis> that for export control reasons
6802 this code is <emphasis>NOT</emphasis> enabled by default in any
6803 current binary version of Samba.</para>
6804
6805 <para>This enumeration variable defines the versions of the
6806 SSL protocol that will be used. <constant>ssl2or3</constant> allows
6807 dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results
6808 in SSL v2, <constant>ssl3</constant> results in SSL v3 and
6809 <constant>tls1</constant> results in TLS v1. TLS (Transport Layer
6810 Security) is the new standard for SSL.</para>
6811
6812 <para>Default: <command>ssl version = "ssl2or3"</command></para>
6813 </listitem>
6814 </varlistentry>
6815
6816
6817
6818 <varlistentry>
6819 <term><anchor id="STATCACHE">stat cache (G)</term>
6820 <listitem><para>This parameter determines if <ulink
6821 url="smbd.8.html">smbd(8)</ulink> will use a cache in order to
6822 speed up case insensitive name mappings. You should never need
6823 to change this parameter.</para>
6824
6825 <para>Default: <command>stat cache = yes</command></para>
6826 </listitem>
6827 </varlistentry>
6828
6829 <varlistentry>
6830 <term><anchor id="STATCACHESIZE">stat cache size (G)</term>
6831 <listitem><para>This parameter determines the number of
6832 entries in the <parameter>stat cache</parameter>. You should
6833 never need to change this parameter.</para>
6834
6835 <para>Default: <command>stat cache size = 50</command></para>
6836 </listitem>
6837 </varlistentry>
6838
6839
6840
6841 <varlistentry>
6842 <term><anchor id="STATUS">status (G)</term>
6843 <listitem><para>This enables or disables logging of connections
6844 to a status file that <ulink url="smbstatus.1.html">smbstatus(1)</ulink>
6845 can read.</para>
6846
6847 <para>With this disabled <command>smbstatus</command> won't be able
6848 to tell you what connections are active. You should never need to
6849 change this parameter.</para>
6850
6851 <para>Default: <command>status = yes</command></para>
6852 </listitem>
6853 </varlistentry>
6854
6855
6856
6857 <varlistentry>
6858 <term><anchor id="STRICTLOCKING">strict locking (S)</term>
6859 <listitem><para>This is a boolean that controls the handling of
6860 file locking in the server. When this is set to <constant>yes</constant>
6861 the server will check every read and write access for file locks, and
6862 deny access if locks exist. This can be slow on some systems.</para>
6863
6864 <para>When strict locking is <constant>no</constant> the server does file
6865 lock checks only when the client explicitly asks for them.</para>
6866
6867 <para>Well behaved clients always ask for lock checks when it
6868 is important, so in the vast majority of cases <command>strict
6869 locking = no</command> is preferable.</para>
6870
6871 <para>Default: <command>strict locking = no</command></para>
6872 </listitem>
6873 </varlistentry>
6874
6875
6876
6877 <varlistentry>
6878 <term><anchor id="STRICTSYNC">strict sync (S)</term>
6879 <listitem><para>Many Windows applications (including the Windows
6880 98 explorer shell) seem to confuse flushing buffer contents to
6881 disk with doing a sync to disk. Under UNIX, a sync call forces
6882 the process to be suspended until the kernel has ensured that
6883 all outstanding data in kernel disk buffers has been safely stored
6884 onto stable storage. This is very slow and should only be done
6885 rarely. Setting this parameter to <constant>no</constant> (the
6886 default) means that smbd ignores the Windows applications requests for
6887 a sync call. There is only a possibility of losing data if the
6888 operating system itself that Samba is running on crashes, so there is
6889 little danger in this default setting. In addition, this fixes many
6890 performance problems that people have reported with the new Windows98
6891 explorer shell file copies.</para>
6892
6893 <para>See also the <link linkend="SYNCALWAYS"><parameter>sync
6894 always></parameter></link> parameter.</para>
6895
6896 <para>Default: <command>strict sync = no</command></para>
6897 </listitem>
6898 </varlistentry>
6899
6900
6901 <varlistentry>
6902 <term><anchor id="STRIPDOT">strip dot (G)</term>
6903 <listitem><para>This is a boolean that controls whether to
6904 strip trailing dots off UNIX filenames. This helps with some
6905 CDROMs that have filenames ending in a single dot.</para>
6906
6907 <para>Default: <command>strip dot = no</command></para>
6908 </listitem>
6909 </varlistentry>
6910
6911
6912
6913 <varlistentry>
6914 <term><anchor id="SYNCALWAYS">sync always (S)</term>
6915 <listitem><para>This is a boolean parameter that controls
6916 whether writes will always be written to stable storage before
6917 the write call returns. If this is false then the server will be
6918 guided by the client's request in each write call (clients can
6919 set a bit indicating that a particular write should be synchronous).
6920 If this is true then every write will be followed by a <command>fsync()
6921 </command> call to ensure the data is written to disk. Note that
6922 the <parameter>strict sync</parameter> parameter must be set to
6923 <constant>yes</constant> in order for this parameter to have
6924 any affect.</para>
6925
6926 <para>See also the <link linkend="STRICTSYNC"><parameter>strict
6927 sync</parameter></link> parameter.</para>
6928
6929 <para>Default: <command>sync always = no</command></para>
6930 </listitem>
6931 </varlistentry>
6932
6933
6934
6935 <varlistentry>
6936 <term><anchor id="SYSLOG">syslog (G)</term>
6937 <listitem><para>This parameter maps how Samba debug messages
6938 are logged onto the system syslog logging levels. Samba debug
6939 level zero maps onto syslog <constant>LOG_ERR</constant>, debug
6940 level one maps onto <constant>LOG_WARNING</constant>, debug level
6941 two maps onto <constant>LOG_NOTICE</constant>, debug level three
6942 maps onto LOG_INFO. All higher levels are mapped to <constant>
6943 LOG_DEBUG</constant>.</para>
6944
6945 <para>This parameter sets the threshold for sending messages
6946 to syslog. Only messages with debug level less than this value
6947 will be sent to syslog.</para>
6948
6949 <para>Default: <command>syslog = 1</command></para>
6950 </listitem>
6951 </varlistentry>
6952
6953
6954
6955 <varlistentry>
6956 <term><anchor id="SYSLOGONLY">syslog only (G)</term>
6957 <listitem><para>If this parameter is set then Samba debug
6958 messages are logged into the system syslog only, and not to
6959 the debug log files.</para>
6960
6961 <para>Default: <command>syslog only = no</command></para>
6962 </listitem>
6963 </varlistentry>
6964
6965
6966
6967 <varlistentry>
6968 <term><anchor id="TEMPLATEHOMEDIR">template homedir (G)</term>
6969 <listitem><para><emphasis>NOTE:</emphasis> this parameter is
6970 only available in Samba 3.0.</para>
6971
6972 <para>When filling out the user information for a Windows NT
6973 user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
6974 uses this parameter to fill in the home directory for that user.
6975 If the string <parameter>%D</parameter> is present it is substituted
6976 with the user's Windows NT domain name. If the string <parameter>%U
6977 </parameter> is present it is substituted with the user's Windows
6978 NT user name.</para>
6979
6980 <para>Default: <command>template homedir = /home/%D/%U</command></para>
6981 </listitem>
6982 </varlistentry>
6983
6984
6985
6986 <varlistentry>
6987 <term><anchor id="TEMPLATESHELL">template shell (G)</term>
6988 <listitem><para><emphasis>NOTE:</emphasis> this parameter is
6989 only available in Samba 3.0.</para>
6990
6991 <para>When filling out the user information for a Windows NT
6992 user, the <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon
6993 uses this parameter to fill in the login shell for that user.</para>
6994
6995 <para>Default: <command>template shell = /bin/false</command></para>
6996 </listitem>
6997 </varlistentry>
6998
6999
7000
7001 <varlistentry>
7002 <term><anchor id="TIMEOFFSET">time offset (G)</term>
7003 <listitem><para>This parameter is a setting in minutes to add
7004 to the normal GMT to local time conversion. This is useful if
7005 you are serving a lot of PCs that have incorrect daylight
7006 saving time handling.</para>
7007
7008 <para>Default: <command>time offset = 0</command></para>
7009 <para>Example: <command>time offset = 60</command></para>
7010 </listitem>
7011 </varlistentry>
7012
7013
7014
7015 <varlistentry>
7016 <term><anchor id="TIMESERVER">time server (G)</term>
7017 <listitem><para>This parameter determines if <ulink url="nmbd.8.html">
7018 nmbd(8)</ulink> advertises itself as a time server to Windows
7019 clients.</para>
7020
7021 <para>Default: <command>time server = no</command></para>
7022 </listitem>
7023 </varlistentry>
7024
7025
7026 <varlistentry>
7027 <term><anchor id="TIMESTAMPLOGS">timestamp logs (G)</term>
7028 <listitem><para>Synonym for <link linkend="DEBUGTIMESTAMP"><parameter>
7029 debug timestamp</parameter></link>.</para>
7030 </listitem>
7031 </varlistentry>
7032
7033
7034
7035
7036
7037 <varlistentry>
7038 <term><anchor id="TOTALPRINTJOBS">total print jobs (G)</term>
7039 <listitem><para>This parameter accepts an integer value which defines
7040 a limit on the maximum number of print jobs that will be accepted
7041 system wide at any given time. If a print job is submitted
7042 by a client which will exceed this number, then smbd will return an
7043 error indicating that no space is available on the server. The
7044 default value of 0 means that no such limit exists. This parameter
7045 can be used to prevent a server from exceeding its capacity and is
7046 designed as a printing throttle. See also
7047 <link linkend="MAXPRINTJOBS"><parameter>max print jobs</parameter</link>.
7048 </para>
7049
7050 <para>Default: <command>total print jobs = 0</command></para>
7051 <para>Example: <command>total print jobs = 5000</command></para>
7052 </listitem>
7053 </varlistentry>
7054
7055
7056
7057
7058 <varlistentry>
7059 <term><anchor id="UNIXPASSWORDSYNC">unix password sync (G)</term>
7060 <listitem><para>This boolean parameter controls whether Samba
7061 attempts to synchronize the UNIX password with the SMB password
7062 when the encrypted SMB password in the smbpasswd file is changed.
7063 If this is set to true the program specified in the <parameter>passwd
7064 program</parameter>parameter is called <emphasis>AS ROOT</emphasis> -
7065 to allow the new UNIX password to be set without access to the
7066 old UNIX password (as the SMB password has change code has no
7067 access to the old password cleartext, only the new).</para>
7068
7069 <para>See also <link linkend="PASSWDPROGRAM"><parameter>passwd
7070 program</parameter></link>, <link linkend="PASSWDCHAT"><parameter>
7071 passwd chat</parameter></link>.</para>
7072
7073 <para>Default: <command>unix password sync = no</command></para>
7074 </listitem>
7075 </varlistentry>
7076
7077
7078
7079 <varlistentry>
7080 <term><anchor id="UNIXREALNAME">unix realname (G)</term>
7081 <listitem><para>This boolean parameter when set causes samba
7082 to supply the real name field from the unix password file to
7083 the client. This is useful for setting up mail clients and WWW
7084 browsers on systems used by more than one person.</para>
7085
7086 <para>Default: <command>unix realname = yes</command></para>
7087 </listitem>
7088 </varlistentry>
7089
7090
7091
7092 <varlistentry>
7093 <term><anchor id="UPDATEENCRYPTED">update encrypted (G)</term>
7094 <listitem><para>This boolean parameter allows a user logging
7095 on with a plaintext password to have their encrypted (hashed)
7096 password in the smbpasswd file to be updated automatically as
7097 they log on. This option allows a site to migrate from plaintext
7098 password authentication (users authenticate with plaintext
7099 password over the wire, and are checked against a UNIX account
7100 database) to encrypted password authentication (the SMB
7101 challenge/response authentication mechanism) without forcing
7102 all users to re-enter their passwords via smbpasswd at the time the
7103 change is made. This is a convenience option to allow the change over
7104 to encrypted passwords to be made over a longer period. Once all users
7105 have encrypted representations of their passwords in the smbpasswd
7106 file this parameter should be set to <constant>no</constant>.</para>
7107
7108 <para>In order for this parameter to work correctly the <link
7109 linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords</parameter>
7110 </link> parameter must be set to <constant>no</constant> when
7111 this parameter is set to <constant>yes</constant>.</para>
7112
7113 <para>Note that even when this parameter is set a user
7114 authenticating to <command>smbd</command> must still enter a valid
7115 password in order to connect correctly, and to update their hashed
7116 (smbpasswd) passwords.</para>
7117
7118 <para>Default: <command>update encrypted = no</command></para>
7119 </listitem>
7120 </varlistentry>
7121
7122
7123
7124 <varlistentry>
7125 <term><anchor id="USERHOSTS">use rhosts (G)</term>
7126 <listitem><para>If this global parameter is a true, it specifies
7127 that the UNIX users <filename>.rhosts</filename> file in their home directory
7128 will be read to find the names of hosts and users who will be allowed
7129 access without specifying a password.</para>
7130
7131 <para><emphasis>NOTE:</emphasis> The use of <parameter>use rhosts
7132 </parameter> can be a major security hole. This is because you are
7133 trusting the PC to supply the correct username. It is very easy to
7134 get a PC to supply a false username. I recommend that the <parameter>
7135 use rhosts</parameter> option be only used if you really know what
7136 you are doing.</para>
7137
7138 <para>Default: <command>use rhosts = no</command></para>
7139 </listitem>
7140 </varlistentry>
7141
7142
7143
7144 <varlistentry>
7145 <term><anchor id="USER">user (S)</term>
7146 <listitem><para>Synonym for <link linkend="USERNAME"><parameter>
7147 username</parameter></link>.</para>
7148 </listitem>
7149 </varlistentry>
7150
7151
7152
7153 <varlistentry>
7154 <term><anchor id="USERS">users (S)</term>
7155 <listitem><para>Synonym for <link linkend="USERNAME"><parameter>
7156 username</parameter></link>.</para>
7157 </listitem>
7158 </varlistentry>
7159
7160
7161 <varlistentry>
7162 <term><anchor id="USERNAME">username (S)</term>
7163 <listitem><para>Multiple users may be specified in a comma-delimited
7164 list, in which case the supplied password will be tested against
7165 each username in turn (left to right).</para>
7166
7167 <para>The <parameter>username</parameter> line is needed only when
7168 the PC is unable to supply its own username. This is the case
7169 for the COREPLUS protocol or where your users have different WfWg
7170 usernames to UNIX usernames. In both these cases you may also be
7171 better using the \\server\share%user syntax instead.</para>
7172
7173 <para>The <parameter>username</parameter> line is not a great
7174 solution in many cases as it means Samba will try to validate
7175 the supplied password against each of the usernames in the
7176 <parameter>username</parameter> line in turn. This is slow and
7177 a bad idea for lots of users in case of duplicate passwords.
7178 You may get timeouts or security breaches using this parameter
7179 unwisely.</para>
7180
7181 <para>Samba relies on the underlying UNIX security. This
7182 parameter does not restrict who can login, it just offers hints
7183 to the Samba server as to what usernames might correspond to the
7184 supplied password. Users can login as whoever they please and
7185 they will be able to do no more damage than if they started a
7186 telnet session. The daemon runs as the user that they log in as,
7187 so they cannot do anything that user cannot do.</para>
7188
7189 <para>To restrict a service to a particular set of users you
7190 can use the <link linkend="VALIDUSERS"><parameter>valid users
7191 </parameter></link> parameter.</para>
7192
7193 <para>If any of the usernames begin with a '@' then the name
7194 will be looked up first in the yp netgroups list (if Samba
7195 is compiled with netgroup support), followed by a lookup in
7196 the UNIX groups database and will expand to a list of all users
7197 in the group of that name.</para>
7198
7199 <para>If any of the usernames begin with a '+' then the name
7200 will be looked up only in the UNIX groups database and will
7201 expand to a list of all users in the group of that name.</para>
7202
7203 <para>If any of the usernames begin with a '&'then the name
7204 will be looked up only in the yp netgroups database (if Samba
7205 is compiled with netgroup support) and will expand to a list
7206 of all users in the netgroup group of that name.</para>
7207
7208 <para>Note that searching though a groups database can take
7209 quite some time, and some clients may time out during the
7210 search.</para>
7211
7212 <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
7213 USERNAME/PASSWORD VALIDATION</link> for more information on how
7214 this parameter determines access to the services.</para>
7215
7216 <para>Default: <command>The guest account if a guest service,
7217 else &lt;empty string&gt;.</command></para>
7218
7219 <para>Examples:<command>username = fred, mary, jack, jane,
7220 @users, @pcgroup</command></para>
7221 </listitem>
7222 </varlistentry>
7223
7224
7225
7226 <varlistentry>
7227 <term><anchor id="USERNAMELEVEL">username level (G)</term>
7228 <listitem><para>This option helps Samba to try and 'guess' at
7229 the real UNIX username, as many DOS clients send an all-uppercase
7230 username. By default Samba tries all lowercase, followed by the
7231 username with the first letter capitalized, and fails if the
7232 username is not found on the UNIX machine.</para>
7233
7234 <para>If this parameter is set to non-zero the behavior changes.
7235 This parameter is a number that specifies the number of uppercase
7236 combinations to try while trying to determine the UNIX user name. The
7237 higher the number the more combinations will be tried, but the slower
7238 the discovery of usernames will be. Use this parameter when you have
7239 strange usernames on your UNIX machine, such as <constant>AstrangeUser
7240 </constant>.</para>
7241
7242 <para>Default: <command>username level = 0</command></para>
7243 <para>Example: <command>username level = 5</command></para>
7244 </listitem>
7245 </varlistentry>
7246
7247
7248
7249 <varlistentry>
7250 <term><anchor id="USERNAMEMAP">username map (G)</term>
7251 <listitem><para>This option allows you to specify a file containing
7252 a mapping of usernames from the clients to the server. This can be
7253 used for several purposes. The most common is to map usernames
7254 that users use on DOS or Windows machines to those that the UNIX
7255 box uses. The other is to map multiple users to a single username
7256 so that they can more easily share files.</para>
7257
7258 <para>The map file is parsed line by line. Each line should
7259 contain a single UNIX username on the left then a '=' followed
7260 by a list of usernames on the right. The list of usernames on the
7261 right may contain names of the form @group in which case they
7262 will match any UNIX username in that group. The special client
7263 name '*' is a wildcard and matches any name. Each line of the
7264 map file may be up to 1023 characters long.</para>
7265
7266 <para>The file is processed on each line by taking the
7267 supplied username and comparing it with each username on the right
7268 hand side of the '=' signs. If the supplied name matches any of
7269 the names on the right hand side then it is replaced with the name
7270 on the left. Processing then continues with the next line.</para>
7271
7272 <para>If any line begins with a '#' or a ';' then it is
7273 ignored</para>
7274
7275 <para>If any line begins with an '!' then the processing
7276 will stop after that line if a mapping was done by the line.
7277 Otherwise mapping continues with every line being processed.
7278 Using '!' is most useful when you have a wildcard mapping line
7279 later in the file.</para>
7280
7281 <para>For example to map from the name <constant>admin</constant>
7282 or <constant>administrator</constant> to the UNIX name <constant>
7283 root</constant> you would use:</para>
7284
7285 <para><command>root = admin administrator</command></para>
7286
7287 <para>Or to map anyone in the UNIX group <constant>system</constant>
7288 to the UNIX name <constant>sys</constant> you would use:</para>
7289
7290 <para><command>sys = @system</command></para>
7291
7292 <para>You can have as many mappings as you like in a username
7293 map file.</para>
7294
7295
7296 <para>If your system supports the NIS NETGROUP option then
7297 the netgroup database is checked before the <filename>/etc/group
7298 </filename> database for matching groups.</para>
7299
7300 <para>You can map Windows usernames that have spaces in them
7301 by using double quotes around the name. For example:</para>
7302
7303 <para><command>tridge = "Andrew Tridgell"</command></para>
7304
7305 <para>would map the windows username "Andrew Tridgell" to the
7306 unix username "tridge".</para>
7307
7308 <para>The following example would map mary and fred to the
7309 unix user sys, and map the rest to guest. Note the use of the
7310 '!' to tell Samba to stop processing if it gets a match on
7311 that line.</para>
7312
7313 <para><programlisting>
7314 !sys = mary fred
7315 guest = *
7316 </programlisting></para>
7317
7318 <para>Note that the remapping is applied to all occurrences
7319 of usernames. Thus if you connect to \\server\fred and <constant>
7320 fred</constant> is remapped to <constant>mary</constant> then you
7321 will actually be connecting to \\server\mary and will need to
7322 supply a password suitable for <constant>mary</constant> not
7323 <constant>fred</constant>. The only exception to this is the
7324 username passed to the <link linkend="PASSWORDSERVER"><parameter>
7325 password server</parameter></link> (if you have one). The password
7326 server will receive whatever username the client supplies without
7327 modification.</para>
7328
7329 <para>Also note that no reverse mapping is done. The main effect
7330 this has is with printing. Users who have been mapped may have
7331 trouble deleting print jobs as PrintManager under WfWg will think
7332 they don't own the print job.</para>
7333
7334 <para>Default: <emphasis>no username map</emphasis></para>
7335 <para>Example: <command>username map = /usr/local/samba/lib/users.map
7336 </command></para>
7337 </listitem>
7338 </varlistentry>
7339
7340
7341
7342 <varlistentry>
7343 <term><anchor id="UTMP">utmp (S)</term>
7344 <listitem><para>This boolean parameter is only available if
7345 Samba has been configured and compiled with the option <command>
7346 --with-utmp</command>. If set to True then Samba will attempt
7347 to add utmp or utmpx records (depending on the UNIX system) whenever a
7348 connection is made to a Samba server. Sites may use this to record the
7349 user connecting to a Samba share.</para>
7350
7351 <para>See also the <link linkend="UTMPDIRECTORY"><parameter>
7352 utmp directory</parameter></link> parameter.</para>
7353
7354 <para>Default: <command>utmp = no</command></para>
7355 </listitem>
7356 </varlistentry>
7357
7358
7359
7360 <varlistentry>
7361 <term><anchor id="UTMPDIRECTORY">utmp directory(G)</term>
7362 <listitem><para>This parameter is only available if Samba has
7363 been configured and compiled with the option <command>
7364 --with-utmp</command>. It specifies a directory pathname that is
7365 used to store the utmp or utmpx files (depending on the UNIX system) that
7366 record user connections to a Samba server. See also the <link linkend="UTMP">
7367 <parameter>utmp</parameter></link> parameter. By default this is
7368 not set, meaning the system will use whatever utmp file the
7369 native system is set to use (usually
7370 <filename>/var/run/utmp</filename> on Linux).</para>
7371
7372 <para>Default: <emphasis>no utmp directory</emphasis></para>
7373 </listitem>
7374 </varlistentry>
7375
7376
7377
7378 <varlistentry>
7379 <term><anchor id="VALIDCHARS">valid chars (G)</term>
7380 <listitem><para>The option allows you to specify additional
7381 characters that should be considered valid by the server in
7382 filenames. This is particularly useful for national character
7383 sets, such as adding u-umlaut or a-ring.</para>
7384
7385 <para>The option takes a list of characters in either integer
7386 or character form with spaces between them. If you give two
7387 characters with a colon between them then it will be taken as
7388 an lowercase:uppercase pair.</para>
7389
7390 <para>If you have an editor capable of entering the characters
7391 into the config file then it is probably easiest to use this
7392 method. Otherwise you can specify the characters in octal,
7393 decimal or hexadecimal form using the usual C notation.</para>
7394
7395 <para>For example to add the single character 'Z' to the charset
7396 (which is a pointless thing to do as it's already there) you could
7397 do one of the following</para>
7398
7399 <para><programlisting>
7400 valid chars = Z
7401 valid chars = z:Z
7402 valid chars = 0132:0172
7403 </programlisting></para>
7404
7405 <para>The last two examples above actually add two characters,
7406 and alter the uppercase and lowercase mappings appropriately.</para>
7407
7408 <para>Note that you <emphasis>MUST</emphasis> specify this parameter
7409 after the <parameter>client code page</parameter> parameter if you
7410 have both set. If <parameter>client code page</parameter> is set after
7411 the <parameter>valid chars</parameter> parameter the <parameter>valid
7412 chars</parameter> settings will be overwritten.</para>
7413
7414 <para>See also the <link linkend="CLIENTCODEPAGE"><parameter>client
7415 code page</parameter></link> parameter.</para>
7416
7417 <para>Default: <emphasis>Samba defaults to using a reasonable set
7418 of valid characters for English systems</emphasis></para>
7419
7420 <para>Example: <command>valid chars = 0345:0305 0366:0326 0344:0304
7421 </command></para>
7422
7423 <para>The above example allows filenames to have the Swedish
7424 characters in them.</para>
7425
7426 <para><emphasis>NOTE:</emphasis> It is actually quite difficult to
7427 correctly produce a <parameter>valid chars</parameter> line for
7428 a particular system. To automate the process <ulink
7429 url="mailto:tino@augsburg.net">tino@augsburg.net</ulink> has written
7430 a package called <command>validchars</command> which will automatically
7431 produce a complete <parameter>valid chars</parameter> line for
7432 a given client system. Look in the <filename>examples/validchars/
7433 </filename> subdirectory of your Samba source code distribution
7434 for this package.</para>
7435 </listitem>
7436 </varlistentry>
7437
7438
7439
7440 <varlistentry>
7441 <term><anchor id="VALIDUSERS">valid users (S)</term>
7442 <listitem><para>This is a list of users that should be allowed
7443 to login to this service. Names starting with '@', '+' and '&'
7444 are interpreted using the same rules as described in the
7445 <parameter>invalid users</parameter> parameter.</para>
7446
7447 <para>If this is empty (the default) then any user can login.
7448 If a username is in both this list and the <parameter>invalid
7449 users</parameter> list then access is denied for that user.</para>
7450
7451 <para>The current servicename is substituted for <parameter>%S
7452 </parameter>. This is useful in the [homes] section.</para>
7453
7454 <para>See also <link linkend="INVALIDUSERS"><parameter>invalid users
7455 </parameter></link></para>
7456
7457 <para>Default: <emphasis>No valid users list (anyone can login)
7458 </emphasis></para>
7459
7460 <para>Example: <command>valid users = greg, @pcusers</command></para>
7461 </listitem>
7462 </varlistentry>
7463
7464
7465
7466
7467 <varlistentry>
7468 <term><anchor id="VETOFILES">veto files(S)</term>
7469 <listitem><para>This is a list of files and directories that
7470 are neither visible nor accessible. Each entry in the list must
7471 be separated by a '/', which allows spaces to be included
7472 in the entry. '*' and '?' can be used to specify multiple files
7473 or directories as in DOS wildcards.</para>
7474
7475 <para>Each entry must be a unix path, not a DOS path and
7476 must <emphasis>not</emphasis> include the unix directory
7477 separator '/'.</para>
7478
7479 <para>Note that the <parameter>case sensitive</parameter> option
7480 is applicable in vetoing files.</para>
7481
7482 <para>One feature of the veto files parameter that it is important
7483 to be aware of, is that if a directory contains nothing but files
7484 that match the veto files parameter (which means that Windows/DOS
7485 clients cannot ever see them) is deleted, the veto files within
7486 that directory <emphasis>are automatically deleted</emphasis> along
7487 with it, if the user has UNIX permissions to do so.</para>
7488
7489 <para>Setting this parameter will affect the performance
7490 of Samba, as it will be forced to check all files and directories
7491 for a match as they are scanned.</para>
7492
7493 <para>See also <link linkend="HIDEFILES"><parameter>hide files
7494 </parameter></link> and <link linkend="CASESENSITIVE"><parameter>
7495 case sensitive</parameter></link>.</para>
7496
7497 <para>Default: <emphasis>No files or directories are vetoed.
7498 </emphasis></para>
7499
7500 <para>Examples:<programlisting>
7501 ; Veto any files containing the word Security,
7502 ; any ending in .tmp, and any directory containing the
7503 ; word root.
7504 veto files = /*Security*/*.tmp/*root*/
7505
7506 ; Veto the Apple specific files that a NetAtalk server
7507 ; creates.
7508 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
7509 </programlisting></para>
7510 </listitem>
7511 </varlistentry>
7512
7513
7514 <varlistentry>
7515 <term><anchor id="VETOOPLOCKFILES">veto oplock files (S)</term>
7516 <listitem><para>This parameter is only valid when the <link
7517 linkend="OPLOCKS"><parameter>oplocks</parameter></link>
7518 parameter is turned on for a share. It allows the Samba administrator
7519 to selectively turn off the granting of oplocks on selected files that
7520 match a wildcarded list, similar to the wildcarded list used in the
7521 <link linkend="VETOFILES"><parameter>veto files</parameter></link>
7522 parameter.</para>
7523
7524 <para>Default: <emphasis>No files are vetoed for oplock
7525 grants</emphasis></para>
7526
7527 <para>You might want to do this on files that you know will
7528 be heavily contended for by clients. A good example of this
7529 is in the NetBench SMB benchmark program, which causes heavy
7530 client contention for files ending in <filename>.SEM</filename>.
7531 To cause Samba not to grant oplocks on these files you would use
7532 the line (either in the [global] section or in the section for
7533 the particular NetBench share :</para>
7534
7535 <para>Example: <command>veto oplock files = /*;.SEM/
7536 </command></para>
7537 </listitem>
7538 </varlistentry>
7539
7540
7541
7542 <varlistentry>
7543 <term><anchor id="VFSOBJECT">vfs object (S)</term>
7544 <listitem><para>This parameter specifies a shared object file that
7545 is used for Samba VFS I/O operations. By default, normal
7546 disk I/O operations are used but these can be overloaded
7547 with a VFS object. The Samba VFS layer is new to Samba 2.2 and
7548 must be enabled at compile time with --with-vfs.</para>
7549
7550 <para>Default : <emphasis>no value</emphasis></para>
7551 </listitem>
7552 </varlistentry>
7553
7554
7555
7556
7557 <varlistentry>
7558 <term><anchor id="VFSOPTIONS">vfs options (S)</term>
7559 <listitem><para>This parameter allows parameters to be passed
7560 to the vfs layer at initialisation time. The Samba VFS layer
7561 is new to Samba 2.2 and must be enabled at compile time
7562 with --with-vfs. See also <link linkend="VFSOBJECT"><parameter>
7563 vfs object</parameter></link>.</para>
7564
7565 <para>Default : <emphasis>no value</emphasis></para>
7566 </listitem>
7567 </varlistentry>
7568
7569
7570
7571 <varlistentry>
7572 <term><anchor id="VOLUME">volume (S)</term>
7573 <listitem><para> This allows you to override the volume label
7574 returned for a share. Useful for CDROMs with installation programs
7575 that insist on a particular volume label.</para>
7576
7577 <para>Default: <emphasis>the name of the share</emphasis></para>
7578 </listitem>
7579 </varlistentry>
7580
7581
7582
7583 <varlistentry>
7584 <term><anchor id="WIDELINKS">wide links (S)</term>
7585 <listitem><para>This parameter controls whether or not links
7586 in the UNIX file system may be followed by the server. Links
7587 that point to areas within the directory tree exported by the
7588 server are always allowed; this parameter controls access only
7589 to areas that are outside the directory tree being exported.</para>
7590
7591 <para>Note that setting this parameter can have a negative
7592 effect on your server performance due to the extra system calls
7593 that Samba has to do in order to perform the link checks.</para>
7594
7595 <para>Default: <command>wide links = yes</command></para>
7596 </listitem>
7597 </varlistentry>
7598
7599
7600
7601
7602 <varlistentry>
7603 <term><anchor id="WINBINDCACHETIME">winbind cache time</term>
7604 <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
7605 available in Samba 3.0.</para>
7606
7607 <para>This parameter specifies the number of seconds the
7608 <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will cache
7609 user and group information before querying a Windows NT server
7610 again.</para>
7611
7612 <para>Default: <command>winbind cache type = 15</command></para>
7613 </listitem>
7614 </varlistentry>
7615
7616
7617
7618
7619 <varlistentry>
7620 <term><anchor id="WINBINDGID">winbind gid</term>
7621 <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
7622 available in Samba 3.0.</para>
7623
7624 <para>The winbind gid parameter specifies the range of group
7625 ids that are allocated by the <ulink url="winbindd.8.html">
7626 winbindd(8)</ulink> daemon. This range of group ids should have no
7627 existing local or nis groups within it as strange conflicts can
7628 occur otherwise.</para>
7629
7630 <para>Default: <command>winbind gid = &lt;empty string&gt;
7631 </command></para>
7632
7633 <para>Example: <command>winbind gid = 10000-20000</command></para>
7634 </listitem>
7635 </varlistentry>
7636
7637
7638 <varlistentry>
7639 <term><anchor id="WINBINDSEPARATOR">winbind separator</term>
7640 <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
7641 available in Samba 3.0.</para>
7642
7643 <para>This parameter allows an admin to define the character
7644 used when listing a username of the form of <replaceable>DOMAIN
7645 </replaceable>\<replaceable>user</replaceable>. This parameter
7646 is only applicable when using the <filename>pam_winbind.so</filename>
7647 and <filename>nss_winbind.so</filename> modules for UNIX services.
7648 </para>
7649
7650 <para>Example: <command>winbind separator = \</command></para>
7651 <para>Example: <command>winbind separator = +</command></para>
7652 </listitem>
7653 </varlistentry>
7654
7655
7656
7657
7658 <varlistentry>
7659 <term><anchor id="WINBINDUID">winbind uid</term>
7660 <listitem><para><emphasis>NOTE:</emphasis> this parameter is only
7661 available in Samba 3.0.</para>
7662
7663 <para>The winbind gid parameter specifies the range of group
7664 ids that are allocated by the <ulink url="winbindd.8.html">
7665 winbindd(8)</ulink> daemon. This range of ids should have no
7666 existing local or nis users within it as strange conflicts can
7667 occur otherwise.</para>
7668
7669 <para>Default: <command>winbind uid = &lt;empty string&gt;
7670 </command></para>
7671
7672 <para>Example: <command>winbind uid = 10000-20000</command></para>
7673 </listitem>
7674 </varlistentry>
7675
7676
7677
7678
7679
7680 <varlistentry>
7681 <term><anchor id="WINSHOOK">wins hook (G)</term>
7682 <listitem><para>When Samba is running as a WINS server this
7683 allows you to call an external program for all changes to the
7684 WINS database. The primary use for this option is to allow the
7685 dynamic update of external name resolution databases such as
7686 dynamic DNS.</para>
7687
7688 <para>The wins hook parameter specifies the name of a script
7689 or executable that will be called as follows:</para>
7690
7691 <para><command>wins_hook operation name nametype ttl IP_list
7692 </command></para>
7693
7694 <itemizedlist>
7695 <listitem><para>The first argument is the operation and is one
7696 of "add", "delete", or "refresh". In most cases the operation can
7697 be ignored as the rest of the parameters provide sufficient
7698 information. Note that "refresh" may sometimes be called when the
7699 name has not previously been added, in that case it should be treated
7700 as an add.</para></listitem>
7701
7702 <listitem><para>The second argument is the netbios name. If the
7703 name is not a legal name then the wins hook is not called.
7704 Legal names contain only letters, digits, hyphens, underscores
7705 and periods.</para></listitem>
7706
7707 <listitem><para>The third argument is the netbios name
7708 type as a 2 digit hexadecimal number. </para></listitem>
7709
7710 <listitem><para>The fourth argument is the TTL (time to live)
7711 for the name in seconds.</para></listitem>
7712
7713 <listitem><para>The fifth and subsequent arguments are the IP
7714 addresses currently registered for that name. If this list is
7715 empty then the name should be deleted.</para></listitem>
7716 </itemizedlist>
7717
7718 <para>An example script that calls the BIND dynamic DNS update
7719 program <command>nsupdate</command> is provided in the examples
7720 directory of the Samba source code. </para>
7721 </listitem>
7722 </varlistentry>
7723
7724
7725
7726
7727
7728 <varlistentry>
7729 <term><anchor id="WINSPROXY">wins proxy (G)</term>
7730 <listitem><para>This is a boolean that controls if <ulink
7731 url="nmbd.8.html">nmbd(8)</ulink> will respond to broadcast name
7732 queries on behalf of other hosts. You may need to set this
7733 to <constant>yes</constant> for some older clients.</para>
7734
7735 <para>Default: <command>wins proxy = no</command></para>
7736 </listitem>
7737 </varlistentry>
7738
7739
7740
7741
7742 <varlistentry>
7743 <term><anchor id="WINSSERVER">wins server (G)</term>
7744 <listitem><para>This specifies the IP address (or DNS name: IP
7745 address for preference) of the WINS server that <ulink url="nmbd.8.html">
7746 nmbd(8)</ulink> should register with. If you have a WINS server on
7747 your network then you should set this to the WINS server's IP.</para>
7748
7749 <para>You should point this at your WINS server if you have a
7750 multi-subnetted network.</para>
7751
7752 <para><emphasis>NOTE</emphasis>. You need to set up Samba to point
7753 to a WINS server if you have multiple subnets and wish cross-subnet
7754 browsing to work correctly.</para>
7755
7756 <para>See the documentation file <filename>BROWSING.txt</filename>
7757 in the docs/ directory of your Samba source distribution.</para>
7758
7759 <para>Default: <emphasis>not enabled</emphasis></para>
7760 <para>Example: <command>wins server = 192.9.200.1</command></para>
7761 </listitem>
7762 </varlistentry>
7763
7764
7765
7766 <varlistentry>
7767 <term><anchor id="WINSSUPPORT">wins support (G)</term>
7768 <listitem><para>This boolean controls if the <ulink url="nmbd.8.html">
7769 nmbd(8)</ulink> process in Samba will act as a WINS server. You should
7770 not set this to true unless you have a multi-subnetted network and
7771 you wish a particular <command>nmbd</command> to be your WINS server.
7772 Note that you should <emphasis>NEVER</emphasis> set this to true
7773 on more than one machine in your network.</para>
7774
7775 <para>Default: <command>wins support = no</command></para>
7776 </listitem>
7777 </varlistentry>
7778
7779
7780
7781 <varlistentry>
7782 <term><anchor id="WORKGROUP">workgroup (G)</term>
7783 <listitem><para>This controls what workgroup your server will
7784 appear to be in when queried by clients. Note that this parameter
7785 also controls the Domain name used with the <link
7786 linkend="SECURITYEQUALSDOMAIN"><command>security=domain</command></link>
7787 setting.</para>
7788
7789 <para>Default: <emphasis>set at compile time to WORKGROUP</emphasis></para>
7790 <para>Example: <command>workgroup = MYGROUP</command></para>
7791 </listitem>
7792 </varlistentry>
7793
7794
7795
7796
7797 <varlistentry>
7798 <term><anchor id="WRITABLE">writable (S)</term>
7799 <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter>
7800 writeable</parameter></link> for people who can't spell :-).</para>
7801 </listitem>
7802 </varlistentry>
7803
7804
7805
7806 <varlistentry>
7807 <term><anchor id="WRITECACHESIZE">write cache size (S)</term>
7808 <listitem><para>If this integer parameter is set to non-zero value,
7809 Samba will create an in-memory cache for each oplocked file
7810 (it does <emphasis>not</emphasis> do this for
7811 non-oplocked files). All writes that the client does not request
7812 to be flushed directly to disk will be stored in this cache if possible.
7813 The cache is flushed onto disk when a write comes in whose offset
7814 would not fit into the cache or when the file is closed by the client.
7815 Reads for the file are also served from this cache if the data is stored
7816 within it.</para>
7817
7818 <para>This cache allows Samba to batch client writes into a more
7819 efficient write size for RAID disks (ie. writes may be tuned to
7820 be the RAID stripe size) and can improve performance on systems
7821 where the disk subsystem is a bottleneck but there is free
7822 memory for userspace programs.</para>
7823
7824 <para>The integer parameter specifies the size of this cache
7825 (per oplocked file) in bytes.</para>
7826
7827 <para>Default: <command>write cache size = 0</command></para>
7828 <para>Example: <command>write cache size = 262144</command></para>
7829
7830 <para>for a 256k cache size per file.</para>
7831 </listitem>
7832 </varlistentry>
7833
7834
7835
7836
7837
7838 <varlistentry>
7839 <term><anchor id="WRITELIST">write list (S)</term>
7840 <listitem><para>This is a list of users that are given read-write
7841 access to a service. If the connecting user is in this list then
7842 they will be given write access, no matter what the <link
7843 linkend="WRITEABLE"><parameter>writeable</parameter></link>
7844 option is set to. The list can include group names using the
7845 @group syntax.</para>
7846
7847 <para>Note that if a user is in both the read list and the
7848 write list then they will be given write access.</para>
7849
7850 <para>See also the <link linkend="READLIST"><parameter>read list
7851 </parameter></link> option.</para>
7852
7853 <para>Default: <command>write list = &lt;empty string&gt;
7854 </command></para>
7855
7856 <para>Example: <command>write list = admin, root, @staff
7857 </command></para>
7858 </listitem>
7859 </varlistentry>
7860
7861
7862
7863
7864
7865 <varlistentry>
7866 <term><anchor id="WRITEOK">write ok (S)</term>
7867 <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter>
7868 writeable</parameter></link>.</para>
7869 </listitem>
7870 </varlistentry>
7871
7872
7873
7874 <varlistentry>
7875 <term><anchor id="WRITERAW">write raw (G)</term>
7876 <listitem><para>This parameter controls whether or not the server
7877 will support raw writes SMB's when transferring data from clients.
7878 You should never need to change this parameter.</para>
7879
7880 <para>Default: <command>write raw = yes</command></para>
7881 </listitem>
7882 </varlistentry>
7883
7884
7885
7886 <varlistentry>
7887 <term><anchor id="WRITEABLE">writeable (S)</term>
7888 <listitem><para>An inverted synonym is <link linkend="READONLY">
7889 <parameter>read only</parameter></link>.</para>
7890
7891 <para>If this parameter is <constant>no</constant>, then users
7892 of a service may not create or modify files in the service's
7893 directory.</para>
7894
7895 <para>Note that a printable service (<command>printable = yes</command>)
7896 will <emphasis>ALWAYS</emphasis> allow writing to the directory
7897 (user privileges permitting), but only via spooling operations.</para>
7898
7899 <para>Default: <command>writeable = no</command></para>
7900 </listitem>
7901 </varlistentry>
7902
7903
7904 </variablelist>
7905
7906 </refsect1>
7907
7908 <refsect1>
7909 <title>WARNINGS</title>
7910
7911 <para>Although the configuration file permits service names
7912 to contain spaces, your client software may not. Spaces will
7913 be ignored in comparisons anyway, so it shouldn't be a
7914 problem - but be aware of the possibility.</para>
7915
7916 <para>On a similar note, many clients - especially DOS clients -
7917 limit service names to eight characters. <ulink url="smbd.8.html">smbd(8)
7918 </ulink> has no such limitation, but attempts to connect from such
7919 clients will fail if they truncate the service names. For this reason
7920 you should probably keep your service names down to eight characters
7921 in length.</para>
7922
7923 <para>Use of the [homes] and [printers] special sections make life
7924 for an administrator easy, but the various combinations of default
7925 attributes can be tricky. Take extreme care when designing these
7926 sections. In particular, ensure that the permissions on spool
7927 directories are correct.</para>
7928 </refsect1>
7929
7930 <refsect1>
7931 <title>VERSION</title>
7932
7933 <para>This man page is correct for version 2.2 of
7934 the Samba suite.</para>
7935 </refsect1>
7936
7937 <refsect1>
7938 <title>SEE ALSO</title>
7939 <para><ulink url="samba.7.html">samba(7)</ulink>,
7940 <ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink>,
7941 <ulink url="swat.8.html"><command>swat(8)</command></ulink>,
7942 <ulink url="smbd.8.html"><command>smbd(8)</command></ulink>,
7943 <ulink url="nmbd.8.html"><command>nmbd(8)</command></ulink>,
7944 <ulink url="smbclient.1.html"><command>smbclient(1)</command></ulink>,
7945 <ulink url="nmblookup.1.html"><command>nmblookup(1)</command></ulink>,
7946 <ulink url="testparm.1.html"><command>testparm(1)</command></ulink>,
7947 <ulink url="testprns.1.html"><command>testprns(1)</command></ulink>
7948 </para>
7949 </refsect1>
7950
7951 <refsect1>
7952 <title>AUTHOR</title>
7953
7954 <para>The original Samba software and related utilities
7955 were created by Andrew Tridgell. Samba is now developed
7956 by the Samba Team as an Open Source project similar
7957 to the way the Linux kernel is developed.</para>
7958
7959 <para>The original Samba man pages were written by Karl Auer.
7960 The man page sources were converted to YODL format (another
7961 excellent piece of Open Source software, available at
7962 <ulink url="ftp://ftp.icce.rug.nl/pub/unix/">
7963 ftp://ftp.icce.rug.nl/pub/unix/</ulink>) and updated for the Samba 2.0
7964 release by Jeremy Allison. The conversion to DocBook for
7965 Samba 2.2 was done by Gerald Carter</para>
7966 </refsect1>
7967
7968 </refentry>
Samba GIT mirror