From 4834c45bc610de2f45e8564f89cde644062a792f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 5 May 2005 22:38:51 +0000 Subject: [PATCH] Move existing samba4 documentation to Samba-docs trunk --- docs/Makefile | 33 +- docs/Makefile.settings.in | 4 +- docs/README | 1 + .../CodingSuggestions.xml | 0 .../NetBIOS.xml | 0 .../Tracing.xml | 0 .../architecture.xml | 0 .../cifsntdomain.xml | 0 .../contributing.xml | 0 .../debug.xml | 0 .../encryption.xml | 0 .../gencache.xml | 0 .../index.xml | 0 .../internals.xml | 0 .../modules.xml | 0 .../packagers.xml | 0 .../parsing.xml | 0 .../printing.xml | 0 .../registry.dot | 0 .../registry.xml | 0 .../rpc_plugin.xml | 0 .../unix-smb.xml | 0 .../vfs.xml | 0 .../windows-debug.xml | 0 .../wins.xml | 0 docs/Samba4-HOWTO/ad-dc.xml | 4 + docs/Samba4-HOWTO/ad-member.xml | 4 + docs/Samba4-HOWTO/auth.xml | 4 + docs/Samba4-HOWTO/cifsfs.xml | 4 + docs/Samba4-HOWTO/compiling.xml | 24 + docs/Samba4-HOWTO/config.xml | 5 + docs/Samba4-HOWTO/domain-bdc.xml | 4 + docs/Samba4-HOWTO/domain-member.xml | 2 + docs/Samba4-HOWTO/domain-pdc.xml | 1 + docs/Samba4-HOWTO/history.xml | 0 docs/Samba4-HOWTO/index.xml | 137 + docs/Samba4-HOWTO/printing.xml | 11 + docs/Samba4-HOWTO/protocol.xml | 204 + docs/Samba4-HOWTO/registry.xml | 4 + docs/Samba4-HOWTO/samba.xml | 48 + docs/Samba4-HOWTO/security=share.xml | 8 + docs/Samba4-HOWTO/security=user.xml | 6 + docs/Samba4-HOWTO/smbclient.xml | 4 + docs/configure.in | 2 +- docs/manpages-3/smb.conf.5.xml | 8468 ++++++++++++++++++-- docs/manpages-4/gentest.1.xml | 158 + docs/manpages-4/gregedit.1.xml | 86 + docs/manpages-4/ldb.7.xml | 120 + docs/manpages-4/ldbadd.1.xml | 99 + docs/manpages-4/ldbdel.1.xml | 97 + docs/manpages-4/ldbedit.1.xml | 125 + docs/manpages-4/ldbmodify.1.xml | 87 + docs/manpages-4/ldbrename.1.xml | 101 + docs/manpages-4/ldbsearch.1.xml | 113 + docs/manpages-4/locktest.1.xml | 157 + docs/manpages-4/masktest.1.xml | 139 + docs/manpages-4/ndrdump.1.xml | 83 + docs/manpages-4/ntlm_auth.1.xml | 269 + docs/manpages-4/pidl.1.xml | 516 ++ docs/manpages-4/regdiff.1.xml | 102 + docs/manpages-4/regpatch.1.xml | 88 + docs/manpages-4/regshell.1.xml | 188 + docs/manpages-4/regtree.1.xml | 101 + docs/manpages-4/smbtorture.1.xml | 172 + 64 files changed, 11111 insertions(+), 672 deletions(-) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/CodingSuggestions.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/NetBIOS.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/Tracing.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/architecture.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/cifsntdomain.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/contributing.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/debug.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/encryption.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/gencache.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/index.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/internals.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/modules.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/packagers.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/parsing.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/printing.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/registry.dot (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/registry.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/rpc_plugin.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/unix-smb.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/vfs.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/windows-debug.xml (100%) rename docs/{Samba-Developers-Guide => Samba3-Developers-Guide}/wins.xml (100%) create mode 100644 docs/Samba4-HOWTO/ad-dc.xml create mode 100644 docs/Samba4-HOWTO/ad-member.xml create mode 100644 docs/Samba4-HOWTO/auth.xml create mode 100644 docs/Samba4-HOWTO/cifsfs.xml create mode 100644 docs/Samba4-HOWTO/compiling.xml create mode 100644 docs/Samba4-HOWTO/config.xml create mode 100644 docs/Samba4-HOWTO/domain-bdc.xml create mode 100644 docs/Samba4-HOWTO/domain-member.xml create mode 100644 docs/Samba4-HOWTO/domain-pdc.xml create mode 100644 docs/Samba4-HOWTO/history.xml create mode 100644 docs/Samba4-HOWTO/index.xml create mode 100644 docs/Samba4-HOWTO/printing.xml create mode 100644 docs/Samba4-HOWTO/protocol.xml create mode 100644 docs/Samba4-HOWTO/registry.xml create mode 100644 docs/Samba4-HOWTO/samba.xml create mode 100644 docs/Samba4-HOWTO/security=share.xml create mode 100644 docs/Samba4-HOWTO/security=user.xml create mode 100644 docs/Samba4-HOWTO/smbclient.xml rewrite docs/manpages-3/smb.conf.5.xml (93%) create mode 100644 docs/manpages-4/gentest.1.xml create mode 100644 docs/manpages-4/gregedit.1.xml create mode 100644 docs/manpages-4/ldb.7.xml create mode 100644 docs/manpages-4/ldbadd.1.xml create mode 100644 docs/manpages-4/ldbdel.1.xml create mode 100644 docs/manpages-4/ldbedit.1.xml create mode 100644 docs/manpages-4/ldbmodify.1.xml create mode 100644 docs/manpages-4/ldbrename.1.xml create mode 100644 docs/manpages-4/ldbsearch.1.xml create mode 100644 docs/manpages-4/locktest.1.xml create mode 100644 docs/manpages-4/masktest.1.xml create mode 100644 docs/manpages-4/ndrdump.1.xml create mode 100644 docs/manpages-4/ntlm_auth.1.xml create mode 100644 docs/manpages-4/pidl.1.xml create mode 100644 docs/manpages-4/regdiff.1.xml create mode 100644 docs/manpages-4/regpatch.1.xml create mode 100644 docs/manpages-4/regshell.1.xml create mode 100644 docs/manpages-4/regtree.1.xml create mode 100644 docs/manpages-4/smbtorture.1.xml diff --git a/docs/Makefile b/docs/Makefile index eb3bb41bfcf..1571b7a8b1d 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -8,11 +8,12 @@ include Makefile.settings # Docs to build MAIN_DOCS = $(patsubst %/index.xml,%,$(wildcard */index.xml)) -MANPAGES = $(wildcard $(MANPAGEDIR)/*.?.xml) +MANPAGES3 = $(wildcard $(MANPAGEDIR3)/*.?.xml) +MANPAGES4 = $(wildcard $(MANPAGEDIR4)/*.?.xml) # Lists of files to process LATEX_FIGURES = xslt/figures/caution.pdf xslt/figures/important.pdf xslt/figures/note.pdf xslt/figures/tip.pdf xslt/figures/warning.pdf -MANPAGES_PLUCKER = $(patsubst $(MANPAGEDIR)/%.xml,$(PLUCKERDIR)/%.pdb,$(MANPAGES)) +MANPAGES_PLUCKER = $(patsubst $(MANPAGEDIR3)/%.xml,$(PLUCKERDIR)/%.pdb,$(MANPAGES3)) DATETIME := $(shell date +%Y%m%d%H%M%S) @@ -31,23 +32,24 @@ help: @echo " release - Build the docs needed for a Samba release" @echo " all - Build all docs that can be build using the utilities found by configure" @echo " everything - Build all of the above" - @echo " pdf,tex,dvi,ps,manpages,txt,pearson,fo,htmlhelp - Build specific output format" + @echo " pdf,tex,dvi,ps,manpages{3,4},txt,pearson,fo,htmlhelp - Build specific output format" @echo " html - Build multi-file HTML versions" @echo " html-single - Build single-file HTML versions" - @echo " htmlman - Build HTML version of manpages" + @echo " htmlman3 - Build HTML version of manpages" @echo " undocumented - Output list of undocumented smb.conf options" @echo " samples - Extract examples" @echo " files - Extract other files" $(DOCBOOKDIR)/Samba-Guide.xml: $(filter-out Samba-Guide/index.xml,$(wildcard Samba-Guide/*.xml)) $(DOCBOOKDIR)/Samba-HOWTO-Collection.xml: $(filter-out Samba-HOWTO-Collection/index.xml,$(wildcard Samba-HOWTO-Collection/*.xml)) Samba-HOWTO-Collection-attributions.xml -Samba-HOWTO-Collection/manpages.xml: $(MANPAGEDIR)/smb.conf.5.xml -$(DOCBOOKDIR)/Samba-Developers-Guide.xml: $(filter-out Samba-Developers-Guide/index.xml,$(wildcard Samba-Developers-Guide/*.xml)) Samba-Developers-Guide-attributions.xml +Samba-HOWTO-Collection/manpages.xml: $(MANPAGEDIR3)/smb.conf.5.xml +$(DOCBOOKDIR)/Samba3-Developers-Guide.xml: $(filter-out Samba3-Developers-Guide/index.xml,$(wildcard Samba3-Developers-Guide/*.xml)) Samba3-Developers-Guide-attributions.xml +$(DOCBOOKDIR)/Samba4-HOWTO.xml: $(filter-out Samba4-HOWTO/index.xml,$(wildcard Samba4-HOWTO/*.xml)) Samba4-HOWTO-attributions.xml # Pseudo targets all: $(TARGETS) -everything: manpages pdf html-single html htmlman txt ps fo htmlhelp pearson -release: manpages htmlman html pdf +everything: manpages3 manpages4 pdf html-single html htmlman3 txt ps fo htmlhelp pearson +release: manpages3 htmlman3 html pdf # Output format targets pdf: $(patsubst %,$(PDFDIR)/%.pdf,$(MAIN_DOCS)) @@ -60,11 +62,12 @@ fo-pdf: $(patsubst %,$(FOPDFDIR)/%.pdf,$(MAIN_DOCS)) tex: $(addsuffix .tex,$(MAIN_DOCS)) texi: $(patsubst %,$(TEXINFODIR)/%.texi,$(MAIN_DOCS)) texiinfo: $(patsubst %,$(TEXINFODIR)/%.info,$(MAIN_DOCS)) -manpages: $(patsubst $(MANPAGEDIR)/%.xml,$(MANDIR)/%,$(MANPAGES)) +manpages3: $(patsubst $(MANPAGEDIR3)/%.xml,$(OUTPUTDIR)/manpages-3/%,$(MANPAGES3)) +manpages4: $(patsubst $(MANPAGEDIR4)/%.xml,$(OUTPUTDIR)/manpages-4/%,$(MANPAGES4)) pearson: $(PEARSONDIR)/Samba-HOWTO-Collection.xml pearson-verify: $(PEARSONDIR)/Samba-HOWTO-Collection.report.html plucker: $(patsubst %,$(PLUCKERDIR)/%.pdb,$(MAIN_DOCS)) -htmlman: $(patsubst $(MANPAGEDIR)/%.xml,$(HTMLDIR)/%.html,$(MANPAGES)) $(HTMLDIR)/manpages.html +htmlman3: $(patsubst $(MANPAGEDIR3)/%.xml,$(HTMLDIR)/%.html,$(MANPAGES3)) $(HTMLDIR)/manpages.html html-single: $(patsubst %,$(HTMLDIR)/%.html,$(MAIN_DOCS)) html: $(patsubst %,$(HTMLDIR)/%/index.html,$(MAIN_DOCS)) $(HTMLDIR)/index.html htmlhelp: $(addprefix $(HTMLHELPDIR)/,$(MAIN_DOCS)) @@ -76,7 +79,11 @@ $(DOCBOOKDIR)/%.xml: %/index.xml xslt/expand-sambadoc.xsl mkdir -p $(@D) $(XSLTPROC) --stringparam latex.imagebasedir "$*/" --stringparam noreference 1 --xinclude --output $@ xslt/expand-sambadoc.xsl $< -$(DOCBOOKDIR)/%.xml: $(MANPAGEDIR)/%.xml xslt/expand-sambadoc.xsl +$(DOCBOOKDIR)/manpages-3/%.xml: $(MANPAGEDIR3)/%.xml xslt/expand-sambadoc.xsl + mkdir -p $(@D) + $(XSLTPROC) --xinclude --stringparam latex.imagebasedir "$*/" --stringparam noreference 1 --output $@ xslt/expand-sambadoc.xsl $< + +$(DOCBOOKDIR)/manpages-4/%.xml: $(MANPAGEDIR4)/%.xml xslt/expand-sambadoc.xsl mkdir -p $(@D) $(XSLTPROC) --xinclude --stringparam latex.imagebasedir "$*/" --stringparam noreference 1 --output $@ xslt/expand-sambadoc.xsl $< @@ -229,7 +236,7 @@ $(TEXINFODIR)/%.info: $(TEXINFODIR)/%.texi $(MAKEINFO) --no-validate --force -o $@ "$<" # Manpages -$(MANPAGEDIR)/smb.conf.5.xml: $(SMBDOTCONFDOC)/parameters.all.xml $(SMBDOTCONFDOC)/parameters.service.xml $(SMBDOTCONFDOC)/parameters.global.xml +$(MANPAGEDIR3)/smb.conf.5.xml: $(SMBDOTCONFDOC)/parameters.all.xml $(SMBDOTCONFDOC)/parameters.service.xml $(SMBDOTCONFDOC)/parameters.global.xml $(SMBDOTCONFDOC)/parameters.all.xml: $(shell find $(SMBDOTCONFDOC) -type f -name '*.xml' -mindepth 2 | sort -t/ -k3 | xargs) $(SMBDOTCONFDOC)/generate-file-list.sh $(SMBDOTCONFDOC)/generate-file-list.sh $(SMBDOTCONFDOC) > $@ @@ -240,7 +247,7 @@ $(SMBDOTCONFDOC)/parameters.global.xml: $(SMBDOTCONFDOC)/parameters.all.xml $(SM $(SMBDOTCONFDOC)/parameters.service.xml: $(SMBDOTCONFDOC)/parameters.all.xml $(SMBDOTCONFDOC)/generate-context.xsl $(XSLTPROC) --xinclude --param smb.context "'S'" --output $(SMBDOTCONFDOC)/parameters.service.xml $(SMBDOTCONFDOC)/generate-context.xsl $< -$(MANDIR)/%: $(DOCBOOKDIR)/%.xml xslt/man.xsl +$(OUTPUTDIR)/%: $(DOCBOOKDIR)/%.xml xslt/man.xsl mkdir -p $(@D) $(XSLTPROC) --output $@ xslt/man.xsl $< diff --git a/docs/Makefile.settings.in b/docs/Makefile.settings.in index ece4de1585b..6c66f5e0564 100644 --- a/docs/Makefile.settings.in +++ b/docs/Makefile.settings.in @@ -28,9 +28,9 @@ OUTPUTDIR = output ARCHIVEDIR = archive TEXINFODIR = $(OUTPUTDIR)/texi SRCDIR = @SAMBASOURCEDIR@ -MANDIR = $(OUTPUTDIR)/manpages-3 EPSTOPDF = @EPSTOPDF@ -MANPAGEDIR = manpages-3 +MANPAGEDIR3 = manpages-3 +MANPAGEDIR4 = manpages-4 MAKEINDEX = @MAKEINDEX@ EXAMPLESDIR = $(OUTPUTDIR)/examples SMBDOTCONFDOC = smbdotconf diff --git a/docs/README b/docs/README index 06345b14d6e..589085b229d 100644 --- a/docs/README +++ b/docs/README @@ -6,6 +6,7 @@ !== Updates: Jelmer Vernooij, jelmer@samba.org, Aug, 2002 !== Updates: Jelmer Vernooij, jelmer@samba.org, Jun, 2003 !== Updates: Jelmer Vernooij, jelmer@samba.org, May, 2004 +!== Updates: Jelmer Vernooij, jelmer@samba.org, May, 2005 Quick start ----------- diff --git a/docs/Samba-Developers-Guide/CodingSuggestions.xml b/docs/Samba3-Developers-Guide/CodingSuggestions.xml similarity index 100% rename from docs/Samba-Developers-Guide/CodingSuggestions.xml rename to docs/Samba3-Developers-Guide/CodingSuggestions.xml diff --git a/docs/Samba-Developers-Guide/NetBIOS.xml b/docs/Samba3-Developers-Guide/NetBIOS.xml similarity index 100% rename from docs/Samba-Developers-Guide/NetBIOS.xml rename to docs/Samba3-Developers-Guide/NetBIOS.xml diff --git a/docs/Samba-Developers-Guide/Tracing.xml b/docs/Samba3-Developers-Guide/Tracing.xml similarity index 100% rename from docs/Samba-Developers-Guide/Tracing.xml rename to docs/Samba3-Developers-Guide/Tracing.xml diff --git a/docs/Samba-Developers-Guide/architecture.xml b/docs/Samba3-Developers-Guide/architecture.xml similarity index 100% rename from docs/Samba-Developers-Guide/architecture.xml rename to docs/Samba3-Developers-Guide/architecture.xml diff --git a/docs/Samba-Developers-Guide/cifsntdomain.xml b/docs/Samba3-Developers-Guide/cifsntdomain.xml similarity index 100% rename from docs/Samba-Developers-Guide/cifsntdomain.xml rename to docs/Samba3-Developers-Guide/cifsntdomain.xml diff --git a/docs/Samba-Developers-Guide/contributing.xml b/docs/Samba3-Developers-Guide/contributing.xml similarity index 100% rename from docs/Samba-Developers-Guide/contributing.xml rename to docs/Samba3-Developers-Guide/contributing.xml diff --git a/docs/Samba-Developers-Guide/debug.xml b/docs/Samba3-Developers-Guide/debug.xml similarity index 100% rename from docs/Samba-Developers-Guide/debug.xml rename to docs/Samba3-Developers-Guide/debug.xml diff --git a/docs/Samba-Developers-Guide/encryption.xml b/docs/Samba3-Developers-Guide/encryption.xml similarity index 100% rename from docs/Samba-Developers-Guide/encryption.xml rename to docs/Samba3-Developers-Guide/encryption.xml diff --git a/docs/Samba-Developers-Guide/gencache.xml b/docs/Samba3-Developers-Guide/gencache.xml similarity index 100% rename from docs/Samba-Developers-Guide/gencache.xml rename to docs/Samba3-Developers-Guide/gencache.xml diff --git a/docs/Samba-Developers-Guide/index.xml b/docs/Samba3-Developers-Guide/index.xml similarity index 100% rename from docs/Samba-Developers-Guide/index.xml rename to docs/Samba3-Developers-Guide/index.xml diff --git a/docs/Samba-Developers-Guide/internals.xml b/docs/Samba3-Developers-Guide/internals.xml similarity index 100% rename from docs/Samba-Developers-Guide/internals.xml rename to docs/Samba3-Developers-Guide/internals.xml diff --git a/docs/Samba-Developers-Guide/modules.xml b/docs/Samba3-Developers-Guide/modules.xml similarity index 100% rename from docs/Samba-Developers-Guide/modules.xml rename to docs/Samba3-Developers-Guide/modules.xml diff --git a/docs/Samba-Developers-Guide/packagers.xml b/docs/Samba3-Developers-Guide/packagers.xml similarity index 100% rename from docs/Samba-Developers-Guide/packagers.xml rename to docs/Samba3-Developers-Guide/packagers.xml diff --git a/docs/Samba-Developers-Guide/parsing.xml b/docs/Samba3-Developers-Guide/parsing.xml similarity index 100% rename from docs/Samba-Developers-Guide/parsing.xml rename to docs/Samba3-Developers-Guide/parsing.xml diff --git a/docs/Samba-Developers-Guide/printing.xml b/docs/Samba3-Developers-Guide/printing.xml similarity index 100% rename from docs/Samba-Developers-Guide/printing.xml rename to docs/Samba3-Developers-Guide/printing.xml diff --git a/docs/Samba-Developers-Guide/registry.dot b/docs/Samba3-Developers-Guide/registry.dot similarity index 100% rename from docs/Samba-Developers-Guide/registry.dot rename to docs/Samba3-Developers-Guide/registry.dot diff --git a/docs/Samba-Developers-Guide/registry.xml b/docs/Samba3-Developers-Guide/registry.xml similarity index 100% rename from docs/Samba-Developers-Guide/registry.xml rename to docs/Samba3-Developers-Guide/registry.xml diff --git a/docs/Samba-Developers-Guide/rpc_plugin.xml b/docs/Samba3-Developers-Guide/rpc_plugin.xml similarity index 100% rename from docs/Samba-Developers-Guide/rpc_plugin.xml rename to docs/Samba3-Developers-Guide/rpc_plugin.xml diff --git a/docs/Samba-Developers-Guide/unix-smb.xml b/docs/Samba3-Developers-Guide/unix-smb.xml similarity index 100% rename from docs/Samba-Developers-Guide/unix-smb.xml rename to docs/Samba3-Developers-Guide/unix-smb.xml diff --git a/docs/Samba-Developers-Guide/vfs.xml b/docs/Samba3-Developers-Guide/vfs.xml similarity index 100% rename from docs/Samba-Developers-Guide/vfs.xml rename to docs/Samba3-Developers-Guide/vfs.xml diff --git a/docs/Samba-Developers-Guide/windows-debug.xml b/docs/Samba3-Developers-Guide/windows-debug.xml similarity index 100% rename from docs/Samba-Developers-Guide/windows-debug.xml rename to docs/Samba3-Developers-Guide/windows-debug.xml diff --git a/docs/Samba-Developers-Guide/wins.xml b/docs/Samba3-Developers-Guide/wins.xml similarity index 100% rename from docs/Samba-Developers-Guide/wins.xml rename to docs/Samba3-Developers-Guide/wins.xml diff --git a/docs/Samba4-HOWTO/ad-dc.xml b/docs/Samba4-HOWTO/ad-dc.xml new file mode 100644 index 00000000000..cdfc358edc3 --- /dev/null +++ b/docs/Samba4-HOWTO/ad-dc.xml @@ -0,0 +1,4 @@ + + Active Directory - Domain Controller + + diff --git a/docs/Samba4-HOWTO/ad-member.xml b/docs/Samba4-HOWTO/ad-member.xml new file mode 100644 index 00000000000..b46d99be74d --- /dev/null +++ b/docs/Samba4-HOWTO/ad-member.xml @@ -0,0 +1,4 @@ + + Active Directory - Member + + diff --git a/docs/Samba4-HOWTO/auth.xml b/docs/Samba4-HOWTO/auth.xml new file mode 100644 index 00000000000..58b25f4035b --- /dev/null +++ b/docs/Samba4-HOWTO/auth.xml @@ -0,0 +1,4 @@ + + Authentication + + diff --git a/docs/Samba4-HOWTO/cifsfs.xml b/docs/Samba4-HOWTO/cifsfs.xml new file mode 100644 index 00000000000..190c3840d6c --- /dev/null +++ b/docs/Samba4-HOWTO/cifsfs.xml @@ -0,0 +1,4 @@ + + CIFSFS + + diff --git a/docs/Samba4-HOWTO/compiling.xml b/docs/Samba4-HOWTO/compiling.xml new file mode 100644 index 00000000000..048a0f4b8e5 --- /dev/null +++ b/docs/Samba4-HOWTO/compiling.xml @@ -0,0 +1,24 @@ + + Compiling + + + Downloading the source - Tar Ball + + + + + Downloading the source - Subversion + + + + + Compiling the source + + + + + Installing + + + + diff --git a/docs/Samba4-HOWTO/config.xml b/docs/Samba4-HOWTO/config.xml new file mode 100644 index 00000000000..e251c698abe --- /dev/null +++ b/docs/Samba4-HOWTO/config.xml @@ -0,0 +1,5 @@ + + Configuration + + Chapter describing Samba's configuration in detail. + diff --git a/docs/Samba4-HOWTO/domain-bdc.xml b/docs/Samba4-HOWTO/domain-bdc.xml new file mode 100644 index 00000000000..61c420fe7bf --- /dev/null +++ b/docs/Samba4-HOWTO/domain-bdc.xml @@ -0,0 +1,4 @@ + + Backup Domain Controller + + diff --git a/docs/Samba4-HOWTO/domain-member.xml b/docs/Samba4-HOWTO/domain-member.xml new file mode 100644 index 00000000000..8be3758792e --- /dev/null +++ b/docs/Samba4-HOWTO/domain-member.xml @@ -0,0 +1,2 @@ + + diff --git a/docs/Samba4-HOWTO/domain-pdc.xml b/docs/Samba4-HOWTO/domain-pdc.xml new file mode 100644 index 00000000000..b3fb6e6f7b4 --- /dev/null +++ b/docs/Samba4-HOWTO/domain-pdc.xml @@ -0,0 +1 @@ + diff --git a/docs/Samba4-HOWTO/history.xml b/docs/Samba4-HOWTO/history.xml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/docs/Samba4-HOWTO/index.xml b/docs/Samba4-HOWTO/index.xml new file mode 100644 index 00000000000..6562a7ed349 --- /dev/null +++ b/docs/Samba4-HOWTO/index.xml @@ -0,0 +1,137 @@ + + + + +The Official Samba-4 HOWTO + + + + &person.jelmer; + + + + + + + + + Attribution + + + + + + + + + + + + + Introduction to SMB networks + + Not everybody is already familiar with SMB networks and the jargon + used in such networks. This part describes the evolution of SMB, + how the protocol is structured and what Samba can be used for. + + NT admins, already familiar with SMB networks, are probably only + interested in the chapter about Samba itself. + + + + + + + + Samba 4 Basics + + FIXME + + + + + + + Network model + + + A SMB server is used in a certain network type + (workgroup, domain, active directory) with a specific + role (stand-alone, primary domain controller, backup domain controller, etc) in that network. Samba has to be configured according to that role. + Each of the chapters in this part describes how to configure Samba + for a specific role. + + + + + + Network Model: Share-based security + + + + + + Network Model: User-based security + + + + + Network Model: NT4-style domains + + + + + + + + + + Common services + + + Independent of the role the server has, it can provide services. + Examples of services are printing, user management, authentication, etc. + + + + + + + + + + Clients + + Samba includes a number of different clients for accessing + SMB file, print and other services. Pretty much every service can + be access using a command-line utility, though there are several + GUI clients available as well. + + + + + + + + Appendices + + + + + + + + + + + + + + + diff --git a/docs/Samba4-HOWTO/printing.xml b/docs/Samba4-HOWTO/printing.xml new file mode 100644 index 00000000000..5ffb2b76801 --- /dev/null +++ b/docs/Samba4-HOWTO/printing.xml @@ -0,0 +1,11 @@ + + Printing + + + + + Unix printing types + + + + diff --git a/docs/Samba4-HOWTO/protocol.xml b/docs/Samba4-HOWTO/protocol.xml new file mode 100644 index 00000000000..f2961116e0b --- /dev/null +++ b/docs/Samba4-HOWTO/protocol.xml @@ -0,0 +1,204 @@ + + The SMB/CIFS protocol + + + + + "SMB" (also known as "CIFS") is a + file-sharing protocol that has been used since the mid-eighties. + Most people know SMB as the protocol behind the "Network Neighbourhood" + and remote printing in Windows. + + + + Several parts of the protocol are not discussed in this chapter, such + as mailslots, browsing and dfs, to prevent it from getting too complex. + CIFS internals are documented in detail in Hertel, 2003. + + + + + History + + + Invention by IBM + + + SMB is not very old, but it has a long history of modifications and extensions. + The original protocol was meant to run over ``NetBIOS'', which was the + name of the DOS interface to a very simple LAN system developed by IBM. + NetBIOS was developed because SNA, IBM's other main + protocol at the time, was much too advanced for use in DOS. + + + + The NetBIOS API in these days (early eighties) was nothing more then the + interface to a very simple link-layer protocol + over which several protocols, including SMB, were used. It could do reads and + writes to services on remote hosts, which were identified by case-insensitive + names, and discover all available hosts and services. + + + + Dr. Barry Feigenbau, an IBM employee, invented the core of the original SMB protocol, + which he initially named after himself: ``BAF''. He later changed the name to + be ``SMB'' (for ``Server Message Block''). Every packet in the protocol + starts with a byte $0xFF$ and these three letters. + + + + IBM, Microsoft, 3Com and Intel made up the rest of the initial protocol + together. The commands the protocol supported at this stage were basically + a mirror of the DOS File IO API calls, which meant the protocol wasn't very + efficient. The protocol also lacked authentication support. Everybody on the + network could do reads and writes, which meant this protocol + wasn't very suitable for large enterprises. + + + + NetBIOS is an API that has had various implementations; there is + NetBIOS over TCP/IP (NBT), NetBIOS over IPX, NetBIOS over SNA and + even NetBIOS over DECNEt. Mostly used these days is + NetBIOS over TCP (NBT). + + + + This is also were things are starting to get hairy. Since NetBIOS identifies + hosts by their name, NetBIOS clients had to start doing IP broadcasts to + figure out the IP of the host they had to connect to. Several schemes were + introduced to do name lookups crossing subnet boundaries, using name servers, + etc. We're basically emulating a NetBIOS LAN in order to be able to run SMB. + + + + Doing NetBIOS over IP is not very sane, however, the NBT implementation itself + in Windows isn't very nice either. It has horrible + limits, special exceptions, several broken schemes for looking up + names (including two kinds of name servers). NetBIOS and NetBIOS over TCP/IP + are described in RFC1001 and RFC1002. + + + + + The various incarnations of SMB + + Over the years, several usage models for SMB have been developed. While SMB originally started out as a file sharing protocol, it was later extended to include support for network management and other network services + as well. + + + One of the reasons for the various "upgrades" of the SMB + protocol is the fact that networks have become larger + and larger and with them the need for privilege separation + and scalability has increased. + + + + DOS + + + The original model in which SMB was used was as a + simple file-sharing service in a NetBIOS-environment. + + + + File sharing worked basically by specifying a list of directories that had + to be shared and what name they had to be shared under ("shares"). Eventually, + one could password-protect a share. At most one password per share could be set. + + + + + Windows For Workgroups + + + After the ``CORE'' dialect, + IBM and Microsoft implemented a new dialect known as ``LANMAN''. + This dialect was used by Windows for + Workgroups, OS/2 and Windows 9x which all know it under a different name. A + 'virtual' file system was also added, which was used for doing remote function + calls (RAP, for ``Remote Administration Protocol''). + + + + Computers are grouped into "Workgroups" in this model. Everybody is equal to + the others and there is no central point of control. + + + + + Windows NT + + For Windows NT, yet another dialect was added, named 'NT'. The NT dialect + had it's own set of file I/O functions (similar to the NT File I/O API) + and it had support for yet another way of doing remote function calls: + DCE/RPC. RPC's are used for DCOM and several of the subsystems in NT + that can be accessed remotely (registry, printing, user management, logging + on, etc). + + + + Windows NT works with a new concept for grouping computers called ``domains''In the protocol, domains are actually an upgraded version of a workgroup. Each computer is member of exactly one domain. There are several roles a computer can have in the domain: PDC (primary domain controller, the "manager" of the domain, that coordinates all authentication and authorization), BDC (Backup domain controller, in case the PDC goes down) or just a regular domain member. The PDC decides who is to be a member of the domain. + + + + + Windows 2000 + + In Windows NT 5 (marketing name: Windows 2000), NetBIOS-less SMB was + introduced. This means SMB is used directly over TCP port 445 instead of + via NetBIOS over TCP/IP. DNS + is used for looking up machine names. + + + Windows 2000 was also the first operating system from Microsoft + that had support for Active Directory. Active Directory is very + similar to the "domain" concept used by NT4, though it + is implemented differently (using modified open protocols), + and has some additional features (one of the most important ones being decentralized). + + + + Active directory no longer uses a central point of authority + and there are fewer limits to the size of a domain. Several + DC's can exist, so there is no longer a single point of + failure as well as better scalability. + + + + + + Samba versions and their support for the SMB models + + + Samba 2.2 + + Full CORE and Workgroup support. Somewhat basic + NT4-style support. + + + + Samba 3.0 + + Full CORE and Workgroup support. Almost complete + NT4-style support. + + + + + Samba 3.2 + + FIXME + + + + Samba 4.0 + + Full CORE, Workgroup, NT4 and ADS support. + + + + + diff --git a/docs/Samba4-HOWTO/registry.xml b/docs/Samba4-HOWTO/registry.xml new file mode 100644 index 00000000000..2ef11d34578 --- /dev/null +++ b/docs/Samba4-HOWTO/registry.xml @@ -0,0 +1,4 @@ + + Registry + + diff --git a/docs/Samba4-HOWTO/samba.xml b/docs/Samba4-HOWTO/samba.xml new file mode 100644 index 00000000000..8fed58559a6 --- /dev/null +++ b/docs/Samba4-HOWTO/samba.xml @@ -0,0 +1,48 @@ + + Samba + + + Samba is an Open Source application that provides + an SMB implementation for POSIX-compatible + operating systems. + + + + Providing support for a Windows-based file-sharing protocol + on POSIX servers sometimes requires mapping Windows semantics to + POSIX semantics. + + + + Samba has always been catching up with Microsoft. Here is a list + of Samba releases and what they support (or will support). + + + + Samba 2.2 + + Full CORE and Workgroup support. Somewhat basic + NT4-style support. + + + + Samba 3.0 + + Full CORE and Workgroup support. Almost complete + NT4-style support. + + + + + Samba 3.2 + + FIXME + + + + Samba 4.0 + + Full CORE, Workgroup, NT4 and ADS support. + + + diff --git a/docs/Samba4-HOWTO/security=share.xml b/docs/Samba4-HOWTO/security=share.xml new file mode 100644 index 00000000000..1731bc08622 --- /dev/null +++ b/docs/Samba4-HOWTO/security=share.xml @@ -0,0 +1,8 @@ + + Share-based stand-alone server + + + One of the simplest + + + diff --git a/docs/Samba4-HOWTO/security=user.xml b/docs/Samba4-HOWTO/security=user.xml new file mode 100644 index 00000000000..1713c99c7cb --- /dev/null +++ b/docs/Samba4-HOWTO/security=user.xml @@ -0,0 +1,6 @@ + + User-based Stand-alone server + + + + diff --git a/docs/Samba4-HOWTO/smbclient.xml b/docs/Samba4-HOWTO/smbclient.xml new file mode 100644 index 00000000000..1f97ce62656 --- /dev/null +++ b/docs/Samba4-HOWTO/smbclient.xml @@ -0,0 +1,4 @@ + + smbclient + + diff --git a/docs/configure.in b/docs/configure.in index 884be787c67..9012a01a7f6 100644 --- a/docs/configure.in +++ b/docs/configure.in @@ -83,7 +83,7 @@ DOCS_DEFINE_TARGET(PS, LATEX, [PostScript versions], [ps]) DOCS_DEFINE_TARGET(HTML, ALL, [HTML versions], [html]) DOCS_DEFINE_TARGET(HTMLHELP, ALL, [HTML Help versions], [htmlhelp]) DOCS_DEFINE_TARGET(HTMLMAN, ALL, [HTML versions of the manpages], [htmlman]) -DOCS_DEFINE_TARGET(MANPAGES, ALL, [manpages], [manpages]) +DOCS_DEFINE_TARGET(MANPAGES, ALL, [manpages], [manpages3 manpages4]) DOCS_DEFINE_TARGET(PEARSON, ALL, [pearson-compatible XML], [pearson]) DOCS_DEFINE_TARGET(PLUCKER, HTML, [plucker versions], [plucker]) DOCS_DEFINE_TARGET(VALIDATE, ALL, [validating docbook output], []) diff --git a/docs/manpages-3/smb.conf.5.xml b/docs/manpages-3/smb.conf.5.xml dissimilarity index 93% index ad9e3fbe97d..ba010de3174 100644 --- a/docs/manpages-3/smb.conf.5.xml +++ b/docs/manpages-3/smb.conf.5.xml @@ -1,656 +1,7812 @@ - - - - smb.conf - 5 - - - - - smb.conf - The configuration file for the Samba suite - - - - SYNOPSIS - - The smb.conf file is a configuration - file for the Samba suite. smb.conf contains - runtime configuration information for the Samba programs. The smb.conf file - is designed to be configured and administered by the swat - 8 program. The complete - description of the file format and possible parameters held within - are here for reference purposes. - - - FILE FORMAT - - The file consists of sections and parameters. A section - begins with the name of the section in square brackets and continues - until the next section begins. Sections contain parameters of the - form - - name = value - - - The file is line-based - that is, each newline-terminated - line represents either a comment, a section name or a parameter. - - Section and parameter names are not case sensitive. - - Only the first equals sign in a parameter is significant. - Whitespace before or after the first equals sign is discarded. - Leading, trailing and internal whitespace in section and parameter - names is irrelevant. Leading and trailing whitespace in a parameter - value is discarded. Internal whitespace within a parameter value - is retained verbatim. - - Any line beginning with a semicolon (;) or a hash (#) - character is ignored, as are lines containing only whitespace. - - Any line ending in a \ is continued - on the next line in the customary UNIX fashion. - - The values following the equals sign in parameters are all - either a string (no quotes needed) or a boolean, which may be given - as yes/no, 0/1 or true/false. Case is not significant in boolean - values, but is preserved in string values. Some items such as - create modes are numeric. - - - - SECTION DESCRIPTIONS - - Each section in the configuration file (except for the - [global] section) describes a shared resource (known - as a share). The section name is the name of the - shared resource and the parameters within the section define - the shares attributes. - - There are three special sections, [global], - [homes] and [printers], which are - described under special sections. The - following notes apply to ordinary section descriptions. - - A share consists of a directory to which access is being - given plus a description of the access rights which are granted - to the user of the service. Some housekeeping options are - also specifiable. - - Sections are either file share services (used by the - client as an extension of their native file systems) or - printable services (used by the client to access print services - on the host running the server). - - Sections may be designated guest services, - in which case no password is required to access them. A specified - UNIX guest account is used to define access - privileges in this case. - - Sections other than guest services will require a password - to access them. The client provides the username. As older clients - only provide passwords and not usernames, you may specify a list - of usernames to check against the password using the user = - option in the share definition. For modern clients such as - Windows 95/98/ME/NT/2000, this should not be necessary. - - The access rights granted by the server are - masked by the access rights granted to the specified or guest - UNIX user by the host system. The server does not grant more - access than the host system grants. - - The following sample section defines a file space share. - The user has write access to the path /home/bar. - The share is accessed via the share name foo: - - - - /home/bar - read only = no - - - The following sample section defines a printable share. - The share is read-only, but printable. That is, the only write - access permitted is via calls to open, write to and close a - spool file. The guest ok parameter means - access will be permitted as the default guest user (specified - elsewhere): - - - - /usr/spool/public - yes - yes - yes - - - - - SPECIAL SECTIONS - - - The [global] section - - Parameters in this section apply to the server - as a whole, or are defaults for sections that do not - specifically define certain items. See the notes - under PARAMETERS for more information. - - - - The [homes] section - - If a section called [homes] is included in the - configuration file, services connecting clients to their - home directories can be created on the fly by the server. - - When the connection request is made, the existing - sections are scanned. If a match is found, it is used. If no - match is found, the requested section name is treated as a - username and looked up in the local password file. If the - name exists and the correct password has been given, a share is - created by cloning the [homes] section. - - Some modifications are then made to the newly - created share: - - - The share name is changed from homes to - the located username. - - If no path was given, the path is set to - the user's home directory. - - - If you decide to use a path = line - in your [homes] section, you may find it useful - to use the %S macro. For example : - - path = /data/pchome/%S - - is useful if you have different home directories - for your PCs than for UNIX access. - - This is a fast and simple way to give a large number - of clients access to their home directories with a minimum - of fuss. - - A similar process occurs if the requested section - name is homes, except that the share name is not - changed to that of the requesting user. This method of using - the [homes] section works well if different users share - a client PC. - - The [homes] section can specify all the parameters - a normal service section can specify, though some make more sense - than others. The following is a typical and suitable [homes] - section: - - - - no - - - An important point is that if guest access is specified - in the [homes] section, all home directories will be - visible to all clients without a password. - In the very unlikely event that this is actually desirable, it - is wise to also specify read only access. - - The browseable flag for - auto home directories will be inherited from the global browseable - flag, not the [homes] browseable flag. This is useful as - it means setting browseable = no in - the [homes] section will hide the [homes] share but make - any auto home directories visible. - - - - The [printers] section - - This section works like [homes], - but for printers. - - If a [printers] section occurs in the - configuration file, users are able to connect to any printer - specified in the local host's printcap file. - - When a connection request is made, the existing sections - are scanned. If a match is found, it is used. If no match is found, - but a [homes] section exists, it is used as described - above. Otherwise, the requested section name is treated as a - printer name and the appropriate printcap file is scanned to see - if the requested section name is a valid printer share name. If - a match is found, a new printer share is created by cloning - the [printers] section. - - A few modifications are then made to the newly created - share: - - - The share name is set to the located printer - name - - If no printer name was given, the printer name - is set to the located printer name - - If the share does not permit guest access and - no username was given, the username is set to the located - printer name. - - - The [printers] service MUST be - printable - if you specify otherwise, the server will refuse - to load the configuration file. - - Typically the path specified is that of a - world-writeable spool directory with the sticky bit set on - it. A typical [printers] entry looks like - this: - - - - /usr/spool/public - yes - yes - - - All aliases given for a printer in the printcap file - are legitimate printer names as far as the server is concerned. - If your printing subsystem doesn't work like that, you will have - to set up a pseudo-printcap. This is a file consisting of one or - more lines like this: - - -alias|alias|alias|alias... - - - Each alias should be an acceptable printer name for - your printing subsystem. In the [global] section, specify - the new file as your printcap. The server will only recognize - names found in your pseudo-printcap, which of course can contain - whatever aliases you like. The same technique could be used - simply to limit access to a subset of your local printers. - - An alias, by the way, is defined as any component of the - first entry of a printcap record. Records are separated by newlines, - components (if there are more than one) are separated by vertical - bar symbols (|). - - On SYSV systems which use lpstat to determine what - printers are defined on the system you may be able to use - printcap name = lpstat to automatically obtain a list - of printers. See the printcap name option - for more details. - - - - - PARAMETERS - - Parameters define the specific attributes of sections. - - Some parameters are specific to the [global] section - (e.g., security). Some parameters are usable - in all sections (e.g., create mode). All others - are permissible only in normal sections. For the purposes of the - following descriptions the [homes] and [printers] - sections will be considered normal. The letter G - in parentheses indicates that a parameter is specific to the - [global] section. The letter S - indicates that a parameter can be specified in a service specific - section. All S parameters can also be specified in - the [global] section - in which case they will define - the default behavior for all services. - - Parameters are arranged here in alphabetical order - this may - not create best bedfellows, but at least you can find them! Where - there are synonyms, the preferred synonym is described, others refer - to the preferred synonym. - - - - VARIABLE SUBSTITUTIONS - - Many of the strings that are settable in the config file - can take substitutions. For example the option path = - /tmp/%u is interpreted as path = - /tmp/john if the user connected with the username john. - - These substitutions are mostly noted in the descriptions below, - but there are some general substitutions which apply whenever they - might be relevant. These are: - - - - %U - session username (the username that the client - wanted, not necessarily the same as the one they got). - - - - %G - primary group name of %U. - - - - %h - the Internet hostname that Samba is running - on. - - - - %m - the NetBIOS name of the client machine - (very useful). - - - - %L - the NetBIOS name of the server. This allows you - to change your config based on what the client calls you. Your - server can have a dual personality. - - This parameter is not available when Samba listens - on port 445, as clients no longer send this information. - - - - - - %M - the Internet name of the client machine. - - - - - %R - the selected protocol level after - protocol negotiation. It can be one of CORE, COREPLUS, - LANMAN1, LANMAN2 or NT1. - - - - %d - the process id of the current server - process. - - - - %a - the architecture of the remote - machine. It currently recognizes Samba (Samba), - the Linux CIFS file system (CIFSFS), OS/2, (OS2), - Windows for Workgroups (WfWg), Windows 9x/ME - (Win95), Windows NT (WinNT), - Windows 2000 (Win2K), Windows XP (WinXP), - and Windows 2003 (Win2K3). Anything else will be known as - UNKNOWN. - - - - - %I - the IP address of the client machine. - - - - - %i - the local IP address to which a client connected. - - - - - %T - the current date and time. - - - - %D - name of the domain or workgroup of the current user. - - - - %$(envvar) - the value of the environment variable - envar. - - - - The following substitutes apply only to some configuration options (only those - that are used when a connection has been established): - - - - %S - the name of the current service, if any. - - - - - %P - the root directory of the current service, - if any. - - - - %u - username of the current service, if any. - - - - - %g - primary group name of %u. - - - - %H - the home directory of the user given - by %u. - - - - %N - the name of your NIS home directory server. - This is obtained from your NIS auto.map entry. If you have - not compiled Samba with the --with-automount - option, this value will be the same as %L. - - - - - %p - the path of the service's home directory, - obtained from your NIS auto.map entry. The NIS auto.map entry - is split up as %N:%p. - - - - There are some quite creative things that can be done - with these substitutions and other smb.conf options. - - - - NAME MANGLING - - Samba supports name mangling so that DOS and - Windows clients can use files that don't conform to the 8.3 format. - It can also be set to adjust the case of 8.3 format filenames. - - There are several options that control the way mangling is - performed, and they are grouped here rather than listed separately. - For the defaults look at the output of the testparm program. - - All of these options can be set separately for each service - (or globally, of course). - - The options are: - - - - - case sensitive = yes/no/auto - controls whether filenames are case sensitive. If - they aren't, Samba must do a filename search and match on passed - names. The default setting of auto allows clients that support case - sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently) - to tell the Samba server on a per-packet basis that they wish to access - the file system in a case-sensitive manner (to support UNIX case sensitive - semantics). No Windows or DOS system supports case-sensitive filename so - setting this option to auto is that same as setting it to no for them. - Default auto. - - - - default case = upper/lower - controls what the default case is for new - filenames. Default lower. - - - - preserve case = yes/no - controls whether new files are created with the - case that the client passes, or if they are forced to be the - default case. Default yes. - - - - - short preserve case = yes/no - controls if new files which conform to 8.3 syntax, - that is all in upper case and of suitable length, are created - upper case, or if they are forced to be the default - case. This option can be used with preserve case = yes - to permit long filenames to retain their case, while short names - are lowercased. Default yes. - - - - By default, Samba 3.0 has the same semantics as a Windows - NT server, in that it is case insensitive but case preserving. - - - - - NOTE ABOUT USERNAME/PASSWORD VALIDATION - - There are a number of ways in which a user can connect - to a service. The server uses the following steps in determining - if it will allow a connection to a specified service. If all the - steps fail, the connection request is rejected. However, if one of the - steps succeeds, the following steps are not checked. - - If the service is marked guest only = yes and the - server is running with share-level security (security = share, - steps 1 to 5 are skipped. - - - - If the client has passed a username/password - pair and that username/password pair is validated by the UNIX - system's password programs, the connection is made as that - username. This includes the - \\server\service%username method of passing - a username. - - If the client has previously registered a username - with the system and now supplies a correct password for that - username, the connection is allowed. - - The client's NetBIOS name and any previously - used usernames are checked against the supplied password. If - they match, the connection is allowed as the corresponding - user. - - If the client has previously validated a - username/password pair with the server and the client has passed - the validation token, that username is used. - - If a user = field is given in the - smb.conf file for the service and the client - has supplied a password, and that password matches (according to - the UNIX system's password checking) with one of the usernames - from the user = field, the connection is made as - the username in the user = line. If one - of the usernames in the user = list begins with a - @, that name expands to a list of names in - the group of the same name. - - If the service is a guest service, a - connection is made as the username given in the guest - account = for the service, irrespective of the - supplied password. - - - - - - EXPLANATION OF EACH PARAMETER - - - - - - - WARNINGS - - Although the configuration file permits service names - to contain spaces, your client software may not. Spaces will - be ignored in comparisons anyway, so it shouldn't be a - problem - but be aware of the possibility. - - On a similar note, many clients - especially DOS clients - - limit service names to eight characters. smbd - 8 has no such limitation, but attempts to connect from such - clients will fail if they truncate the service names. For this reason - you should probably keep your service names down to eight characters - in length. - - Use of the [homes] and [printers] special sections make life - for an administrator easy, but the various combinations of default - attributes can be tricky. Take extreme care when designing these - sections. In particular, ensure that the permissions on spool - directories are correct. - - - - VERSION - - This man page is correct for version 3.0 of the Samba suite. - - - - SEE ALSO - - samba - 7, smbpasswd - 8, swat - 8, smbd - 8, nmbd - 8, smbclient - 1, nmblookup - 1, testparm - 1, testprns - 1. - - - - AUTHOR - - The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed. - - The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 - for Samba 3.0 was done by Alexander Bokovoy. - - - + + + + +abort shutdown scriptabort shutdown script (G) + This a full path name to a script called by smbd + 8 that + should stop a shutdown procedure issued by the + shutdown script. + + If the connected user posseses the SeRemoteShutdownPrivilege, + right, this command will be run as user. + +Default: abort shutdown script = + + +Example: abort shutdown script = /sbin/shutdown -c + + + + +acl compatibilityacl compatibility (S) + This parameter specifies what OS ACL semantics should + be compatible with. Possible values are winnt for Windows NT 4, + win2k for Windows 2000 and above and auto. + If you specify auto, the value for this parameter + will be based upon the version of the client. There should + be no reason to change this parameter from the default. + +Default: acl compatibility = Auto + + +Example: acl compatibility = win2k + + + + +add group scriptadd group script (G) + This is the full pathname to a script that will be run + AS ROOT by + smbd8 + when a new group is requested. It will expand any %g to the group name passed. This + script is only useful for installations using the Windows NT + domain administration tools. The script is free to create a + group with an arbitrary name to circumvent unix group name + restrictions. In that case the script must print the numeric gid + of the created group on stdout. + +No default + + + +add machine scriptadd machine script (G) + This is the full pathname to a script that will be run by + smbd + 8 when a machine is added + to it's domain using the administrator username and password + method. + + This option is only required when using sam back-ends tied + to the Unix uid method of RID calculation such as smbpasswd. + This option is only available in Samba 3.0. + +Default: add machine script = + + +Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u + + + + +addprinter commandaddprinter command (G) + With the introduction of MS-RPC based printing + support for Windows NT/2000 clients in Samba 2.2, The MS Add + Printer Wizard (APW) icon is now also available in the + "Printers..." folder displayed a share listing. The APW + allows for printers to be add remotely to a Samba or Windows + NT/2000 print server. + + For a Samba host this means that the printer must be + physically added to the underlying printing system. The add + printer command defines a script to be run which + will perform the necessary operations for adding the printer + to the print system and to add the appropriate service definition + to the smb.conf file in order that it can be + shared by smbd + 8. + + The addprinter command is + automatically invoked with the following parameter (in + order): + + + printer name + share name + port name + driver name + location + Windows 9x driver location + + + All parameters are filled in from the PRINTER_INFO_2 structure sent + by the Windows NT/2000 client with one exception. The "Windows 9x + driver location" parameter is included for backwards compatibility + only. The remaining fields in the structure are generated from answers + to the APW questions. + + Once the addprinter command has + been executed, smbd will reparse the + smb.conf to determine if the share defined by the APW + exists. If the sharename is still invalid, then smbd + will return an ACCESS_DENIED error to the client. + + + The "add printer command" program can output a single line of text, + which Samba will set as the port the new printer is connected to. + If this line isn't output, Samba won't reload its printer shares. + + + +Default: addprinter command = + + +Example: addprinter command = /usr/bin/addprinter + + + + +add share commandadd share command (G) + Samba 2.2.0 introduced the ability to dynamically + add and delete shares via the Windows NT 4.0 Server Manager. The + add share command is used to define an + external program or script which will add a new service definition + to smb.conf. In order to successfully + execute the add share command, smbd + requires that the administrator be connected using a root account (i.e. + uid == 0). + + + + When executed, smbd will automatically invoke the + add share command with four parameters. + + + + + configFile - the location + of the global smb.conf file. + + + + + shareName - the name of the new + share. + + + + + pathName - path to an **existing** + directory on disk. + + + + + comment - comment string to associate + with the new share. + + + + + + This parameter is only used for add file shares. To add printer shares, + see the addprinter + command. + + +Default: add share command = + + +Example: add share command = /usr/local/bin/addshare + + + + +add user scriptadd user script (G) + This is the full pathname to a script that will + be run AS ROOT by smbd + 8 under special circumstances described below. + + Normally, a Samba server requires that UNIX users are + created for all users accessing files on this server. For sites + that use Windows NT account databases as their primary user database + creating these users and keeping the user list in sync with the + Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users + ON DEMAND when a user accesses the Samba server. + + In order to use this option, smbd + 8 must NOT be set to security = share + and add user script + must be set to a full pathname for a script that will create a UNIX + user given one argument of %u, which expands into + the UNIX user name to create. + + When the Windows user attempts to access the Samba server, + at login (session setup in the SMB protocol) time, smbd + 8 contacts the password server and + attempts to authenticate the given user with the given password. If the + authentication succeeds then smbd + attempts to find a UNIX user in the UNIX password database to map the + Windows user into. If this lookup fails, and add user script + is set then smbd will + call the specified script AS ROOT, expanding + any %u argument to be the user name to create. + + If this script successfully creates the user then smbd + will continue on as though the UNIX user + already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts. + + See also + security, + password server, + delete user + script. + +Default: add user script = + + +Example: add user script = /usr/local/samba/bin/add_user %u + + + + +add user to group scriptadd user to group script (G) + Full path to the script that will be called when + a user is added to a group using the Windows NT domain administration + tools. It will be run by smbd + 8 AS ROOT. + Any %g will be replaced with the group name and + any %u will be replaced with the user name. + + + Note that the adduser command used in the example below does + not support the used syntax on all systems. + + +Default: add user to group script = + + +Example: add user to group script = /usr/sbin/adduser %u %g + + + + +admin usersadmin users (S) + This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root). + + You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions. + + This parameter will not work with the + security = share in + Samba 3.0. This is by design. + + +Default: admin users = + + +Example: admin users = jason + + + + +afs shareafs share (S) + This parameter controls whether special AFS features are enabled + for this share. If enabled, it assumes that the directory exported via + the path parameter is a local AFS import. The + special AFS features include the attempt to hand-craft an AFS token + if you enabled --with-fake-kaserver in configure. + + +Default: afs share = no + + + + + +afs username mapafs username map (G) + If you are using the fake kaserver AFS feature, you might + want to hand-craft the usernames you are creating tokens for. + For example this is necessary if you have users from several domain + in your AFS Protection Database. One possible scheme to code users + as DOMAIN+User as it is done by winbind with the + as a separator. + + + The mapped user name must contain the cell name to log into, + so without setting this parameter there will be no token. + +Default: afs username map = + + +Example: afs username map = %u@afs.samba.org + + + + +algorithmic rid basealgorithmic rid base (G) + This determines how Samba will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers. + + + Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with sytem users etc. + + + All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitary-rid supporting backends. + + +Default: algorithmic rid base = 1000 + + +Example: algorithmic rid base = 100000 + + + + +allocation roundup sizeallocation roundup size (S) + This parameter allows an administrator to tune the + allocation size reported to Windows clients. The default + size of 1Mb generally results in improved Windows client + performance. However, rounding the allocation size may cause + difficulties for some applications, e.g. MS Visual Studio. + If the MS Visual Studio compiler starts to crash with an + internal error, set this parameter to zero for this share. + + + The integer parameter specifies the roundup size in bytes. + +Default: allocation roundup size = 1048576 + + +Example: allocation roundup size = 0 +# (to disable roundups) + + + + +allow trusted domainsallow trusted domains (G) + This option only takes effect when the + security option is set to + server or domain. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication. + + This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult. + +Default: allow trusted domains = yes + + + + + +announce asannounce as (G) + This specifies what type of server nmbd + 8 will announce itself as, to a network neighborhood browse + list. By default this is set to Windows NT. The valid options + are : "NT Server" (which can also be written as "NT"), + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + Windows NT Workstation, Windows 95 and Windows for Workgroups + respectively. Do not change this parameter unless you have a + specific need to stop Samba appearing as an NT server as this + may prevent Samba servers from participating as browser servers + correctly. + +Default: announce as = NT Server + + +Example: announce as = Win95 + + + + +announce versionannounce version (G) + This specifies the major and minor version numbers + that nmbd will use when announcing itself as a server. The default + is 4.9. Do not change this parameter unless you have a specific + need to set a Samba server to be a downlevel server. + +Default: announce version = 4.9 + + +Example: announce version = 2.0 + + + + +auth methodsauth methods (G) + This option allows the administrator to chose what + authentication methods smbd will use when authenticating + a user. This option defaults to sensible values based on + security. This should be considered + a developer option and used only in rare circumstances. In the majority (if not all) + of production servers, the default setting should be adequate. + + Each entry in the list attempts to authenticate the user in turn, until + the user authenticates. In practice only one method will ever actually + be able to complete the authentication. + + + Possible options include guest (anonymous access), + sam (lookups in local list of accounts based on netbios + name or domain name), winbind (relay authentication requests + for remote users through winbindd), ntdomain (pre-winbindd + method of authentication for remote domain users; deprecated in favour of winbind method), + trustdomain (authenticate trusted users by contacting the + remote DC directly from smbd; deprecated in favour of winbind method). + +Default: auth methods = + + +Example: auth methods = guest sam winbind + + + + +availableavailable (S) + This parameter lets you "turn off" a service. If + available = no, then ALL + attempts to connect to the service will fail. Such failures are + logged. + + +Default: available = yes + + + + + +bind interfaces onlybind interfaces only (G) + This global parameter allows the Samba admin + to limit what interfaces on a machine will serve SMB requests. It + affects file service smbd + 8 and name service nmbd + 8 in a slightly different ways. + + For name service it causes nmbd to bind + to ports 137 and 138 on the interfaces listed in + the interfaces parameter. nmbd also + binds to the "all addresses" interface (0.0.0.0) + on ports 137 and 138 for the purposes of reading broadcast messages. + If this option is not set then nmbd will service + name requests on all of these sockets. If bind interfaces + only is set then nmbd will check the + source address of any packets coming in on the broadcast sockets + and discard any that don't match the broadcast addresses of the + interfaces in the interfaces parameter list. + As unicast packets are received on the other sockets it allows + nmbd to refuse to serve names to machines that + send packets that arrive through any interfaces not listed in the + interfaces list. IP Source address spoofing + does defeat this simple check, however, so it must not be used + seriously as a security feature for nmbd. + + For file service it causes smbd + 8 to bind only to the interface list + given in the interfaces parameter. This + restricts the networks that smbd will serve + to packets coming in those interfaces. Note that you should not use this parameter + for machines that are serving PPP or other intermittent or non-broadcast network + interfaces as it will not cope with non-permanent interfaces. + + If bind interfaces only is set then + unless the network address 127.0.0.1 is added + to the interfaces parameter + list smbpasswd + 8 and swat + 8 may not work as expected due + to the reasons covered below. + + To change a users SMB password, the smbpasswd + by default connects to the localhost - 127.0.0.1 + address as an SMB client to issue the password change request. If + bind interfaces only is set then unless the + network address 127.0.0.1 is added to the + interfaces parameter list then + smbpasswd will fail to connect in it's default mode. + smbpasswd can be forced to use the primary IP interface + of the local host by using its smbpasswd + 8 -r remote machine + parameter, with remote machine set + to the IP name of the primary interface of the local host. + + The swat status page tries to connect with + smbd and nmbd at the address + 127.0.0.1 to determine if they are running. + Not adding 127.0.0.1 will cause + smbd and nmbd to always show + "not running" even if they really are. This can prevent + swat from starting/stopping/restarting smbd + and nmbd. + + +Default: bind interfaces only = no + + + + + +blocking locksblocking locks (S) + This parameter controls the behavior + of smbd + 8 when given a request by a client + to obtain a byte range lock on a region of an open file, and the + request has a time limit associated with it. + + If this parameter is set and the lock range requested + cannot be immediately satisfied, samba will internally + queue the lock request, and periodically attempt to obtain + the lock until the timeout period expires. + + If this parameter is set to no, then + samba will behave as previous versions of Samba would and + will fail the lock request immediately if the lock range + cannot be obtained. + + +Default: blocking locks = yes + + + + + +block sizeblock size (S) + This parameter controls the behavior of smbd + 8 when reporting disk free + sizes. By default, this reports a disk block size of 1024 bytes. + + + Changing this parameter may have some effect on the + efficiency of client writes, this is not yet confirmed. This + parameter was added to allow advanced administrators to change + it (usually to a higher value) and test the effect it has on + client write performance without re-compiling the code. As this + is an experimental option it may be removed in a future release. + + + Changing this option does not change the disk free reporting + size, just the block size unit reported to the client. + + +No default + + + +browsablebrowseablebrowsableThis parameter is a synonym for browseable. +browseablebrowseable (S) + This controls whether this share is seen in + the list of available shares in a net view and in the browse list. + + +Default: browseable = yes + + + + + +browse listbrowse list (G) + This controls whether smbd + 8 will serve a browse list to + a client doing a NetServerEnum call. Normally + set to yes. You should never need to change + this. + + +Default: browse list = yes + + + + + +casesignamescase sensitivecasesignamesThis parameter is a synonym for case sensitive. +case sensitivecase sensitive (S) + See the discussion in the section NAME MANGLING. + +Default: case sensitive = no + + + + + +change notify timeoutchange notify timeout (G) + This SMB allows a client to tell a server to + "watch" a particular directory for any changes and only reply to + the SMB request when a change has occurred. Such constant scanning of + a directory is expensive under UNIX, hence an smbd + 8 daemon only performs such a scan + on each requested directory once every change notify + timeout seconds. + +Default: change notify timeout = 60 + + +Example: change notify timeout = 300 +# Would change the scan time to every 5 minutes. + + + + +change share commandchange share command (G) + Samba 2.2.0 introduced the ability to dynamically + add and delete shares via the Windows NT 4.0 Server Manager. The + change share command is used to define an + external program or script which will modify an existing service definition + in smb.conf. In order to successfully + execute the change share command, smbd + requires that the administrator be connected using a root account (i.e. + uid == 0). + + + + When executed, smbd will automatically invoke the + change share command with four parameters. + + + + + configFile - the location + of the global smb.conf file. + + + + + shareName - the name of the new + share. + + + + + pathName - path to an **existing** + directory on disk. + + + + + comment - comment string to associate + with the new share. + + + + + + This parameter is only used modify existing file shares definitions. To modify + printer shares, use the "Printers..." folder as seen when browsing the Samba host. + + +Default: change share command = + + +Example: change share command = /usr/local/bin/addshare + + + + +check password scriptcheck password script (G) + The name of a program that can be used to check password + complexity. The password is sent to the program's standrad input. + + The program must return 0 on good password any other value otherwise. + In case the password is considered weak (the program do not return 0) the + user will be notified and the password change will fail. + + Note: In the example directory there is a sample program called crackcheck + that uses cracklib to checkpassword quality. + + +Default: check password script = Disabled + + +Example: check password script = check password script = /usr/local/sbin/crackcheck + + + + +client lanman authclient lanman auth (G) + This parameter determines whether or not smbclient + 8 and other samba client + tools will attempt to authenticate itself to servers using the + weaker LANMAN password hash. If disabled, only server which support NT + password hashes (e.g. Windows NT/2000, Samba, etc... but not + Windows 95/98) will be able to be connected from the Samba client. + + The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Clients + without Windows 95/98 servers are advised to disable + this option. + + Disabling this option will also disable the client plaintext auth option + + Likewise, if the client ntlmv2 + auth parameter is enabled, then only NTLMv2 logins will be + attempted. + +Default: client lanman auth = yes + + + + + +client ntlmv2 authclient ntlmv2 auth (G) + This parameter determines whether or not smbclient + 8 will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response. + + If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Many servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2. + + Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth + authentication will be disabled. This also disables share-level + authentication. + + If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of client lanman auth. + + Note that some sites (particularly + those following 'best practice' security polices) only allow NTLMv2 + responses, and not the weaker LM or NTLM. + +Default: client ntlmv2 auth = no + + + + + +client plaintext authclient plaintext auth (G) + Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords. + +Default: client plaintext auth = yes + + + + + +client schannelclient schannel (G) + + This controls whether the client offers or even + demands the use of the netlogon schannel. + client schannel = no does not + offer the schannel, client schannel = + auto offers the schannel but does not + enforce it, and client schannel = + yes denies access if the server is not + able to speak netlogon schannel. + +Default: client schannel = auto + + +Example: client schannel = yes + + + + +client signingclient signing (G) + This controls whether the client offers or requires + the server it talks to to use SMB signing. Possible values + are auto, mandatory + and disabled. + + + When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either. + +Default: client signing = auto + + + + + +client use spnegoclient use spnego (G) + This variable controls whether Samba clients will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + supporting servers (including WindowsXP, Windows2000 and Samba + 3.0) to agree upon an authentication + mechanism. This enables Kerberos authentication in particular. + +Default: client use spnego = yes + + + + + +commentcomment (S) + This is a text field that is seen next to a share + when a client does a queries the server, either via the network + neighborhood or via net view to list what shares + are available. + + If you want to set the string that is displayed next to the + machine name then see the + server string parameter. + + +Default: comment = +# No comment + + +Example: comment = Fred's Files + + + + +config fileconfig file (G) + This allows you to override the config file + to use, instead of the default (usually smb.conf). + There is a chicken and egg problem here as this option is set + in the config file! + + For this reason, if the name of the config file has changed + when the parameters are loaded then it will reload them from + the new config file. + + This option takes the usual substitutions, which can + be very useful. + + If the config file doesn't exist then it won't be loaded + (allowing you to special case the config files of just a few + clients). + +No default +Example: config file = /usr/local/samba/lib/smb.conf.%m + + + + +copycopy (S) + This parameter allows you to "clone" service + entries. The specified service is simply duplicated under the + current service's name. Any parameters specified in the current + section will override those in the section being copied. + + This feature lets you set up a 'template' service and + create similar services easily. Note that the service being + copied must occur earlier in the configuration file than the + service doing the copying. + +Default: copy = + + +Example: copy = otherservice + + + + +create modecreate maskcreate modeThis parameter is a synonym for create mask. +create maskcreate mask (S) + When a file is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX + permissions, and the resulting UNIX mode is then bit-wise 'AND'ed + with this parameter. This parameter may be thought of as a bit-wise + MASK for the UNIX modes of a file. Any bit not + set here will be removed from the modes set on a file when it is + created. + + The default value of this parameter removes the + 'group' and 'other' write and execute bits from the UNIX modes. + + Following this Samba will bit-wise 'OR' the UNIX mode created + from this parameter with the value of the + force create mode + parameter which is set to 000 by default. + + This parameter does not affect directory modes. See the + parameter directory mode + for details. + + Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the + security mask. + +Default: create mask = 0744 + + +Example: create mask = 0775 + + + + +csc policycsc policy (S) + This stands for client-side caching + policy, and specifies how clients capable of offline + caching will cache the files in the share. The valid values + are: manual, documents, programs, disable. + + These values correspond to those used on Windows servers. + + For example, shares containing roaming profiles can have + offline caching disabled using csc policy = disable. + +Default: csc policy = manual + + +Example: csc policy = programs + + + + +cups optionscups options (S) + This parameter is only applicable if printing is + set to cups. Its value is a free form string of options + passed directly to the cups library. + + + You can pass any generic print option known to CUPS (as listed + in the CUPS "Software Users' Manual"). You can also pass any printer + specific option (as listed in "lpoptions -d printername -l") + valid for the target queue. + + You should set this parameter to raw if your CUPS server + error_log file contains messages such as + "Unsupported format 'application/octet-stream'" when printing from a Windows client + through Samba. It is no longer necessary to enable + system wide raw printing in /etc/cups/mime.{convs,types}. + + + +Default: cups options = "" + + +Example: cups options = "raw,media=a4,job-sheets=secret,secret" + + + + +cups servercups server (G) + This parameter is only applicable if printing is + set to cups. + + + If set, this option overrides the ServerName option in the CUPS + client.conf. This is necessary if you have virtual + samba servers that connect to different CUPS daemons. + +Default: cups server = "" + + +Example: cups server = MYCUPSSERVER + + + + +deadtimedeadtime (G) + The value of the parameter (a decimal integer) + represents the number of minutes of inactivity before a connection + is considered dead, and it is disconnected. The deadtime only takes + effect if the number of open files is zero. + + This is useful to stop a server's resources being + exhausted by a large number of inactive connections. + + Most clients have an auto-reconnect feature when a + connection is broken so in most cases this parameter should be + transparent to users. + + Using this parameter with a timeout of a few minutes + is recommended for most systems. + + A deadtime of zero indicates that no auto-disconnection + should be performed. + +Default: deadtime = 0 + + +Example: deadtime = 15 + + + + +debug hires timestampdebug hires timestamp (G) + Sometimes the timestamps in the log messages + are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp + message header when turned on. + + Note that the parameter + debug timestamp must be on for this to have an + effect. + + +Default: debug hires timestamp = no + + + + + +debug piddebug pid (G) + When using only one log file for more then one forked + smbd + 8-process there may be hard to + follow which process outputs which message. This boolean parameter + is adds the process-id to the timestamp message headers in the + logfile when turned on. + + Note that the parameter + debug timestamp must be on for this to have an + effect. + +Default: debug pid = no + + + + + +timestamp logsdebug timestamptimestamp logsThis parameter is a synonym for debug timestamp. +debug timestampdebug timestamp (G) + Samba debug log messages are timestamped + by default. If you are running at a high + debug level these timestamps + can be distracting. This boolean parameter allows timestamping + to be turned off. + +Default: debug timestamp = yes + + + + + +debug uiddebug uid (G) + Samba is sometimes run as root and sometime + run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers + in the log file if turned on. + + Note that the parameter + debug timestamp must be on for this to have an + effect. + +Default: debug uid = no + + + + + +default casedefault case (S) + See the section on + NAME MANGLING. Also note the + short preserve case parameter. + +Default: default case = lower + + + + + +default devmodedefault devmode (S) + This parameter is only applicable to printable services. + When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba + server has a Device Mode which defines things such as paper size and + orientation and duplex settings. The device mode can only correctly be + generated by the printer driver itself (which can only be executed on a + Win32 platform). Because smbd is unable to execute the driver code + to generate the device mode, the default behavior is to set this field + to NULL. + + + Most problems with serving printer drivers to Windows NT/2k/XP clients + can be traced to a problem with the generated device mode. Certain drivers + will do things such as crashing the client's Explorer.exe with a NULL devmode. + However, other printer drivers can cause the client's spooler service + (spoolsv.exe) to die if the devmode was not created by the driver itself + (i.e. smbd generates a default devmode). + + + This parameter should be used with care and tested with the printer + driver in question. It is better to leave the device mode to NULL + and let the Windows client set the correct values. Because drivers do not + do this all the time, setting default devmode = yes + will instruct smbd to generate a default one. + + + For more information on Windows NT/2k printing and Device Modes, + see the MSDN documentation. + + +Default: default devmode = no + + + + + +defaultdefault servicedefaultThis parameter is a synonym for default service. +default servicedefault service (G) + This parameter specifies the name of a service + which will be connected to if the service actually requested cannot + be found. Note that the square brackets are NOT + given in the parameter value (see example below). + + There is no default value for this parameter. If this + parameter is not given, attempting to connect to a nonexistent + service results in an error. + + Typically the default service would be a + guest ok, + read-only service. + + Also note that the apparent service name will be changed + to equal that of the requested service, this is very useful as it + allows you to use macros like %S to make + a wildcard service. + + Note also that any "_" characters in the name of the service + used in the default service will get mapped to a "/". This allows for + interesting things. + +Default: default service = + + +Example: default service = pub + + + + +defer sharing violationsdefer sharing violations (G) + + Windows allows specifying how a file will be shared with + other processes when it is opened. Sharing violations occur when + a file is opened by a different process using options that violate + the share settings specified by other processes. This parameter causes + smbd to act as a Windows server does, and defer returning a "sharing + violation" error message for up to one second, allowing the client + to close the file causing the violation in the meantime. + + + Unix by default does not have this behaviour. + + + There should be no reason to turn off this parameter, as it is + designed to enable Samba to more correctly emulate Windows. + + +Default: defer sharing violations = True + + + + + +delete group scriptdelete group script (G) + This is the full pathname to a script that will + be run AS ROOT smbd + 8 when a group is requested to be deleted. + It will expand any %g to the group name passed. + This script is only useful for installations using the Windows NT domain administration tools. + + +Default: delete group script = + + + + + +deleteprinter commanddeleteprinter command (G) + With the introduction of MS-RPC based printer + support for Windows NT/2000 clients in Samba 2.2, it is now + possible to delete printer at run time by issuing the + DeletePrinter() RPC call. + + For a Samba host this means that the printer must be + physically deleted from underlying printing system. The + deleteprinter command defines a script to be run which + will perform the necessary operations for removing the printer + from the print system and from smb.conf. + + + The deleteprinter command is + automatically called with only one parameter: + "printer name". + + Once the deleteprinter command has + been executed, smbd will reparse the + smb.conf to associated printer no longer exists. + If the sharename is still valid, then smbd + will return an ACCESS_DENIED error to the client. + +Default: deleteprinter command = + + +Example: deleteprinter command = /usr/bin/removeprinter + + + + +delete readonlydelete readonly (S) + This parameter allows readonly files to be deleted. + This is not normal DOS semantics, but is allowed by UNIX. + + This option may be useful for running applications such + as rcs, where UNIX file ownership prevents changing file + permissions, and DOS semantics prevent deletion of a read only file. + +Default: delete readonly = no + + + + + +delete share commanddelete share command (G) + Samba 2.2.0 introduced the ability to dynamically + add and delete shares via the Windows NT 4.0 Server Manager. The + delete share command is used to define an + external program or script which will remove an existing service + definition from smb.conf. In order to successfully + execute the delete share command, smbd + requires that the administrator be connected using a root account (i.e. + uid == 0). + + + + When executed, smbd will automatically invoke the + delete share command with two parameters. + + + + + configFile - the location + of the global smb.conf file. + + + + + shareName - the name of + the existing service. + + + + + + This parameter is only used to remove file shares. To delete printer shares, + see the deleteprinter + command. + + +Default: delete share command = + + +Example: delete share command = /usr/local/bin/delshare + + + + +delete user from group scriptdelete user from group script (G) + Full path to the script that will be called when + a user is removed from a group using the Windows NT domain administration + tools. It will be run by smbd + 8 AS ROOT. + Any %g will be replaced with the group name and + any %u will be replaced with the user name. + + +Default: delete user from group script = + + +Example: delete user from group script = /usr/sbin/deluser %u %g + + + + +delete user scriptdelete user script (G) + This is the full pathname to a script that will + be run by smbd + 8 when managing users + with remote RPC (NT) tools. + + + This script is called when a remote client removes a user + from the server, normally using 'User Manager for Domains' or + rpcclient. + + This script should delete the given UNIX username. + +Default: delete user script = + + +Example: delete user script = /usr/local/samba/bin/del_user %u + + + + +delete veto filesdelete veto files (S) + This option is used when Samba is attempting to + delete a directory that contains one or more vetoed directories + (see the veto files + option). If this option is set to no (the default) then if a vetoed + directory contains any non-vetoed files or directories then the + directory delete will fail. This is usually what you want. + + If this option is set to yes, then Samba + will attempt to recursively delete any files and directories within + the vetoed directory. This can be useful for integration with file + serving systems such as NetAtalk which create meta-files within + directories you might normally veto DOS/Windows users from seeing + (e.g. .AppleDouble) + + Setting delete veto files = yes allows these + directories to be transparently deleted when the parent directory + is deleted (so long as the user has permissions to do so). + +Default: delete veto files = no + + + + + +dfree commanddfree command (G) + + The dfree command setting + should only be used on systems where a problem occurs with the + internal disk space calculations. This has been known to happen + with Ultrix, but may occur with other operating systems. The + symptom that was seen was an error of "Abort Retry + Ignore" at the end of each directory listing. + + This setting allows the replacement of the internal routines to + calculate the total disk space and amount available with an external + routine. The example below gives a possible script that might fulfill + this function. + + The external program will be passed a single parameter indicating + a directory in the filesystem being queried. This will typically consist + of the string ./. The script should return two + integers in ASCII. The first should be the total disk space in blocks, + and the second should be the number of available blocks. An optional + third return value can give the block size in bytes. The default + blocksize is 1024 bytes. + + Note: Your script should NOT be setuid or + setgid and should be owned by (and writeable only by) root! + + Where the script dfree (which must be made executable) could be: + + +#!/bin/sh +df $1 | tail -1 | awk '{print $2" "$4}' + + + or perhaps (on Sys V based systems): + + +#!/bin/sh +/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' + + + Note that you may have to replace the command names with full path names on some systems. + + +Default: dfree command = +# By default internal routines for + determining the disk capacity and remaining space will be used. + + +Example: dfree command = /usr/local/samba/bin/dfree + + + + +directory modedirectory maskdirectory modeThis parameter is a synonym for directory mask. +directory maskdirectory mask (S) + This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories. + + When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit not set + here will be removed from the modes set on a directory when it is + created. + + The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it. + + Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the + force directory mode parameter. + This parameter is set to 000 by default (i.e. no extra mode bits are added). + + Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the + directory security mask. + +Default: directory mask = 0755 + + +Example: directory mask = 0775 + + + + +directory security maskdirectory security mask (S) + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box. + + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. + + If not set explicitly this parameter is set to 0777 + meaning a user is allowed to modify all the user/group/world + permissions on a directory. + + Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it as the default of 0777. + +Default: directory security mask = 0777 + + +Example: directory security mask = 0700 + + + + +disable netbiosdisable netbios (G) + Enabling this parameter will disable netbios support + in Samba. Netbios is the only available form of browsing in + all windows versions except for 2000 and XP. + + Clients that only support netbios won't be able to + see your samba server when netbios support is disabled. + + +Default: disable netbios = no + + + + + +disable spoolssdisable spoolss (G) + Enabling this parameter will disable Samba's support + for the SPOOLSS set of MS-RPC's and will yield identical behavior + as Samba 2.0.x. Windows NT/2000 clients will downgrade to using + Lanman style printing commands. Windows 9x/ME will be uneffected by + the parameter. However, this will also disable the ability to upload + printer drivers to a Samba server via the Windows NT Add Printer + Wizard or by using the NT printer properties dialog window. It will + also disable the capability of Windows NT/2000 clients to download + print drivers from the Samba host upon demand. + Be very careful about enabling this parameter. + + +Default: disable spoolss = no + + + + + +display charsetdisplay charset (G) + Specifies the charset that samba will use + to print messages to stdout and stderr and SWAT will use. + Should generally be the same as the unix charset. + + +Default: display charset = ASCII + + +Example: display charset = UTF8 + + + + +dns proxydns proxy (G) + Specifies that nmbd + 8 when acting as a WINS server and + finding that a NetBIOS name has not been registered, should treat the + NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server + for that name on behalf of the name-querying client. + + Note that the maximum length for a NetBIOS name is 15 + characters, so the DNS name (or DNS alias) can likewise only be + 15 characters, maximum. + + nmbd spawns a second copy of itself to do the + DNS name lookup requests, as doing a name lookup is a blocking + action. + +Default: dns proxy = yes + + + + + +domain logonsdomain logons (G) + + If set to yes, the Samba server will + provide the netlogon service for Windows 9X network logons for the + + workgroup it is in. + This will also cause the Samba server to act as a domain + controller for NT4 style domain services. For more details on + setting up this feature see the Domain Control chapter of the + Samba HOWTO Collection. + + +Default: domain logons = no + + + + + +domain masterdomain master (G) + Tell smbd + 8 to enable WAN-wide browse list + collation. Setting this option causes nmbd to + claim a special domain specific NetBIOS name that identifies + it as a domain master browser for its given + workgroup. Local master browsers + in the same workgroup on broadcast-isolated + subnets will give this nmbd their local browse lists, + and then ask smbd + 8 for a complete copy of the browse + list for the whole wide area network. Browser clients will then contact + their local master browser, and will receive the domain-wide browse list, + instead of just the list for their broadcast-isolated subnet. + + Note that Windows NT Primary Domain Controllers expect to be + able to claim this workgroup specific special + NetBIOS name that identifies them as domain master browsers for + that workgroup by default (i.e. there is no + way to prevent a Windows NT PDC from attempting to do this). This + means that if this parameter is set and nmbd claims + the special name for a workgroup before a Windows + NT PDC is able to do so then cross subnet browsing will behave + strangely and may fail. + + If domain logons = yes + , then the default behavior is to enable the domain + master parameter. If domain logons is + not enabled (the default setting), then neither will domain + master be enabled by default. + + +Default: domain master = auto + + + + + +dont descenddont descend (S) + There are certain directories on some systems + (e.g., the /proc tree under Linux) that are either not + of interest to clients or are infinitely deep (recursive). This + parameter allows you to specify a comma-delimited list of directories + that the server should always show as empty. + + Note that Samba can be very fussy about the exact format + of the "dont descend" entries. For example you may need + ./proc instead of just /proc. + Experimentation is the best policy :-) + +Default: dont descend = + + +Example: dont descend = /proc,/dev + + + + +dos charsetdos charset (G) + DOS SMB clients assume the server has + the same charset as they do. This option specifies which + charset Samba should talk to DOS clients. + + + The default depends on which charsets you have installed. + Samba tries to use charset 850 but falls back to ASCII in + case it is not available. Run testparm + 1 to check the default on your system. + +No default + + + +dos filemodedos filemode (S) + The default behavior in Samba is to provide + UNIX-like behavior where only the owner of a file/directory is + able to change the permissions on it. However, this behavior + is often confusing to DOS/Windows users. Enabling this parameter + allows a user who has write access to the file (by whatever + means) to modify the permissions on it. Note that a user + belonging to the group owning the file will not be allowed to + change permissions if the group is only granted read access. + Ownership of the file/directory is not changed, only the permissions + are modified. + +Default: dos filemode = no + + + + + +dos filetime resolutiondos filetime resolution (S) + Under the DOS and Windows FAT filesystem, the finest + granularity on time resolution is two seconds. Setting this parameter + for a share causes Samba to round the reported time down to the + nearest two second boundary when a query call that requires one second + resolution is made to smbd + 8. + + This option is mainly used as a compatibility option for Visual + C++ when used against Samba shares. If oplocks are enabled on a + share, Visual C++ uses two different time reading calls to check if a + file has changed since it was last read. One of these calls uses a + one-second granularity, the other uses a two second granularity. As + the two second call rounds any odd second down, then if the file has a + timestamp of an odd number of seconds then the two timestamps will not + match and Visual C++ will keep reporting the file has changed. Setting + this option causes the two timestamps to match, and Visual C++ is + happy. + +Default: dos filetime resolution = no + + + + + +dos filetimesdos filetimes (S) + Under DOS and Windows, if a user can write to a + file they can change the timestamp on it. Under POSIX semantics, + only the owner of the file or root may change the timestamp. By + default, Samba runs with POSIX semantics and refuses to change the + timestamp on a file if the user smbd is acting + on behalf of is not the file owner. Setting this option to + yes allows DOS semantics and smbd + 8 will change the file + timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond, + the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14 + and above. Microsoft Excel will display dialog box warnings about the file being + changed by another user if this parameter is not set to "yes" and files are being + shared between users. + + +Default: dos filetimes = yes + + + + + +ea supportea support (S) + This boolean parameter controls whether smbd + 8 will allow clients to attempt to store OS/2 style Extended + attributes on a share. In order to enable this parameter the underlying filesystem exported by + the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the + correct kernel patches). On Linux the filesystem must have been mounted with the mount + option user_xattr in order for extended attributes to work, also + extended attributes must be compiled into the Linux kernel. + +Default: ea support = no + + + + + +enable privilegesenable privileges (G) + This parameter controls whether or not smbd will honor + privileges assigned to specific SIDs via either net rpc rights + or one of the Windows user and group manager tools. This parameter is + disabled by default to prevent members of the Domain Admins group from + being able to assign privileges to users or groups which can then result in certain + smbd operations running as root that would normally run under the context + of the connected user. + + An example of how privileges can be used is to assign + the right to join clients to a Samba controlled domain without + providing root access to the server via smbd. + + Please read the extended description provided in the + Samba documentation before enabling this option. + + +Default: enable privileges = no + + + + + +enable rid algorithmenable rid algorithm (G) + This option is used to control whether or not smbd in Samba 3.0 should fallback + to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm + development goal is to remove the algorithmic mappings of RIDs altogether, but + this has proved to be difficult. This parameter is mainly provided so that + developers can turn the algorithm on and off and see what breaks. This parameter + should not be disabled by non-developers because certain features in Samba will fail + to work without it. + + + +Default: enable rid algorithm = yes + + + + + +encrypt passwordsencrypt passwords (G) + This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the chapter "User Database" in the Samba HOWTO Collection. + + + + MS Windows clients that expect Microsoft encrypted passwords and that + do not have plain text password support enabled will be able to + connect only to a Samba server that has encypted password support + enabled and for which the user accounts have a valid encrypted password. + Refer to the smbpasswd command man page for information regarding the + creation of encrypted passwords for user accounts. + + + + The use of plain text passwords is NOT advised as support for this feature + is no longer maintained in Microsoft Windows products. If you want to use + plain text passwords you must set this parameter to no. + + + In order for encrypted passwords to work correctly + smbd + 8 must either + have access to a local smbpasswd + 5 file (see the smbpasswd + 8 program for information on how to set up + and maintain this file), or set the security = [server|domain|ads] parameter which + causes smbd to authenticate against another + server. + +Default: encrypt passwords = yes + + + + + +enhanced browsingenhanced browsing (G) + This option enables a couple of enhancements to + cross-subnet browse propagation that have been added in Samba + but which are not standard in Microsoft implementations. + + + The first enhancement to browse propagation consists of a regular + wildcard query to a Samba WINS server for all Domain Master Browsers, + followed by a browse synchronization with each of the returned + DMBs. The second enhancement consists of a regular randomised browse + synchronization with all currently known DMBs. + + You may wish to disable this option if you have a problem with empty + workgroups not disappearing from browse lists. Due to the restrictions + of the browse protocols these enhancements can cause a empty workgroup + to stay around forever which can be annoying. + + In general you should leave this option enabled as it makes + cross-subnet browse propagation much more reliable. + + +Default: enhanced browsing = yes + + + + + +enumports commandenumports command (G) + The concept of a "port" is fairly foreign + to UNIX hosts. Under Windows NT/2000 print servers, a port + is associated with a port monitor and generally takes the form of + a local port (i.e. LPT1:, COM1:, FILE:) or a remote port + (i.e. LPD Port Monitor, etc...). By default, Samba has only one + port defined--"Samba Printer Port". Under + Windows NT/2000, all printers must have a valid port name. + If you wish to have a list of ports displayed (smbd + does not use a port name for anything) other than + the default "Samba Printer Port", you + can define enumports command to point to + a program which should generate a list of ports, one per line, + to standard output. This listing will then be used in response + to the level 1 and 2 EnumPorts() RPC. + +Default: enumports command = + + +Example: enumports command = /usr/bin/listports + + + + +fake directory create timesfake directory create times (S) + NTFS and Windows VFAT file systems keep a create + time for all files and directories. This is not the same as the + ctime - status change time - that Unix keeps, so Samba by default + reports the earliest of the various times Unix does keep. Setting + this parameter for a share causes Samba to always report midnight + 1-1-1980 as the create time for directories. + + This option is mainly used as a compatibility option for + Visual C++ when used against Samba shares. Visual C++ generated + makefiles have the object directory as a dependency for each object + file, and a make rule to create the directory. Also, when NMAKE + compares timestamps it uses the creation time when examining a + directory. Thus the object directory will be created if it does not + exist, but once it does exist it will always have an earlier + timestamp than the object files it contains. + + However, Unix time semantics mean that the create time + reported by Samba will be updated whenever a file is created or + or deleted in the directory. NMAKE finds all object files in + the object directory. The timestamp of the last one built is then + compared to the timestamp of the object directory. If the + directory's timestamp if newer, then all object files + will be rebuilt. Enabling this option + ensures directories always predate their contents and an NMAKE build + will proceed as expected. + +Default: fake directory create times = no + + + + + +fake oplocksfake oplocks (S) + Oplocks are the way that SMB clients get permission + from a server to locally cache file operations. If a server grants + an oplock (opportunistic lock) then the client is free to assume + that it is the only one accessing the file and it will aggressively + cache file data. With some oplock types the client may even cache + file open/close operations. This can give enormous performance benefits. + + + When you set fake oplocks = yes, + smbd8 will + always grant oplock requests no matter how many clients are using the file. + + It is generally much better to use the real + oplocks support rather + than this parameter. + + If you enable this option on all read-only shares or + shares that you know will only be accessed from one client at a + time such as physically read-only media like CDROMs, you will see + a big performance improvement on many operations. If you enable + this option on shares where multiple clients may be accessing the + files read-write at the same time you can get data corruption. Use + this option carefully! + +Default: fake oplocks = no + + + + + +follow symlinksfollow symlinks (S) + This parameter allows the Samba administrator + to stop smbd + 8 from following symbolic + links in a particular share. Setting this + parameter to no prevents any file or directory + that is a symbolic link from being followed (the user will get an + error). This option is very useful to stop users from adding a + symbolic link to /etc/passwd in their home + directory for instance. However it will slow filename lookups + down slightly. + + This option is enabled (i.e. smbd will + follow symbolic links) by default. + +Default: follow symlinks = yes + + + + + +force create modeforce create mode (S) + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a + file created by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the create mask + parameter is applied. + + The example below would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + +Default: force create mode = 000 + + +Example: force create mode = 0755 + + + + +force directory modeforce directory mode (S) + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter directory mask is + applied. + + The example below would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + +Default: force directory mode = 000 + + +Example: force directory mode = 0755 + + + + +force directory security modeforce directory security mode (S) + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog box. + + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a directory, the user has always set to be 'on'. + + If not set explicitly this parameter is 000, which + allows a user to modify all the user/group/world permissions on a + directory without restrictions. + + Users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it set as 0000. + + +Default: force directory security mode = 0 + + +Example: force directory security mode = 700 + + + + +groupforce groupgroupThis parameter is a synonym for force group. +force groupforce group (S) + This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files. + + In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting force group = +sys means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group. + + If the force user + parameter is also set the group specified in + force group will override the primary group + set in force user. + + +Default: force group = + + +Example: force group = agroup + + + + +force printernameforce printername (S) + When printing from Windows NT (or later), + each printer in smb.conf has two + associated names which can be used by the client. The first + is the sharename (or shortname) defined in smb.conf. This + is the only printername available for use by Windows 9x clients. + The second name associated with a printer can be seen when + browsing to the "Printers" (or "Printers and Faxes") folder + on the Samba server. This is referred to simply as the printername + (not to be confused with the printer name option). + + + When assigning a new driver to a printer on a remote + Windows compatible print server such as Samba, the Windows client + will rename the printer to match the driver name just uploaded. + This can result in confusion for users when multiple + printers are bound to the same driver. To prevent Samba from + allowing the printer's printername to differ from the sharename + defined in smb.conf, set force printername = yes. + + + Be aware that enabling this parameter may affect migrating + printers from a Windows server to Samba since Windows has no way to + force the sharename and printername to match. + + It is recommended that this parameter's value not be changed + once the printer is in use by clients as this could cause a user + not be able to delete printer connections from their local Printers + folder. + + +Default: force printername = no + + + + + +force security modeforce security mode (S) + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog + box. + + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a file, the user has always set to be 'on'. + + If not set explicitly this parameter is set to 0, + and allows a user to modify all the user/group/world permissions on a file, + with no restrictions. + + Note that users who can access + the Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + this set to 0000. + + +Default: force security mode = 0 + + +Example: force security mode = 700 + + + + +force unknown acl userforce unknown acl user (S) + If this parameter is set, a Windows NT ACL that contains an unknown + SID (security descriptor, or representation of a user or group + id) as the owner or group owner of the file will be silently + mapped into the current UNIX uid or gid of the currently + connected user. + + This is designed to allow Windows NT clients to copy files and + folders containing ACLs that were created locally on the client + machine and contain users local to that machine only (no domain + users) to be copied to a Samba server (usually with XCOPY /O) + and have the unknown userid and groupid of the file owner map to + the current connected user. This can only be fixed correctly + when winbindd allows arbitrary mapping from any Windows NT SID + to a UNIX uid or gid. + + Try using this parameter when XCOPY /O gives an ACCESS_DENIED + error. + +Default: force unknown acl user = no + + + + + +force userforce user (S) + This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems. + + This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. This can be very useful. + + In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug). + + +Default: force user = + + +Example: force user = auser + + + + +fstypefstype (S) + This parameter allows the administrator to + configure the string that specifies the type of filesystem a share + is using that is reported by smbd + 8 when a client queries the filesystem type + for a share. The default type is NTFS for + compatibility with Windows NT but this can be changed to other + strings such as Samba or FAT + if required. + +Default: fstype = NTFS + + +Example: fstype = Samba + + + + +get quota commandget quota command (G) + The get quota command should only be used + whenever there is no operating system API available from the OS that + samba can use. + + This option is only available with ./configure --with-sys-quotas. + Or on linux when ./configure --with-quotas was used and a working quota api + was found in the system. + + This parameter should specify the path to a script that + queries the quota information for the specified + user/group for the partition that + the specified directory is on. + + Such a script should take 3 arguments: + + + directory + type of query + uid of user or gid of group + + + The type of query can be one of : + + + 1 - user quotas + 2 - user default quotas (uid = -1) + 3 - group quotas + 4 - group default quotas (gid = -1) + + + This script should print one line as output with spaces between the arguments. The arguments are: + + + + Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced) + Arg 2 - number of currently used blocks + Arg 3 - the softlimit number of blocks + Arg 4 - the hardlimit number of blocks + Arg 5 - currently used number of inodes + Arg 6 - the softlimit number of inodes + Arg 7 - the hardlimit number of inodes + Arg 8(optional) - the number of bytes in a block(default is 1024) + + +Default: get quota command = + + +Example: get quota command = /usr/local/sbin/query_quota + + + + +getwd cachegetwd cache (G) + This is a tuning option. When this is enabled a + caching algorithm will be used to reduce the time taken for getwd() + calls. This can have a significant impact on performance, especially + when the wide links + parameter is set to no. + +Default: getwd cache = yes + + + + + +guest accountguest account (G) + This is a username which will be used for access + to services which are specified as + guest ok (see below). Whatever privileges this + user has will be available to any client connecting to the guest service. + This user must exist in the password file, but does not require + a valid login. The user account "ftp" is often a good choice + for this parameter. + + + On some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + su - command) and trying to print using the + system print command such as lpr(1) or + lp(1). + + This parameter does not accept % macros, because + many parts of the system require this value to be + constant for correct operation. + +Default: guest account = nobody +# default can be changed at compile-time + + +Example: guest account = ftp + + + + +publicguest okpublicThis parameter is a synonym for guest ok. +guest okguest ok (S) + If this parameter is yes for + a service, then no password is required to connect to the service. + Privileges will be those of the + guest account. + + This paramater nullifies the benifits of setting + restrict + anonymous = 2 + + See the section below on + security for more information about this option. + + +Default: guest ok = no + + + + + +only guestguest onlyonly guestThis parameter is a synonym for guest only. +guest onlyguest only (S) + If this parameter is yes for + a service, then only guest connections to the service are permitted. + This parameter will have no effect if + guest ok is not set for the service. + + See the section below on + security for more information about this option. + + +Default: guest only = no + + + + + +hide dot fileshide dot files (S) + This is a boolean parameter that controls whether + files starting with a dot appear as hidden files. + +Default: hide dot files = yes + + + + + +hide fileshide files (S) + This is a list of files or directories that are not + visible but are accessible. The DOS 'hidden' attribute is applied + to any files or directories that match. + + Each entry in the list must be separated by a '/', + which allows spaces to be included in the entry. '*' + and '?' can be used to specify multiple files or directories + as in DOS wildcards. + + Each entry must be a Unix path, not a DOS path and must + not include the Unix directory separator '/'. + + Note that the case sensitivity option is applicable + in hiding files. + + Setting this parameter will affect the performance of Samba, + as it will be forced to check all files and directories for a match + as they are scanned. + +Default: hide files = +# no file are hidden + + +Example: hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ +# +The above example is based on files that the Macintosh +SMB client (DAVE) available from +Thursby creates for internal use, and also still hides +all files beginning with a dot. + + + + +hide special fileshide special files (S) + This parameter prevents clients from seeing + special files such as sockets, devices and fifo's in directory + listings. + + +Default: hide special files = no + + + + + +hide unreadablehide unreadable (S) + This parameter prevents clients from seeing the + existance of files that cannot be read. Defaults to off. + +Default: hide unreadable = no + + + + + +hide unwriteable fileshide unwriteable files (S) + This parameter prevents clients from seeing + the existance of files that cannot be written to. Defaults to off. + Note that unwriteable directories are shown as usual. + + +Default: hide unwriteable files = no + + + + + +homedir maphomedir map (G) + Ifnis homedir + is yes, and smbd + 8 is also acting + as a Win95/98 logon server then this parameter + specifies the NIS (or YP) map from which the server for the user's + home directory should be extracted. At present, only the Sun + auto.home map format is understood. The form of the map is: + + username server:/some/file/system + + and the program will extract the servername from before + the first ':'. There should probably be a better parsing system + that copes with different map formats and also Amd (another + automounter) maps. + + A working NIS client is required on + the system for this option to work. + +Default: homedir map = + + +Example: homedir map = amd.homedir + + + + +host msdfshost msdfs (G) + If set to yes, Samba will act as a Dfs + server, and allow Dfs-aware clients to browse Dfs trees hosted + on the server. + + See also the + msdfs root share level parameter. For + more information on setting up a Dfs tree on Samba, + refer to . + + +Default: host msdfs = no + + + + + +hostname lookupshostname lookups (G) + Specifies whether samba should use (expensive) + hostname lookups or use the ip addresses instead. An example place + where hostname lookups are currently used is when checking + the hosts deny and hosts allow. + + +Default: hostname lookups = no + + +Example: hostname lookups = yes + + + + +allow hostshosts allowallow hostsThis parameter is a synonym for hosts allow. +hosts allowhosts allow (S) + A synonym for this parameter is allow + hosts. + + This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service. + + If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting. + + You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like allow hosts = 150.203.5. + . The full syntax of the list is described in the man + page hosts_access(5). Note that this man + page may not be present on your system, so a brief description will + be given here also. + + Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a + hosts deny option. + + You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + EXCEPT keyword can also be used to limit a + wildcard list. The following examples may provide some help: + +Example 1: allow all IPs in 150.203.*.*; except one + + hosts allow = 150.203. EXCEPT 150.203.6.66 + + Example 2: allow hosts that match the given network/netmask + + hosts allow = 150.203.15.0/255.255.255.0 + + Example 3: allow a couple of hosts + + hosts allow = lapland, arvidsjaur + + Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host + + hosts allow = @foonet + + hosts deny = pirate + + Note that access still requires suitable user-level passwords. + + See testparm + 1 for a way of testing your host access + to see if it does what you expect. + + + +Default: hosts allow = +# none (i.e., all hosts permitted access) + + +Example: hosts allow = 150.203.5. myhost.mynet.edu.au + + + + +deny hostshosts denydeny hostsThis parameter is a synonym for hosts deny. +hosts denyhosts deny (S) + The opposite of hosts allow + - hosts listed here are NOT permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the allow + list takes precedence. + +Default: hosts deny = +# none (i.e., no hosts specifically excluded) + + +Example: hosts deny = 150.203.4. badhost.mynet.edu.au + + + + +hosts equivhosts equiv (G) + If this global parameter is a non-null string, + it specifies the name of a file to read for the names of hosts + and users who will be allowed access without specifying a password. + + + This is not be confused with + hosts allow which is about hosts + access to services and is more useful for guest services. + hosts equiv may be useful for NT clients which will + not supply passwords to Samba. + + The use of hosts equiv + can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + hosts equiv option be only used if you really + know what you are doing, or perhaps on a home network where you trust + your spouse and kids. And only if you really trust + them :-). + +Default: hosts equiv = +# no host equivalences + + +Example: hosts equiv = hosts equiv = /etc/hosts.equiv + + + + +idmap backendidmap backend (G) + + The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap + tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common + LDAP backend. This way all domain members and controllers will have the same UID and GID + to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux + systems that are sharing information over protocols other than SMB/CIFS (ie: NFS). + + + + An alternate method of SID to UID / GID mapping can be achieved using the idmap_rid + plug-in. This plug-in uses the account RID to derive the UID and GID by adding the + RID to a base value specified. This utility requires that the parameter + allow trusted domains = No must be specified, as it is not compatible + with multiple domain environments. The idmap uid and idmap gid ranges must also be + specified. + + +Default: idmap backend = + + +Example: idmap backend = ldap:ldap://ldapslave.example.com + +Example: idmap backend = idmap_rid:DOMNAME=1000-100000000 + + + + +winbind gididmap gidwinbind gidThis parameter is a synonym for idmap gid. +idmap gididmap gid (G) + + The idmap gid parameter specifies the range of group ids that are allocated for + the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no + existing local or NIS groups within it as strange conflicts can occur otherwise. + + The availability of an idmap gid range is essential for correct operation of + all group mapping. + +Default: idmap gid = + + +Example: idmap gid = 10000-20000 + + + + +winbind uididmap uidwinbind uidThis parameter is a synonym for idmap uid. +idmap uididmap uid (G) + The idmap uid parameter specifies the range of user ids that are allocated for use + in mapping UNIX users to NT user SIDs. This range of ids should have no existing local + or NIS users within it as strange conflicts can occur otherwise. + +Default: idmap uid = + + +Example: idmap uid = 10000-20000 + + + + +includeinclude (G) + This allows you to include one config file + inside another. The file is included literally, as though typed + in place. + + It takes the standard substitutions, except %u + , %P and %S. + + +Default: include = + + +Example: include = /usr/local/samba/lib/admin_smb.conf + + + + +inherit aclsinherit acls (S) + This parameter can be used to ensure that if default acls + exist on parent directories, they are always honored when creating a + subdirectory. The default behavior is to use the mode specified when + creating the directory. Enabling this option sets the mode to 0777, + thus guaranteeing that default directory acls are propagated. + + +Default: inherit acls = no + + + + + +inherit ownerinherit owner (S) + The ownership of new files and directories + is normally governed by effective uid of the connected user. + This option allows the Samba administrator to specify that + the ownership for new files and directories should be controlled + by the ownership of the parent directory. + + Common scenarios where this behavior is useful is in + implementing drop-boxes where users can create and edit files but not + delete them and to ensure that newly create files in a user's + roaming profile directory are actually owner by the user. + +Default: inherit owner = no + + + + + +inherit permissionsinherit permissions (S) + The permissions on new files and directories + are normally governed by + create mask, + directory mask, + force create mode + and force + directory mode but the boolean inherit + permissions parameter overrides this. + + New directories inherit the mode of the parent directory, + including bits such as setgid. + + New files inherit their read/write bits from the parent + directory. Their execute bits continue to be determined by + map archive + , map hidden + and map system + as usual. + + Note that the setuid bit is never set via + inheritance (the code explicitly prohibits this). + + This can be particularly useful on large systems with + many users, perhaps several thousand, to allow a single [homes] + share to be used flexibly by each user. + +Default: inherit permissions = no + + + + + +interfacesinterfaces (G) + This option allows you to override the default + network interfaces list that Samba will use for browsing, name + registration and other NBT traffic. By default Samba will query + the kernel for the list of all active interfaces and use any + interfaces except 127.0.0.1 that are broadcast capable. + + The option takes a list of interface strings. Each string + can be in any of the following forms: + + + a network interface name (such as eth0). + This may include shell-like wildcards so eth* will match + any interface starting with the substring "eth" + + an IP address. In this case the netmask is + determined from the list of interfaces obtained from the + kernel + + an IP/mask pair. + + a broadcast/mask pair. + + + The "mask" parameters can either be a bit length (such + as 24 for a C class network) or a full netmask in dotted + decimal form. + + The "IP" parameters above can either be a full dotted + decimal IP address or a hostname which will be looked up via + the OS's normal hostname resolution mechanisms. + + +Default: interfaces = +# all active interfaces except 127.0.0.1 that are broadcast capable + + +Example: interfaces = + +# This would configure three network interfaces corresponding + to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. + The netmasks of the latter two interfaces would be set to 255.255.255.0. + eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 + + + + + +invalid usersinvalid users (S) + This is a list of users that should not be allowed + to login to this service. This is really a paranoid + check to absolutely ensure an improper setting does not breach + your security. + + A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database. + + A name starting with '+' is interpreted only + by looking in the UNIX group database. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value +&group means check the + UNIX group database, followed by the NIS netgroup database, and + the value &+group means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix). + + The current servicename is substituted for %S. + This is useful in the [homes] section. + +Default: invalid users = +# no invalid users + + +Example: invalid users = root fred admin @wheel + + + + +keepalivekeepalive (G) + The value of the parameter (an integer) represents + the number of seconds between keepalive + packets. If this parameter is zero, no keepalive packets will be + sent. Keepalive packets, if sent, allow the server to tell whether + a client is still present and responding. + + Keepalives should, in general, not be needed if the socket + being used has the SO_KEEPALIVE attribute set on it (see + socket options). +Basically you should only use this option if you strike difficulties. + +Default: keepalive = 300 + + +Example: keepalive = 600 + + + + +kernel change notifykernel change notify (G) + This parameter specifies whether Samba should ask the + kernel for change notifications in directories so that + SMB clients can refresh whenever the data on the server changes. + + + This parameter is only used when your kernel supports + change notification to user programs, using the F_NOTIFY fcntl. + + +Default: kernel change notify = yes + + + + + +kernel oplockskernel oplocks (G) + For UNIXes that support kernel based + oplocks + (currently only IRIX and the Linux 2.4 kernel), this parameter + allows the use of them to be turned on or off. + + Kernel oplocks support allows Samba oplocks + to be broken whenever a local UNIX process or NFS operation + accesses a file that smbd + 8 has oplocked. This allows complete + data consistency between SMB/CIFS, NFS and local file access (and is + a very cool feature :-). + + This parameter defaults to on, but is translated + to a no-op on systems that no not have the necessary kernel support. + You should never need to touch this parameter. + +Default: kernel oplocks = yes + + + + + +lanman authlanman auth (G) + This parameter determines whether or not smbd + 8 will attempt to + authenticate users or permit password changes + using the LANMAN password hash. If disabled, only clients which support NT + password hashes (e.g. Windows NT/2000 clients, smbclient, but not + Windows 95/98 or the MS DOS network client) will be able to + connect to the Samba host. + + The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98/ME or MS DOS clients are advised to disable + this option. + + Unlike the encypt + passwords option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the client lanman + auth to disable this for Samba's clients (such as smbclient) + + If this option, and ntlm + auth are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to use it. + +Default: lanman auth = yes + + + + + +large readwritelarge readwrite (G) + This parameter determines whether or not + smbd + 8 supports the new 64k + streaming read and write varient SMB requests introduced with + Windows 2000. Note that due to Windows 2000 client redirector bugs + this requires Samba to be running on a 64-bit capable operating + system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve + performance by 10% with Windows 2000 clients. Defaults to on. Not as + tested as some other Samba code paths. + +Default: large readwrite = yes + + + + + +ldap admin dnldap admin dn (G) + The ldap admin dn + defines the Distinguished Name (DN) name used by Samba to + contact the ldap server when retreiving user account + information. The ldap admin + dn is used in conjunction with the admin dn password + stored in the private/secrets.tdb file. + See the smbpasswd + 8 man page for more + information on how to accmplish this. + +No default + + + +ldap delete dnldap delete dn (G) + This parameter specifies whether a delete + operation in the ldapsam deletes the complete entry or only the attributes + specific to Samba. + + +Default: ldap delete dn = no + + + + + +ldap filterldap filter (G) + This parameter specifies the RFC 2254 compliant LDAP search filter. + The default is to match the login name with the uid + attribute. Note that this filter should only return one entry. + + +Default: ldap filter = (uid=%u) + + +Example: ldap filter = (&(uid=%u)(objectclass=sambaSamAccount)) + + + + +ldap group suffixldap group suffix (G) + This parameters specifies the suffix that is + used for groups when these are added to the LDAP directory. + If this parameter is unset, the value of ldap suffix will be used instead. + + +Default: ldap group suffix = + + +Example: ldap group suffix = ou=Groups,dc=samba,ou=Groups + + + + +ldap idmap suffixldap idmap suffix (G) + This parameters specifies the suffix that is + used when storing idmap mappings. If this parameter + is unset, the value of ldap suffix + will be used instead. + +Default: ldap idmap suffix = + + +Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org + + + + +ldap machine suffixldap machine suffix (G) + It specifies where machines should be added to the ldap tree. + +Default: ldap machine suffix = + + + + + +ldap passwd syncldap passwd sync (G) + This option is used to define whether + or not Samba should sync the LDAP password with the NT + and LM hashes for normal accounts (NOT for + workstation, server or domain trusts) on a password + change via SAMBA. + + + The ldap passwd + sync can be set to one of three values: + + + + Yes = Try + to update the LDAP, NT and LM passwords and update the pwdLastSet time. + + + + No = Update NT and + LM passwords and update the pwdLastSet time. + + + + Only = Only update + the LDAP password and let the LDAP server do the rest. + + + +Default: ldap passwd sync = no + + + + + +ldap portldap port (G) + This parameter is only available if Samba has been + configure to include the --with-ldapsam option + at compile time. + + This option is used to control the tcp port number used to contact + the ldap server. + The default is to use the stand LDAPS port 636. + +Default: ldap port = 636 +# if ldap ssl = on + +Default: ldap port = 389 +# if ldap ssl = off + + + + + +ldap replication sleepldap replication sleep (G) + When Samba is asked to write to a read-only LDAP +replica, we are redirected to talk to the read-write master server. +This server then replicates our changes back to the 'local' server, +however the replication might take some seconds, especially over slow +links. Certain client activities, particularly domain joins, can become +confused by the 'success' that does not immediately change the LDAP +back-end's data. + This option simply causes Samba to wait a short time, to +allow the LDAP server to catch up. If you have a particularly +high-latency network, you may wish to time the LDAP replication with a +network sniffer, and increase this value accordingly. Be aware that no +checking is performed that the data has actually replicated. + The value is specified in milliseconds, the maximum +value is 5000 (5 seconds). + +Default: ldap replication sleep = 1000 + + + + + +ldapsam:trustedldapsam:trusted (G) + + +By default, Samba as a Domain Controller with an LDAP backend needs to use the +Unix-style NSS subsystem to access user and group information. Due to the way +Unix stores user information in /etc/passwd and /etc/group this inevitably +leads to inefficiencies. One important question a user needs to know is the +list of groups he is member of. The plain Unix model involves a complete +enumeration of the file /etc/group and its NSS counterparts in LDAP. In this +particular case there often optimized functions are available in Unix, but for +other queries there is no optimized function available. + +To make Samba scale well in large environments, the ldapsam:trusted=yes +option assumes that the complete user and group database that is relevant to +Samba is stored in LDAP with the standard posixAccount/posixGroup model, and +that the Samba auxiliary object classes are stored together with the the posix +data in the same LDAP object. If these assumptions are met, +ldapsam:trusted=yes can be activated and Samba can completely bypass the NSS +system to query user information. Optimized LDAP queries can speed up domain +logon and administration tasks a lot. Depending on the size of the LDAP +database a factor of 100 or more for common queries is easily achieved. + + +Default: ldapsam:trusted = no + + + + + +ldap serverldap server (G) + This parameter is only available if Samba has been + configure to include the --with-ldapsam + option at compile time. + + This parameter should contain the FQDN of the ldap directory + server which should be queried to locate user account information. + + +Default: ldap server = localhost + + + + + +ldap sslldap ssl (G) + This option is used to define whether or not Samba should + use SSL when connecting to the ldap server + This is NOT related to + Samba's previous SSL support which was enabled by specifying the + --with-ssl option to the configure + script. + + The ldap ssl can be set to one of three values: + + + Off = Never + use SSL when querying the directory. + + + + Start_tls = Use + the LDAPv3 StartTLS extended operation (RFC2830) for + communicating with the directory server. + + + + On = Use SSL + on the ldaps port when contacting the ldap server. Only available when the + backwards-compatiblity --with-ldapsam option is specified + to configure. See passdb backend + + + +Default: ldap ssl = start_tls + + + + + +ldap suffixldap suffix (G) + Specifies where user and machine accounts are added to the + tree. Can be overriden by ldap user + suffix and ldap machine + suffix. It also used as the base dn for all ldap +searches. + +Default: ldap suffix = + + + + + +ldap timeoutldap timeout (G) + When Samba connects to an ldap server that server +may be down or unreachable. To prevent Samba from hanging whilst +waiting for the connection this parameter specifies in seconds how +long Samba should wait before failing the connect. The default is +to only wait fifteen seconds for the ldap server to respond to the +connect request. + +Default: ldap timeout = 15 + + + + + +ldap user suffixldap user suffix (G) + This parameter specifies where users are added to the tree. + If this parameter is not specified, the value from ldap suffix. + + +Default: ldap user suffix = + + + + + +level2 oplockslevel2 oplocks (S) + This parameter controls whether Samba supports + level2 (read-only) oplocks on a share. + + Level2, or read-only oplocks allow Windows NT clients + that have an oplock on a file to downgrade from a read-write oplock + to a read-only oplock once a second client opens the file (instead + of releasing all oplocks on a second open, as in traditional, + exclusive oplocks). This allows all openers of the file that + support level2 oplocks to cache the file for read-ahead only (ie. + they may not cache writes or lock requests) and increases performance + for many accesses of files that are not commonly written (such as + application .EXE files). + + Once one of the clients which have a read-only oplock + writes to the file all clients are notified (no reply is needed + or waited for) and told to break their oplocks to "none" and + delete any read-ahead caches. + + It is recommended that this parameter be turned on to + speed access to shared executables. + + For more discussions on level2 oplocks see the CIFS spec. + + Currently, if kernel + oplocks are supported then level2 oplocks are + not granted (even if this parameter is set to yes). + Note also, the oplocks + parameter must be set to yes on this share in order for + this parameter to have any effect. + +Default: level2 oplocks = yes + + + + + +lm announcelm announce (G) + This parameter determines if nmbd + 8 will produce Lanman announce + broadcasts that are needed by OS/2 clients in order for them to see + the Samba server in their browse list. This parameter can have three + values, yes, no, or + auto. The default is auto. + If set to no Samba will never produce these + broadcasts. If set to yes Samba will produce + Lanman announce broadcasts at a frequency set by the parameter + lm interval. If set to auto + Samba will not send Lanman announce broadcasts by default but will + listen for them. If it hears such a broadcast on the wire it will + then start sending them at a frequency set by the parameter + lm interval. + +Default: lm announce = auto + + +Example: lm announce = yes + + + + +lm intervallm interval (G) + If Samba is set to produce Lanman announce + broadcasts needed by OS/2 clients (see the + lm announce parameter) then this + parameter defines the frequency in seconds with which they will be + made. If this is set to zero then no Lanman announcements will be + made despite the setting of the lm announce + parameter. + +Default: lm interval = 60 + + +Example: lm interval = 120 + + + + +load printersload printers (G) + A boolean variable that controls whether all + printers in the printcap will be loaded for browsing by default. + See the printers section for + more details. + +Default: load printers = yes + + + + + +local masterlocal master (G) + This option allows nmbd + 8 to try and become a local master browser + on a subnet. If set to no then + nmbd will not attempt to become a local master browser + on a subnet and will also lose in all browsing elections. By + default this value is set to yes. Setting this value to + yes doesn't mean that Samba will become the + local master browser on a subnet, just that nmbd + will participate in elections for local master browser. + + Setting this value to no will cause nmbd never to become a local +master browser. + +Default: local master = yes + + + + + +lock dirlock directorylock dirThis parameter is a synonym for lock directory. +lock directorylock directory (G) + This option specifies the directory where lock + files will be placed. The lock files are used to implement the + max connections + option. + +Default: lock directory = ${prefix}/var/locks + + +Example: lock directory = /var/run/samba/locks + + + + +lockinglocking (S) + This controls whether or not locking will be + performed by the server in response to lock requests from the + client. + + If locking = no, all lock and unlock + requests will appear to succeed and all lock queries will report + that the file in question is available for locking. + + If locking = yes, real locking will be performed + by the server. + + This option may be useful for read-only + filesystems which may not need locking (such as + CDROM drives), although setting this parameter of no + is not really recommended even in this case. + + Be careful about disabling locking either globally or in a + specific service, as lack of locking may result in data corruption. + You should never need to set this parameter. + +No default + + + +lock spin countlock spin count (G) + This parameter controls the number of times + that smbd should attempt to gain a byte range lock on the + behalf of a client request. Experiments have shown that + Windows 2k servers do not reply with a failure if the lock + could not be immediately granted, but try a few more times + in case the lock could later be acquired. This behavior + is used to support PC database formats such as MS Access + and FoxPro. + + +Default: lock spin count = 3 + + + + + +lock spin timelock spin time (G) + The time in microseconds that smbd should + pause before attempting to gain a failed lock. See + lock spin + count for more details. + +Default: lock spin time = 10 + + + + + +log filelog file (G) + This option allows you to override the name + of the Samba log file (also known as the debug file). + + This option takes the standard substitutions, allowing + you to have separate log files for each user or machine. + +No default +Example: log file = /usr/local/samba/var/log.%m + + + + +debuglevellog leveldebuglevelThis parameter is a synonym for log level. +log levellog level (G) + The value of the parameter (a astring) allows + the debug level (logging level) to be specified in the + smb.conf file. This parameter has been + extended since the 2.2.x series, now it allow to specify the debug + level for multiple debug classes. This is to give greater + flexibility in the configuration of the system. + + The default will be the log level specified on + the command line or level zero if none was specified. + + +No default +Example: log level = 3 passdb:5 auth:10 winbind:2 + + + + +logon drivelogon drive (G) + This parameter specifies the local path to + which the home directory will be connected (see + logon home) + and is only used by NT Workstations. + + Note that this option is only useful if Samba is set up as a + logon server. + +Default: logon drive = z: + + +Example: logon drive = h: + + + + +logon homelogon home (G) + This parameter specifies the home directory + location when a Win95/98 or NT Workstation logs into a Samba PDC. + It allows you to do + + C:\> + NET USE H: /HOME + + + from a command prompt, for example. + + This option takes the standard substitutions, allowing + you to have separate logon scripts for each user or machine. + + This parameter can be used with Win9X workstations to ensure + that roaming profiles are stored in a subdirectory of the user's + home directory. This is done in the following way: + + logon home = \\%N\%U\profile + + This tells Samba to return the above string, with + substitutions made when a client requests the info, generally + in a NetUserGetInfo request. Win9X clients truncate the info to + \\server\share when a user does net use /home + but use the whole string when dealing with profiles. + + Note that in prior versions of Samba, the + logon path was returned rather than + logon home. This broke net use /home but allowed profiles outside the home directory. + The current implementation is correct, and can be used for profiles if you use + the above trick. + + This option is only useful if Samba is set up as a logon + server. + +Default: logon home = \\%N\%U + + +Example: logon home = \\remote_smb_server\%U + + + + +logon pathlogon path (G) + This parameter specifies the home directory + where roaming profiles (NTuser.dat etc files for Windows NT) are + stored. Contrary to previous versions of these manual pages, it has + nothing to do with Win 9X roaming profiles. To find out how to + handle roaming profiles for Win 9X system, see the + logon home parameter. + + This option takes the standard substitutions, allowing you + to have separate logon scripts for each user or machine. It also + specifies the directory from which the "Application Data", + (desktop, start menu, + network neighborhood, programs + and other folders, and their contents, are loaded and displayed on + your Windows NT client. + + The share and the path must be readable by the user for + the preferences and directories to be loaded onto the Windows NT + client. The share must be writeable when the user logs in for the first + time, in order that the Windows NT client can create the NTuser.dat + and other directories. + + Thereafter, the directories and any of the contents can, + if required, be made read-only. It is not advisable that the + NTuser.dat file be made read-only - rename it to NTuser.man to + achieve the desired effect (a MANdatory + profile). + + Windows clients can sometimes maintain a connection to + the [homes] share, even though there is no user logged in. + Therefore, it is vital that the logon path does not include a + reference to the homes share (i.e. setting this parameter to + \%N\%U\profile_path will cause problems). + + This option takes the standard substitutions, allowing + you to have separate logon scripts for each user or machine. + + + + Do not quote the value. Setting this as \\%N\profile\%U + will break profile handling. + + + Note that this option is only useful if Samba is set up + as a logon server. + +Default: logon path = \\%N\%U\profile + + +Example: logon path = >\\PROFILESERVER\PROFILE\%U + + + + +logon scriptlogon script (G) + This parameter specifies the batch file (.bat) or + NT command file (.cmd) to be downloaded and run on a machine when + a user successfully logs in. The file must contain the DOS + style CR/LF line endings. Using a DOS-style editor to create the + file is recommended. + + The script must be a relative path to the [netlogon] + service. If the [netlogon] service specifies a + path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then + the file that will be downloaded is: + + /usr/local/samba/netlogon/STARTUP.BAT + + The contents of the batch file are entirely your choice. A + suggested command would be to add NET TIME \\SERVER /SET + /YES, to force every machine to synchronize clocks with + the same time server. Another use would be to add NET USE + U: \\SERVER\UTILS for commonly used utilities, or + NET USE Q: \\SERVER\ISO9001_QA for example. + + Note that it is particularly important not to allow write + access to the [netlogon] share, or to grant users write permission + on the batch files in a secure environment, as this would allow + the batch files to be arbitrarily modified and security to be + breached. + + This option takes the standard substitutions, allowing you + to have separate logon scripts for each user or machine. + + This option is only useful if Samba is set up as a logon + server. + +Default: logon script = + + +Example: logon script = scripts\%U.bat + + + + +lppause commandlppause command (S) + This parameter specifies the command to be + executed on the server host in order to stop printing or spooling + a specific print job. + + This command should be a program or script which takes + a printer name and job number to pause the print job. One way + of implementing this is by using job priorities, where jobs + having a too low priority won't be sent to the printer. + + If a %p is given then the printer name + is put in its place. A %j is replaced with + the job number (an integer). On HPUX (see printing=hpux + ), if the -p%p option is added + to the lpq command, the job will show up with the correct status, i.e. + if the job priority is lower than the set fence priority it will + have the PAUSED status, whereas if the priority is equal or higher it + will have the SPOOLED or PRINTING status. + + Note that it is good practice to include the absolute path + in the lppause command as the PATH may not be available to the server. + +Default: lppause command = +# Currently no default value is given to + this string, unless the value of the printing + parameter is SYSV, in which case the default is : lp -i %p-%j -H hold or if the value of the printing parameter is SOFTQ, then the default is: qstat -s -j%j -h. + + +Example: lppause command = /usr/bin/lpalt %p-%j -p0 + + + + +lpq cache timelpq cache time (G) + This controls how long lpq info will be cached + for to prevent the lpq command being called too + often. A separate cache is kept for each variation of the + lpq command used by the system, so if you use different + lpq commands for different users then they won't + share cache information. + + The cache files are stored in /tmp/lpq.xxxx + where xxxx is a hash of the lpq command in use. + + The default is 10 seconds, meaning that the cached results + of a previous identical lpq command will be used + if the cached data is less than 10 seconds old. A large value may + be advisable if your lpq command is very slow. + +A value of 0 will disable caching completely. + +Default: lpq cache time = 10 + + +Example: lpq cache time = 30 + + + + +lpq commandlpq command (S) + This parameter specifies the command to be + executed on the server host in order to obtain lpq + -style printer status information. + + This command should be a program or script which + takes a printer name as its only parameter and outputs printer + status information. + + Currently nine styles of printer status information + are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. + This covers most UNIX systems. You control which type is expected + using the printing = option. + + Some clients (notably Windows for Workgroups) may not + correctly send the connection number for the printer they are + requesting status information about. To get around this, the + server reports on the first printer service connected to by the + client. This only happens if the connection number sent is invalid. + + If a %p is given then the printer name + is put in its place. Otherwise it is placed at the end of the + command. + + Note that it is good practice to include the absolute path + in the lpq command as the $PATH + may not be available to the server. When compiled with + the CUPS libraries, no lpq command is + needed because smbd will make a library call to obtain the + print queue listing. + +Default: lpq command = + + +Example: lpq command = /usr/bin/lpq -P%p + + + + +lpresume commandlpresume command (S) + This parameter specifies the command to be + executed on the server host in order to restart or continue + printing or spooling a specific print job. + + This command should be a program or script which takes + a printer name and job number to resume the print job. See + also the lppause command + parameter. + + If a %p is given then the printer name + is put in its place. A %j is replaced with + the job number (an integer). + + Note that it is good practice to include the absolute path + in the lpresume command as the PATH may not + be available to the server. + + See also the printing + parameter. + + Default: Currently no default value is given + to this string, unless the value of the printing + parameter is SYSV, in which case the default is : + + lp -i %p-%j -H resume + + or if the value of the printing parameter + is SOFTQ, then the default is: + + qstat -s -j%j -r + +Default: lpresume command = lpresume command = /usr/bin/lpalt %p-%j -p2 + + + + + +lprm commandlprm command (S) + This parameter specifies the command to be + executed on the server host in order to delete a print job. + + This command should be a program or script which takes + a printer name and job number, and deletes the print job. + + If a %p is given then the printer name + is put in its place. A %j is replaced with + the job number (an integer). + + Note that it is good practice to include the absolute + path in the lprm command as the PATH may not be + available to the server. + + +Default: lprm command = +# depends on the setting of printing + + +Example: lprm command = /usr/bin/lprm -P%p %j + +Example: lprm command = /usr/bin/cancel %p-%j + + + + +machine password timeoutmachine password timeout (G) + If a Samba server is a member of a Windows + NT Domain (see the security = domain + parameter) then periodically a running smbd + process will try and change the MACHINE ACCOUNT + PASSWORD stored in the TDB called private/secrets.tdb + . This parameter specifies how often this password + will be changed, in seconds. The default is one week (expressed in + seconds), the same as a Windows NT Domain member server. + + See also smbpasswd + 8, and the + security = domain parameter. + + +Default: machine password timeout = 604800 + + + + + +magic outputmagic output (S) + This parameter specifies the name of a file + which will contain output created by a magic script (see the + magic script + parameter below). + +If two clients use the same magic script + in the same directory the output file content + is undefined. + +Default: magic output = <magic script name>.out + + +Example: magic output = myfile.txt + + + + +magic scriptmagic script (S) + This parameter specifies the name of a file which, + if opened, will be executed by the server when the file is closed. + This allows a UNIX script to be sent to the Samba host and + executed on behalf of the connected user. + + Scripts executed in this way will be deleted upon + completion assuming that the user has the appropriate level + of privilege and the file permissions allow the deletion. + + If the script generates output, output will be sent to + the file specified by the + magic output parameter (see above). + + Note that some shells are unable to interpret scripts + containing CR/LF instead of CR as + the end-of-line marker. Magic scripts must be executable + as is on the host, which for some hosts and + some shells will require filtering at the DOS end. + + Magic scripts are EXPERIMENTAL and + should NOT be relied upon. + +Default: magic script = + + +Example: magic script = user.csh + + + + +mangled mapmangled map (S) + This is for those who want to directly map UNIX + file names which cannot be represented on Windows/DOS. The mangling + of names is not always what is needed. In particular you may have + documents with file extensions that differ between DOS and UNIX. + For example, under UNIX it is common to use .html + for HTML files, whereas under Windows/DOS .htm + is more commonly used. + + So to map html to htm + you would use: + + mangled map = (*.html *.htm) + + One very useful case is to remove the annoying ;1 + off the ends of filenames on some CDROMs (only visible + under some UNIXes). To do this use a map of (*;1 *;). + +Default: mangled map = +# no mangled map + + +Example: mangled map = (*;1 *;) + + + + +mangled namesmangled names (S) + This controls whether non-DOS names under UNIX + should be mapped to DOS-compatible names ("mangled") and made visible, + or whether non-DOS names should simply be ignored. + + See the section on NAME MANGLING for + details on how to control the mangling process. + + If mangling is used then the mangling algorithm is as follows: + + + + The first (up to) five alphanumeric characters + before the rightmost dot of the filename are preserved, forced + to upper case, and appear as the first (up to) five characters + of the mangled name. + + + + A tilde "~" is appended to the first part of the mangled + name, followed by a two-character unique sequence, based on the + original root name (i.e., the original filename minus its final + extension). The final extension is included in the hash calculation + only if it contains any upper case characters or is longer than three + characters. + + Note that the character to use may be specified using + the mangling char + option, if you don't like '~'. + + + + Files whose UNIX name begins with a dot will be + presented as DOS hidden files. The mangled name will be created as + for other filenames, but with the leading dot removed and "___" as + its extension regardless of actual original extension (that's three + underscores). + + + + The two-digit hash value consists of upper case alphanumeric characters. + + This algorithm can cause name collisions only if files + in a directory share the same first five alphanumeric characters. + The probability of such a clash is 1/1300. + + The name mangling (if enabled) allows a file to be + copied between UNIX directories from Windows/DOS while retaining + the long UNIX filename. UNIX files can be renamed to a new extension + from Windows/DOS and will retain the same basename. Mangled names + do not change between sessions. + +Default: mangled names = yes + + + + + +mangle prefixmangle prefix (G) + controls the number of prefix + characters from the original name used when generating + the mangled names. A larger value will give a weaker + hash and therefore more name collisions. The minimum + value is 1 and the maximum value is 6. + + + mangle prefix is effective only when mangling method is hash2. + + +Default: mangle prefix = 1 + + +Example: mangle prefix = 4 + + + + +mangling charmangling char (S) + This controls what character is used as + the magic character in name mangling. The + default is a '~' but this may interfere with some software. Use this option to set + it to whatever you prefer. This is effective only when mangling method is hash. + +Default: mangling char = ~ + + +Example: mangling char = ^ + + + + +mangling methodmangling method (G) + controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the algorithm that was used + used in Samba for many years and was the default in Samba 2.2.x "hash2" is + now the default and is newer and considered a better algorithm (generates less collisions) in + the names. Many Win32 applications store the mangled names and so + changing to algorithms must not be done lightly as these applications + may break unless reinstalled. + +Default: mangling method = hash2 + + +Example: mangling method = hash + + + + +map acl inheritmap acl inherit (S) + This boolean parameter controls whether smbd + 8 will attempt to map the 'inherit' and 'protected' + access control entry flags stored in Windows ACLs into an extended attribute + called user.SAMBA_PAI. This parameter only takes effect if Samba is being run + on a platform that supports extended attributes (Linux and IRIX so far) and + allows the Windows 2000 ACL editor to correctly use inheritance with the Samba + POSIX ACL mapping code. + + +Default: map acl inherit = no + + + + + +map archivemap archive (S) + This controls whether the DOS archive attribute + should be mapped to the UNIX owner execute bit. The DOS archive bit + is set when a file has been modified since its last backup. One + motivation for this option it to keep Samba/your PC from making + any file it touches from becoming executable under UNIX. This can + be quite annoying for shared source code, documents, etc... + + Note that this requires the create mask + parameter to be set such that owner execute bit is not masked out + (i.e. it must include 100). See the parameter + create mask for details. + +Default: map archive = yes + + + + + +map hiddenmap hidden (S) + This controls whether DOS style hidden files + should be mapped to the UNIX world execute bit. + + Note that this requires the create mask + to be set such that the world execute bit is not masked out (i.e. + it must include 001). See the parameter + create mask for details. + + +No default + + + +map systemmap system (S) + This controls whether DOS style system files + should be mapped to the UNIX group execute bit. + + Note that this requires the create mask + to be set such that the group execute bit is not masked out (i.e. + it must include 010). See the parameter + create mask for details. + +Default: map system = no + + + + + +map to guestmap to guest (G) + This parameter is only useful in + security modes other than security = share + - i.e. user, server, + and domain. + + This parameter can take three different values, which tell + smbd + 8 what to do with user + login requests that don't match a valid UNIX user in some way. + + The three settings are : + + + + Never - Means user login + requests with an invalid password are rejected. This is the + default. + + + + Bad User - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the + guest account. + + + + Bad Password - Means user logins + with an invalid password are treated as a guest login and mapped + into the guest account. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + hate you if you set the map to + guest parameter this way :-). + + + + Note that this parameter is needed to set up "Guest" + share services when using security modes other than + share. This is because in these modes the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. + + For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the + GUEST_SESSSETUP value in local.h. + +Default: map to guest = Never + + +Example: map to guest = Bad User + + + + +max connectionsmax connections (S) + This option allows the number of simultaneous connections to a service to be limited. + If max connections is greater than 0 then connections + will be refused if this number of connections to the service are already open. A value + of zero mean an unlimited number of connections may be made. + + Record lock files are used to implement this feature. The lock files will be stored in + the directory specified by the + lock directory option. + +Default: max connections = 0 + + +Example: max connections = 10 + + + + +max disk sizemax disk size (G) + This option allows you to put an upper limit + on the apparent size of disks. If you set this option to 100 + then all shares will appear to be not larger than 100 MB in + size. + + Note that this option does not limit the amount of + data you can put on the disk. In the above case you could still + store much more than 100 MB on the disk, but if a client ever asks + for the amount of free disk space or the total disk size then the + result will be bounded by the amount specified in max + disk size. + + This option is primarily useful to work around bugs + in some pieces of software that can't handle very large disks, + particularly disks over 1GB in size. + + A max disk size of 0 means no limit. + +Default: max disk size = 0 + + +Example: max disk size = 1000 + + + + +max log sizemax log size (G) + This option (an integer in kilobytes) specifies + the max size the log file should grow to. Samba periodically checks + the size and if it is exceeded it will rename the file, adding + a .old extension. + +A size of 0 means no limit. + +Default: max log size = 5000 + +Default: max log size = 1000 + + + + + +max muxmax mux (G) + This option controls the maximum number of + outstanding simultaneous SMB operations that Samba tells the client + it will allow. You should never need to set this parameter. + +Default: max mux = 50 + + + + + +max open filesmax open files (G) + This parameter limits the maximum number of + open files that one smbd + 8 file + serving process may have open for a client at any one time. The + default for this parameter is set very high (10,000) as Samba uses + only one bit per unopened file. + + The limit of the number of open files is usually set + by the UNIX per-process file descriptor limit rather than + this parameter so you should never need to touch this parameter. + +Default: max open files = 10000 + + + + + +max print jobsmax print jobs (S) + This parameter limits the maximum number of + jobs allowable in a Samba printer queue at any given moment. + If this number is exceeded, smbd + 8 will remote "Out of Space" to the client. + + +Default: max print jobs = 1000 + + +Example: max print jobs = 5000 + + + + +protocolmax protocolprotocolThis parameter is a synonym for max protocol. +max protocolmax protocol (G) + The value of the parameter (a string) is the highest + protocol level that will be supported by the server. + + Possible values are : + + + CORE: Earliest version. No + concept of user names. + + + + COREPLUS: Slight improvements on + CORE for efficiency. + + + + LANMAN1: First + modern version of the protocol. Long filename + support. + + + + LANMAN2: Updates to Lanman1 protocol. + + + + NT1: Current up to date version of the protocol. + Used by Windows NT. Known as CIFS. + + + + Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol. + +Default: max protocol = NT1 + + +Example: max protocol = LANMAN1 + + + + +max reported print jobsmax reported print jobs (S) + This parameter limits the maximum number of + jobs displayed in a port monitor for Samba printer queue at any given + moment. If this number is exceeded, the excess jobs will not be shown. + A value of zero means there is no limit on the number of print + jobs reported. + +Default: max reported print jobs = 0 + + +Example: max reported print jobs = 1000 + + + + +max smbd processesmax smbd processes (G) + This parameter limits the maximum number of smbd + 8 processes concurrently running on a system and is intended + as a stopgap to prevent degrading service to clients in the event that the server has insufficient + resources to handle more than this number of connections. Remember that under normal operating + conditions, each user will have an smbd + 8 associated with him or her to handle connections to all + shares from a given host. + +Default: max smbd processes = 0 + + +Example: max smbd processes = 1000 + + + + +max stat cache sizemax stat cache size (G) + This parameter specifies the maximum amount of memory (in kilobytes) + smbd will use for the stat cache that speeds up case insensitive name mappings. + If set to zero (the default) there is no limit. Change this if your smbd processes + grow too large when servicing something like a back-up application. + +Default: max stat cache size = 0 + + + + + +max ttlmax ttl (G) + This option tells nmbd + 8 what the default 'time to live' + of NetBIOS names should be (in seconds) when nmbd is + requesting a name using either a broadcast packet or from a WINS server. You should + never need to change this parameter. The default is 3 days. + +Default: max ttl = 259200 + + + + + +max wins ttlmax wins ttl (G) + This option tells smbd + 8 when acting as a WINS server ( + wins support = yes) what the maximum + 'time to live' of NetBIOS names that nmbd + will grant will be (in seconds). You should never need to change this + parameter. The default is 6 days (518400 seconds). + +Default: max wins ttl = 518400 + + + + + +max xmitmax xmit (G) + This option controls the maximum packet size + that will be negotiated by Samba. The default is 65535, which + is the maximum. In some cases you may find you get better performance + with a smaller value. A value below 2048 is likely to cause problems. + + +Default: max xmit = 65535 + + +Example: max xmit = 8192 + + + + +message commandmessage command (G) + This specifies what command to run when the + server receives a WinPopup style message. + + This would normally be a command that would + deliver the message somehow. How this is to be done is + up to your imagination. + + An example is: + + message command = csh -c 'xedit %s;rm %s' & + + + This delivers the message using xedit, then + removes it afterwards. NOTE THAT IT IS VERY IMPORTANT + THAT THIS COMMAND RETURN IMMEDIATELY. That's why I + have the '&' on the end. If it doesn't return immediately then + your PCs may freeze when sending messages (they should recover + after 30 seconds, hopefully). + + All messages are delivered as the global guest user. + The command takes the standard substitutions, although + %u won't work (%U may be better + in this case). + + Apart from the standard substitutions, some additional + ones apply. In particular: + + + + %s = the filename containing + the message. + + + + %t = the destination that + the message was sent to (probably the server name). + + + + %f = who the message + is from. + + + + You could make this command send mail, or whatever else + takes your fancy. Please let us know of any really interesting + ideas you have. + + Here's a way of sending the messages as mail to root: + + message command = /bin/mail -s 'message from %f on + %m' root < %s; rm %s + + If you don't have a message command then the message + won't be delivered and Samba will tell the sender there was + an error. Unfortunately WfWg totally ignores the error code + and carries on regardless, saying that the message was delivered. + + + If you want to silently delete it then try: + + message command = rm %s + +Default: message command = + + +Example: message command = csh -c 'xedit %s; rm %s' & + + + + +min passwd lengthmin password lengthmin passwd lengthThis parameter is a synonym for min password length. +min password lengthmin password length (G) + This option sets the minimum length in characters of a + plaintext password that smbd will + accept when performing UNIX password changing. + +Default: min password length = 5 + + + + + +min print spacemin print space (S) + This sets the minimum amount of free disk + space that must be available before a user will be able to spool + a print job. It is specified in kilobytes. The default is 0, which + means a user can always spool a print job. + +Default: min print space = 0 + + +Example: min print space = 2000 + + + + +min protocolmin protocol (G) + The value of the parameter (a string) is the + lowest SMB protocol dialect than Samba will support. Please refer + to the max protocol + parameter for a list of valid protocol names and a brief description + of each. You may also wish to refer to the C source code in + source/smbd/negprot.c for a listing of known protocol + dialects supported by clients. + + If you are viewing this parameter as a security measure, you should + also refer to the lanman + auth parameter. Otherwise, you should never need + to change this parameter. + +Default: min protocol = CORE + + +Example: min protocol = NT1 + + + + +min wins ttlmin wins ttl (G) + This option tells nmbd + 8 + when acting as a WINS server ( + wins support = yes) what the minimum 'time to live' + of NetBIOS names that nmbd will grant will be (in + seconds). You should never need to change this parameter. The default + is 6 hours (21600 seconds). + +Default: min wins ttl = 21600 + + + + + +msdfs proxymsdfs proxy (S) + This parameter indicates that the share is a + stand-in for another CIFS share whose location is specified by + the value of the parameter. When clients attempt to connect to + this share, they are redirected to the proxied share using + the SMB-Dfs protocol. + + Only Dfs roots can act as proxy shares. Take a look at the + msdfs root + and host msdfs + options to find out how to set up a Dfs root share. + +No default +Example: msdfs proxy = \otherserver\someshare + + + + +msdfs rootmsdfs root (S) + If set to yes, Samba treats the + share as a Dfs root and allows clients to browse the + distributed file system tree rooted at the share directory. + Dfs links are specified in the share directory by symbolic + links of the form msdfs:serverA\\shareA,serverB\\shareB + and so on. For more information on setting up a Dfs tree on + Samba, refer to . + +Default: msdfs root = no + + + + + +name cache timeoutname cache timeout (G) + Specifies the number of seconds it takes before + entries in samba's hostname resolve cache time out. If + the timeout is set to 0. the caching is disabled. + + +Default: name cache timeout = 660 + + +Example: name cache timeout = 0 + + + + +name resolve ordername resolve order (G) + This option is used by the programs in the Samba + suite to determine what naming services to use and in what order + to resolve host names to IP addresses. Its main purpose to is to + control how netbios name resolution is performed. The option takes a space + separated string of name resolution options. + + The options are: "lmhosts", "host", + "wins" and "bcast". They cause names to be + resolved as follows: + + + + lmhosts : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the lmhosts(5) for details) then + any name type matches for lookup. + + + + host : Do a standard host + name to IP address resolution, using the system /etc/hosts + , NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the /etc/nsswitch.conf + file. Note that this method is used only if the NetBIOS name + type being queried is the 0x20 (server) name type or 0x1c (domain controllers). + The latter case is only useful for active directory domains and results in a DNS + query for the SRV RR entry matching _ldap._tcp.domain. + + + + wins : Query a name with + the IP address listed in the + wins server parameter. If no WINS server has + been specified this method will be ignored. + + + + bcast : Do a broadcast on + each of the known local interfaces listed in the interfaces + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet. + + + + The example below will cause the local lmhosts file to be examined + first, followed by a broadcast attempt, followed by a normal + system hostname lookup. + + When Samba is functioning in ADS security mode (security = ads) + it is advised to use following settings for name resolve order: + + name resolve order = wins bcast + + DC lookups will still be done via DNS, but fallbacks to netbios names will + not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups. + + +Default: name resolve order = lmhosts host wins bcast + + +Example: name resolve order = lmhosts bcast host + + + + +netbios aliasesnetbios aliases (G) + This is a list of NetBIOS names that nmbd will + advertise as additional names by which the Samba server is known. This allows one machine + to appear in browse lists under multiple names. If a machine is acting as a browse server + or logon server none of these names will be advertised as either browse server or logon + servers, only the primary name of the machine will be advertised with these capabilities. + + +Default: netbios aliases = +# empty string (no additional names) + + +Example: netbios aliases = TEST TEST1 TEST2 + + + + +netbios namenetbios name (G) + This sets the NetBIOS name by which a Samba + server is known. By default it is the same as the first component + of the host's DNS name. If a machine is a browse server or + logon server this name (or the first component + of the hosts DNS name) will be the name that these services are + advertised under. + +Default: netbios name = +# machine DNS name + + +Example: netbios name = MYNAME + + + + +netbios scopenetbios scope (G) + This sets the NetBIOS scope that Samba will + operate under. This should not be set unless every machine + on your LAN also sets this value. + +Default: netbios scope = + + + + + +nis homedirnis homedir (G) + Get the home share server from a NIS map. For + UNIX systems that use an automounter, the user's home directory + will often be mounted on a workstation on demand from a remote + server. + + When the Samba logon server is not the actual home directory + server, but is mounting the home directories via NFS then two + network hops would be required to access the users home directory + if the logon server told the client to use itself as the SMB server + for home directories (one over SMB and one over NFS). This can + be very slow. + + This option allows Samba to return the home share as + being on a different server to the logon server and as + long as a Samba daemon is running on the home directory server, + it will be mounted on the Samba client directly from the directory + server. When Samba is returning the home share to the client, it + will consult the NIS map specified in + homedir map and return the server + listed there. + + Note that for this option to work there must be a working + NIS system and the Samba server with this option must also + be a logon server. + +Default: nis homedir = no + + + + + +nt acl supportnt acl support (S) + This boolean parameter controls whether smbd + 8 will attempt to map + UNIX permissions into Windows NT access control lists. + This parameter was formally a global parameter in releases + prior to 2.2.2. + +Default: nt acl support = yes + + + + + +ntlm authntlm auth (G) + This parameter determines whether or not smbd + 8 will attempt to + authenticate users using the NTLM encrypted password response. + If disabled, either the lanman password hash or an NTLMv2 response + will need to be sent by the client. + + If this option, and lanman + auth are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it. + +Default: ntlm auth = yes + + + + + +nt pipe supportnt pipe support (G) + This boolean parameter controls whether + smbd + 8 will allow Windows NT + clients to connect to the NT SMB specific IPC$ + pipes. This is a developer debugging option and can be left + alone. + +Default: nt pipe support = yes + + + + + +nt status supportnt status support (G) + This boolean parameter controls whether smbd + 8 will negotiate NT specific status + support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. + If this option is set to no then Samba offers + exactly the same DOS error codes that versions prior to Samba 2.2.3 + reported. + + You should not need to ever disable this parameter. + +Default: nt status support = yes + + + + + +null passwordsnull passwords (G) + Allow or disallow client access to accounts that have null passwords. + + See also smbpasswd + 5. + +Default: null passwords = no + + + + + +obey pam restrictionsobey pam restrictions (G) + When Samba 3.0 is configured to enable PAM support + (i.e. --with-pam), this parameter will control whether or not Samba + should obey PAM's account and session management directives. The + default behavior is to use PAM for clear text authentication only + and to ignore any account or session management. Note that Samba + always ignores PAM for authentication in the case of + encrypt passwords = yes. The reason + is that PAM modules cannot support the challenge/response + authentication mechanism needed in the presence of SMB password encryption. + + +Default: obey pam restrictions = no + + + + + +only useronly user (S) + This is a boolean option that controls whether + connections with usernames not in the user + list will be allowed. By default this option is disabled so that a + client can supply a username to be used by the server. Enabling + this parameter will force the server to only use the login + names from the user list and is only really + useful in share level + security. + + Note that this also means Samba won't try to deduce + usernames from the service name. This can be annoying for + the [homes] section. To get around this you could use user = + %S which means your user list + will be just the service name, which for home directories is the + name of the user. + +Default: only user = no + + + + + +oplock break wait timeoplock break wait time (G) + This is a tuning parameter added due to bugs in + both Windows 9x and WinNT. If Samba responds to a client too + quickly when that client issues an SMB that can cause an oplock + break request, then the network client can fail and not respond + to the break request. This tuning parameter (which is set in milliseconds) + is the amount of time Samba will wait before sending an oplock break + request to such (broken) clients. + + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND + UNDERSTOOD THE SAMBA OPLOCK CODE. + +Default: oplock break wait time = 0 + + + + + +oplock contention limitoplock contention limit (S) + This is a very advanced + smbd + 8 tuning option to + improve the efficiency of the granting of oplocks under multiple + client contention for the same file. + + In brief it specifies a number, which causes smbd + 8not to grant an oplock even when requested + if the approximate number of clients contending for an oplock on the same file goes over this + limit. This causes smbd to behave in a similar + way to Windows NT. + +DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ + AND UNDERSTOOD THE SAMBA OPLOCK CODE. + + +Default: oplock contention limit = 2 + + + + + +oplocksoplocks (S) + This boolean option tells smbd whether to + issue oplocks (opportunistic locks) to file open requests on this + share. The oplock code can dramatically (approx. 30% or more) improve + the speed of access to files on Samba servers. It allows the clients + to aggressively cache files locally and you may want to disable this + option for unreliable network environments (it is turned on by + default in Windows NT Servers). For more information see the file + Speed.txt in the Samba docs/ + directory. + + Oplocks may be selectively turned off on certain files with a + share. See the + veto oplock files parameter. On some systems + oplocks are recognized by the underlying operating system. This + allows data synchronization between all access to oplocked files, + whether it be via Samba or NFS or a local UNIX process. See the + kernel oplocks parameter for details. + +Default: oplocks = yes + + + + + +os2 driver mapos2 driver map (G) + The parameter is used to define the absolute + path to a file containing a mapping of Windows NT printer driver + names to OS/2 printer driver names. The format is: + + <nt driver name> = <os2 driver name>.<device name> + + For example, a valid entry using the HP LaserJet 5 + printer driver would appear as HP LaserJet 5L = LASERJET.HP + LaserJet 5L. + + The need for the file is due to the printer driver namespace + problem described in . For more details on OS/2 clients, please + refer to . + +Default: os2 driver map = + + + + + +os levelos level (G) + This integer value controls what level Samba + advertises itself as for browse elections. The value of this + parameter determines whether nmbd + 8 + has a chance of becoming a local master browser for the + WORKGROUP in the local broadcast area. + + Note :By default, Samba will win + a local master browsing election over all Microsoft operating + systems except a Windows NT 4.0/2000 Domain Controller. This + means that a misconfigured Samba host can effectively isolate + a subnet for browsing purposes. See BROWSING.txt + in the Samba docs/ directory + for details. + +Default: os level = 20 + + +Example: os level = 65 + + + + +pam password changepam password change (G) + With the addition of better PAM support in Samba 2.2, + this parameter, it is possible to use PAM's password change control + flag for Samba. If enabled, then PAM will be used for password + changes when requested by an SMB client instead of the program listed in + passwd program. + It should be possible to enable this without changing your + passwd chat + parameter for most setups. + +Default: pam password change = no + + + + + +panic actionpanic action (G) + This is a Samba developer option that allows a + system command to be called when either smbd + 8 or smbd + 8 crashes. This is usually used to +draw attention to the fact that a problem occurred. + +Default: panic action = + + +Example: panic action = "/bin/sleep 90000" + + + + +paranoid server securityparanoid server security (G) + Some version of NT 4.x allow non-guest + users with a bad passowrd. When this option is enabled, samba will not + use a broken NT 4.x server as password server, but instead complain + to the logs and exit. + + + Disabling this option prevents Samba from making + this check, which involves deliberatly attempting a + bad logon to the remote server. + +Default: paranoid server security = yes + + + + + +passdb backendpassdb backend (G) + + This option allows the administrator to chose which backends + to retrieve and store passwords with. This allows (for example) both + smbpasswd and tdbsam to be used without a recompile. Multiple + backends can be specified, separated by spaces. The backends will be + searched in the order they are specified. New users are always added + to the first backend specified. + + This parameter is in two parts, the backend's name, and a 'location' + string that has meaning only to that particular backed. These are separated + by a : character. + + Available backends can include: + + + smbpasswd - The default smbpasswd + backend. Takes a path to the smbpasswd file as an optional argument. + + + + + tdbsam - The TDB based password storage + backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the + private dir directory. + + + + ldapsam - The LDAP based passdb + backend. Takes an LDAP URL as an optional argument (defaults to + ldap://localhost) + + LDAP connections should be secured where possible. This may be done using either + Start-TLS (see ldap ssl) or by + specifying ldaps:// in + the URL argument. + + Multiple servers may also be specified in double-quotes, if your + LDAP libraries supports the LDAP URL notation. + (OpenLDAP does). + + + + + + nisplussam - + The NIS+ based passdb backend. Takes name NIS domain as + an optional argument. Only works with sun NIS+ servers. + + + + + mysql - + The MySQL based passdb backend. Takes an identifier as + argument. Read the Samba HOWTO Collection for configuration + details. + + + + + +Default: passdb backend = smbpasswd + + +Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd + +Example: passdb backend = ldapsam:ldaps://ldap.example.com + +Example: passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com" + +Example: passdb backend = mysql:my_plugin_args tdbsam + + + + +passwd chatpasswd chat (G) + This string controls the "chat" + conversation that takes places between smbd + 8 and the local password changing + program to change the user's password. The string describes a + sequence of response-receive pairs that smbd + 8 uses to determine what to send to the + passwd program + and what to expect back. If the expected output is not + received then the password is not changed. + + This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc). + + Note that this parameter only is only used if the unix password sync + parameter is set to yes. This sequence is + then called AS ROOT when the SMB password in the + smbpasswd file is being changed, without access to the old password + cleartext. This means that root must be able to reset the user's password without + knowing the text of the previous password. In the presence of + NIS/YP, this means that the passwd program must + be executed on the NIS master. + + + + The string can contain the macro %n which is substituted + for the new password. The chat sequence can also contain the standard + macros \n, \r, \t and \s to + give line-feed, carriage-return, tab and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces + in them into a single string. + + If the send string in any part of the chat sequence is a full + stop ".", then no string is sent. Similarly, if the + expect string is a full stop then no string is expected. + + If the pam + password change parameter is set to yes, the chat pairs + may be matched in any order, and success is determined by the PAM result, + not any particular output. The \n macro is ignored for PAM conversions. + + + +Default: passwd chat = *new*password* %n\n*new*password* %n\n *changed* + + +Example: passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" + + + + +passwd chat debugpasswd chat debug (G) + This boolean specifies if the passwd chat script + parameter is run in debug mode. In this mode the + strings passed to and received from the passwd chat are printed + in the smbd + 8 log with a + debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the smbd log. It is available to help + Samba admins debug their passwd chat scripts + when calling the passwd program and should + be turned off after this has been done. This option has no effect if the + pam password change + paramter is set. This parameter is off by default. + +Default: passwd chat debug = no + + + + + +passwd chat timeoutpasswd chat timeout (G) + This integer specifies the number of seconds smbd will wait for an initial + answer from a passwd chat script being run. Once the initial answer is received + the subsequent answers must be received in one tenth of this time. The default it + two seconds. + +Default: passwd chat timeout = 2 + + + + + +passwd programpasswd program (G) + The name of a program that can be used to set + UNIX user passwords. Any occurrences of %u + will be replaced with the user name. The user name is checked for + existence before calling the password changing program. + + Also note that many passwd programs insist in reasonable + passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it. + + Note that if the unix + password sync parameter is set to yes + then this program is called AS ROOT + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then + smbd will fail to change the SMB password also + (this is by design). + + If the unix password sync parameter + is set this parameter MUST USE ABSOLUTE PATHS + for ALL programs called, and must be examined + for security implications. Note that by default unix + password sync is set to no. + +Default: passwd program = + + +Example: passwd program = /bin/passwd %u + + + + +password levelpassword level (G) + Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS! Another problem child is the Windows 95/98 + family of operating systems. These clients upper case clear + text passwords even when NT LM 0.12 selected by the protocol + negotiation request/response. + + This parameter defines the maximum number of characters + that may be upper case in passwords. + + For example, say the password given was "FRED". If + password level is set to 1, the following combinations + would be tried if "FRED" failed: + + "Fred", "fred", "fRed", "frEd","freD" + + If password level was set to 2, + the following combinations would also be tried: + + "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. + + And so on. + + The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection. + + A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case. + + This parameter is used only when using plain-text passwords. It is + not at all used when encrypted passwords as in use (that is the default + since samba-3.0.0). Use this only when + encrypt passwords = No. + +Default: password level = 0 + + +Example: password level = 4 + + + + +password serverpassword server (G) + By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using security = [ads|domain|server] + it is possible to get Samba to + to do all its username/password validation using a specific remote server. + + This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections. + + If parameter is a name, it is looked up using the + parameter name + resolve order and so may resolved + by any method and order described in that parameter. + + The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode. + + Using a password server means your UNIX box (running + Samba) is only as secure as your password server. DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. + + + Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server! + + The name of the password server takes the standard + substitutions, but probably the only useful one is %m + , which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow! + + If the security parameter is set to + domain or ads, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is effectively + in that domain, and will use cryptographically authenticated RPC calls + to authenticate the user logging on. The advantage of using + security = domain is that if you list several hosts in the + password server option then smbd + will try each in turn till it finds one that responds. This + is useful in case your primary server goes down. + + If the password server option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name WORKGROUP<1C> + and then contacting each server returned in the list of IP + addresses from the name resolution source. + + If the list of servers contains both names/IP's and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC. + + If the security parameter is + set to server, then there are different + restrictions that security = domain doesn't + suffer from: + + + + You may list several password servers in + the password server parameter, however if an + smbd makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this smbd. This is a + restriction of the SMB/CIFS protocol when in security = server + mode and cannot be fixed in Samba. + + + + If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in + security = server mode the network logon will appear to + come from there rather than from the users workstation. + + + +Default: password server = + + +Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * + +Example: password server = windc.mydomain.com:389 192.168.1.101 * + +Example: password server = * + + + + +directorypathdirectoryThis parameter is a synonym for path. +pathpath (S) + This parameter specifies a directory to which + the user of the service is to be given access. In the case of + printable services, this is where print data will spool prior to + being submitted to the host for printing. + + For a printable service offering guest access, the service + should be readonly and the path should be world-writeable and + have the sticky bit set. This is not mandatory of course, but + you probably won't get the results you expect if you do + otherwise. + + Any occurrences of %u in the path + will be replaced with the UNIX username that the client is using + on this connection. Any occurrences of %m + will be replaced by the NetBIOS name of the machine they are + connecting from. These replacements are very useful for setting + up pseudo home directories for users. + + Note that this path will be based on + root dir if one was specified. + +Default: path = + + +Example: path = /home/fred + + + + +pid directorypid directory (G) + This option specifies the directory where pid + files will be placed. + +Default: pid directory = ${prefix}/var/locks + + +Example: pid directory = pid directory = /var/run/ + + + + +posix lockingposix locking (S) + The smbd + 8 + daemon maintains an database of file locks obtained by SMB clients. + The default behavior is to map this internal database to POSIX + locks. This means that file locks obtained by SMB clients are + consistent with those seen by POSIX compliant applications accessing + the files via a non-SMB method (e.g. NFS or local file access). + You should never need to disable this parameter. + +Default: posix locking = yes + + + + + +postexecpostexec (S) + This option specifies a command to be run + whenever the service is disconnected. It takes the usual + substitutions. The command may be run as the root on some + systems. + + An interesting example may be to unmount server + resources: + +postexec = /etc/umount /cdrom + +Default: postexec = + + +Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log + + + + +execpreexecexecThis parameter is a synonym for preexec. +preexecpreexec (S) + This option specifies a command to be run whenever + the service is connected to. It takes the usual substitutions. + + An interesting example is to send the users a welcome + message every time they log in. Maybe a message of the day? Here + is an example: + + preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & + + Of course, this could get annoying after a while :-) + + See also preexec close and postexec + . + +Default: preexec = + + +Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log + + + + +preexec closepreexec close (S) + This boolean option controls whether a non-zero + return code from preexec + should close the service being connected to. + +Default: preexec close = no + + + + + +prefered masterpreferred masterprefered masterThis parameter is a synonym for preferred master. +preferred masterpreferred master (G) + This boolean parameter controls if + nmbd + 8 is a preferred master + browser for its workgroup. + + If this is set to yes, on startup, nmbd + will force an election, and it will have a slight advantage in + winning the election. It is recommended that this parameter is + used in conjunction with + domain master = yes, so + that nmbd can guarantee becoming a domain master. + + Use this option with caution, because if there are several + hosts (whether Samba servers, Windows 95 or NT) that are + preferred master browsers on the same subnet, they will each + periodically and continuously attempt to become the local + master browser. This will result in unnecessary broadcast + traffic and reduced browsing capabilities. + +Default: preferred master = auto + + + + + +auto servicespreloadauto servicesThis parameter is a synonym for preload. +preloadpreload (G) + This is a list of services that you want to be + automatically added to the browse lists. This is most useful + for homes and printers services that would otherwise not be + visible. + + Note that if you just want all printers in your + printcap file loaded then the + load printers option is easier. + +Default: preload = + + +Example: preload = fred lp colorlp + + + + +preload modulespreload modules (G) + This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat. + +Default: preload modules = + + +Example: preload modules = /usr/lib/samba/passdb/mysql.so + + + + +preserve casepreserve case (S) + This controls if new filenames are created + with the case that the client passes, or if they are forced to + be the default case + . + See the section on NAME MANGLING for a fuller discussion. + +Default: preserve case = yes + + + + + +print okprintableprint okThis parameter is a synonym for printable. +printableprintable (S) + If this parameter is yes, then + clients may open, write to and submit spool files on the directory + specified for the service. + + Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The read only + parameter controls only non-printing access to + the resource. + +Default: printable = no + + + + + +printcap cache timeprintcap cache time (G) + This option specifies the number of seconds before the printing + subsystem is again asked for the known printers. If the value + is greater than 60 the initial waiting time is set to 60 seconds + to allow an earlier first rescan of the printing subsystem. + + + Setting this parameter to 0 (the default) disables any + rescanning for new or removed printers after the initial startup. + + +Default: printcap cache time = 0 + + +Example: printcap cache time = 600 + + + + +printcapprintcap nameprintcapThis parameter is a synonym for printcap name. +printcap nameprintcap name (S) + This parameter may be used to override the + compiled-in default printcap name used by the server (usually + /etc/printcap). See the discussion of the [printers] section above for reasons + why you might want to do this. + + To use the CUPS printing interface set printcap name = cups + . This should be supplemented by an addtional setting + printing = cups in the [global] + section. printcap name = cups will use the + "dummy" printcap created by CUPS, as specified in your CUPS + configuration file. + + + On System V systems that use lpstat to + list available printers you can use printcap name = lpstat + to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If + printcap name is set to lpstat on + these systems then Samba will launch lpstat -v and + attempt to parse the output to obtain a printer list. + + A minimal printcap file would look something like this: + + +print1|My Printer 1 +print2|My Printer 2 +print3|My Printer 3 +print4|My Printer 4 +print5|My Printer 5 + + + where the '|' separates aliases of a printer. The fact + that the second alias has a space in it gives a hint to Samba + that it's a comment. + + Under AIX the default printcap + name is /etc/qconfig. Samba will assume the + file is in AIX qconfig format if the string + qconfig appears in the printcap filename. + +Default: printcap name = /etc/printcap + + +Example: printcap name = /etc/myprintcap + + + + +print commandprint command (S) + After a print job has finished spooling to + a service, this command will be used via a system() + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files. + + The print command is simply a text string. It will be used + verbatim after macro substitutions have been made: + + %s, %f - the path to the spool + file name + + %p - the appropriate printer + name + + %J - the job + name as transmitted by the client. + + %c - The number of printed pages + of the spooled job (if known). + + %z - the size of the spooled + print job (in bytes) + + The print command MUST contain at least + one occurrence of %s or %f + - the %p is optional. At the time + a job is submitted, if no printer name is supplied the %p + will be silently removed from the printer command. + + If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified. + + If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed. + + Note that printing may fail on some UNIXes from the + nobody account. If this happens then create + an alternative guest account that can print and set the + guest account + in the [global] section. + + You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts. + + print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s + + You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the + printing parameter. + + Default: For printing = BSD, AIX, QNX, LPRNG + or PLP : + print command = lpr -r -P%p %s + + For printing = SYSV or HPUX : + print command = lp -c -d%p %s; rm %s + + For printing = SOFTQ : + print command = lp -d%p -s %s; rm %s + + For printing = CUPS : If SAMBA is compiled against + libcups, then printcap = cups + uses the CUPS API to + submit jobs, etc. Otherwise it maps to the System V + commands with the -oraw option for printing, i.e. it + uses lp -c -d%p -oraw; rm %s. + With printing = cups, + and if SAMBA is compiled against libcups, any manually + set print command will be ignored. + +No default +Example: print command = /usr/local/samba/bin/myprintscript %p %s + + + + +printer adminprinter admin (S) + + This lists users who can do anything to printers + via the remote administration interfaces offered + by MS-RPC (usually using a NT workstation). + This parameter can be set per-share or globally. + Note: The root user always has admin rights. Use + caution with use in the global stanza as this can + cause side effects. + + +Default: printer admin = + + +Example: printer admin = admin, @staff + + + + +printerprinter nameprinterThis parameter is a synonym for printer name. +printer nameprinter name (S) + This parameter specifies the name of the printer + to which print jobs spooled through a printable service will be sent. + + If specified in the [global] section, the printer + name given will be used for any printable service that does + not have its own printer name specified. + +Default: printer name = +# none (but may be lp on many systems) + + +Example: printer name = laserwriter + + + + +printingprinting (S) + This parameters controls how printer status information is + interpreted on your system. It also affects the default values for + the print command, lpq command, lppause command , lpresume command, and lprm command if specified in the + [global] section. + + Currently nine printing styles are supported. They are + BSD, AIX, + LPRNG, PLP, + SYSV, HPUX, + QNX, SOFTQ, + and CUPS. + + To see what the defaults are for the other print + commands when using the various options use the testparm + 1 program. + + This option can be set on a per printer basis. Please be + aware however, that you must place any of the various printing + commands (e.g. print command, lpq command, etc...) after defining + the value for the printing option since it will + reset the printing commands to default values. + + See also the discussion in the + [printers] section. + +No default + + + +private dirprivate dir (G) + This parameters defines the directory + smbd will use for storing such files as smbpasswd + and secrets.tdb. + + +Default: private dir = ${prefix}/private + + + + + +profile aclsprofile acls (S) + + This boolean parameter was added to fix the problems that people have been + having with storing user profiles on Samba shares from Windows 2000 or + Windows XP clients. New versions of Windows 2000 or Windows XP service + packs do security ACL checking on the owner and ability to write of the + profile directory stored on a local workstation when copied from a Samba + share. + + +When not in domain mode with winbindd then the security info copied + onto the local workstation has no meaning to the logged in user (SID) on + that workstation so the profile storing fails. Adding this parameter + onto a share used for profile storage changes two things about the + returned Windows ACL. Firstly it changes the owner and group owner + of all reported files and directories to be BUILTIN\\Administrators, + BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly + it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to + every returned ACL. This will allow any Windows 2000 or XP workstation + user to access the profile. + + Note that if you have multiple users logging + on to a workstation then in order to prevent them from being able to access + each others profiles you must remove the "Bypass traverse checking" advanced + user right. This will prevent access to other users profile directories as + the top level profile directory (named after the user) is created by the + workstation profile code and has an ACL restricting entry to the directory + tree to the owning user. + + +Default: profile acls = no + + + + + +queuepause commandqueuepause command (S) + This parameter specifies the command to be + executed on the server host in order to pause the printer queue. + + This command should be a program or script which takes + a printer name as its only parameter and stops the printer queue, + such that no longer jobs are submitted to the printer. + + This command is not supported by Windows for Workgroups, + but can be issued from the Printers window under Windows 95 + and NT. + + If a %p is given then the printer name + is put in its place. Otherwise it is placed at the end of the command. + + + Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server. + +No default +Example: queuepause command = disable %p + + + + +queueresume commandqueueresume command (S) + This parameter specifies the command to be + executed on the server host in order to resume the printer queue. It + is the command to undo the behavior that is caused by the + previous parameter ( + queuepause command). + + This command should be a program or script which takes + a printer name as its only parameter and resumes the printer queue, + such that queued jobs are resubmitted to the printer. + + This command is not supported by Windows for Workgroups, + but can be issued from the Printers window under Windows 95 + and NT. + + If a %p is given then the printer name + is put in its place. Otherwise it is placed at the end of the + command. + + Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server. + +Default: queueresume command = + + +Example: queueresume command = enable %p + + + + +read bmpxread bmpx (G) + This boolean parameter controls whether + smbd + 8 will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to + no. You should never need to set this + parameter. + +Default: read bmpx = no + + + + + +read listread list (S) + This is a list of users that are given read-only + access to a service. If the connecting user is in this list then + they will not be given write access, no matter what the + read only + option is set to. The list can include group names using the + syntax described in the + invalid users parameter. + + This parameter will not work with the + security = share in + Samba 3.0. This is by design. + +Default: read list = + + +Example: read list = mary, @students + + + + +read onlyread only (S) + An inverted synonym is + writeable. + + If this parameter is yes, then users + of a service may not create or modify files in the service's + directory. + + Note that a printable service (printable = yes) + will ALWAYS allow writing to the directory + (user privileges permitting), but only via spooling operations. + +Default: read only = yes + + + + + +read rawread raw (G) + This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients. + + If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. + + + However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads. + +In general this parameter should be viewed as a system tuning + tool and left severely alone. + +Default: read raw = yes + + + + + +realmrealm (G) + This option specifies the kerberos realm to use. The realm is + used as the ADS equivalent of the NT4 domain. It + is usually set to the DNS name of the kerberos server. + + +Default: realm = + + +Example: realm = mysambabox.mycompany.com + + + + +remote announceremote announce (G) + This option allows you to setup nmbd + 8to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name. + + This is useful if you want your Samba server to appear + in a remote workgroup for which the normal browse propagation + rules don't work. The remote workgroup can be anywhere that you + can send IP packets to. + + For example: + + remote announce = 192.168.2.255/SERVERS + 192.168.4.255/STAFF + + the above line would cause nmbd to announce itself + to the two given IP addresses using the given workgroup names. + If you leave out the workgroup name then the one given in + the workgroup + parameter is used instead. + + The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. + +See . + +Default: remote announce = + + + + + +remote browse syncremote browse sync (G) + This option allows you to setup nmbd + 8 to periodically request + synchronization of browse lists with the master browser of a Samba + server that is on a remote segment. This option will allow you to + gain browse lists for multiple workgroups across routed networks. This + is done in a manner that does not work with any non-Samba servers. + + This is useful if you want your Samba server and all local + clients to appear in a remote workgroup for which the normal browse + propagation rules don't work. The remote workgroup can be anywhere + that you can send IP packets to. + + For example: + + remote browse sync = 192.168.2.255 192.168.4.255 + + the above line would cause nmbd to request + the master browser on the specified subnets or addresses to + synchronize their browse lists with the local server. + + The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. If + a machine IP address is given Samba makes NO attempt to validate + that the remote machine is available, is listening, nor that it + is in fact the browse master on its segment. + +Default: remote browse sync = + + + + + +restrict anonymousrestrict anonymous (G) + The setting of this parameter determines whether user and + group list information is returned for an anonymous connection. + and mirrors the effects of the + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous registry key in Windows + 2000 and Windows NT. When set to 0, user and group list + information is returned to anyone who asks. When set + to 1, only an authenticated user can retrive user and + group list information. For the value 2, supported by + Windows 2000/XP and Samba, no anonymous connections are allowed at + all. This can break third party and Microsoft + applications which expect to be allowed to perform + operations anonymously. + + + The security advantage of using restrict anonymous = 1 is dubious, + as user and group list information can be obtained using other + means. + + + + + The security advantage of using restrict anonymous = 2 is removed + by setting guest + ok = yes on any share. + + + +Default: restrict anonymous = 0 + + + + + +rootroot directoryrootThis parameter is a synonym for root directory. +root dirroot directoryroot dirThis parameter is a synonym for root directory. +root directoryroot directory (G) + The server will chroot() (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the + wide links + parameter). + + + Adding a root directory entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the root directory + option, including some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the root directory tree. In particular + you will need to mirror /etc/passwd (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent. + +Default: root directory = / + + +Example: root directory = /homes/smb + + + + +root postexecroot postexec (S) + This is the same as the postexec + parameter except that the command is run as root. This + is useful for unmounting filesystems + (such as CDROMs) after a connection is closed. + +Default: root postexec = + + + + + +root preexecroot preexec (S) + This is the same as the preexec + parameter except that the command is run as root. This + is useful for mounting filesystems (such as CDROMs) when a + connection is opened. + +Default: root preexec = + + + + + +root preexec closeroot preexec close (S) + This is the same as the preexec close + parameter except that the command is run as root. + +Default: root preexec close = no + + + + + +securitysecurity (G) + This option affects how clients respond to + Samba and is one of the most important settings in the + smb.conf file. + + The option sets the "security mode bit" in replies to + protocol negotiations with smbd + 8 to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server. + + + The default is security = user, as this is + the most common setting needed when talking to Windows 98 and + Windows NT. + + The alternatives are security = share, + security = server or security = domain + . + + In versions of Samba prior to 2.0.0, the default was + security = share mainly because that was + the only option at one stage. + + There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as. + + If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + security = user. If you mostly use usernames + that don't exist on the UNIX box then use security = + share. + + You should also use security = share if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with security = user, see + the map to guest + parameter for details. + + It is possible to use smbd in a + hybrid mode where it is offers both user and share + level security under different + NetBIOS aliases. + + The different settings will now be explained. + + + SECURITY = SHARE + + When clients connect to a share level security server they + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a security = share + server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share. + + Note that smbd ALWAYS + uses a valid UNIX user to act on behalf of the client, even in + security = share level security. + + As clients are not required to send a username to the server + in share level security, smbd uses several + techniques to determine the correct UNIX user to use on behalf + of the client. + + A list of possible UNIX usernames to match with the given + client password is constructed using the following methods : + + + + If the guest + only parameter is set, then all the other + stages are missed and only the + guest account username is checked. + + + + + Is a username is sent with the share connection + request, then this username (after mapping - see + username map), + is added as a potential username. + + + + + If the client did a previous logon + request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + + + + + The name of the service the client requested is + added as a potential username. + + + + + The NetBIOS name of the client is added to + the list as a potential username. + + + + + Any users on the + user list are added as potential usernames. + + + + + If the guest only parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user. + + If the guest only parameter is + set, or no username can be determined then if the share is marked + as available to the guest account, then this + guest user will be used, otherwise access is denied. + + Note that it can be very confusing + in share-level security as to which UNIX username will eventually + be used in granting access. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = USER + + This is the default security setting in Samba 3.0. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the + username map + parameter). Encrypted passwords (see the + encrypted passwords parameter) can also + be used in this security mode. Parameters such as + user and + guest only if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the + guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = DOMAIN + + This mode will only work correctly if net + 8 has been used to add this + machine into a Windows NT Domain. It expects the + encrypted passwords + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. + + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. + + Note that from the client's point + of view security = domain is the same + as security = user. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the + guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the + encrypted passwords + parameter. + + SECURITY = SERVER + + In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to security = + user. It expects the + encrypted passwords parameter + to be set to yes, unless the remote server + does not support them. However note that if encrypted passwords have been + negotiated then Samba cannot revert back to checking the UNIX password file, + it must have a valid smbpasswd file to check + users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up. + + This mode of operation has + significant pitfalls, due to the fact that is activly initiates a + man-in-the-middle attack on the remote SMB server. In particular, + this mode of operation can cause significant resource consuption on + the PDC, as it must maintain an active connection for the duration + of the user's session. Furthermore, if this connection is lost, + there is no way to reestablish it, and futher authenticaions to the + Samba server may fail. (From a single client, till it disconnects). + + + From the client's point of + view security = server is the + same as security = user. It + only affects how the server deals with the authentication, it does + not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the + guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the + encrypted passwords parameter. + + SECURITY = ADS + + In this mode, Samba will act as a domain member in an ADS realm. To operate + in this mode, the machine running Samba will need to have Kerberos installed + and configured and Samba will need to be joined to the ADS realm using the + net utility. + + Note that this mode does NOT make Samba operate as a Active Directory Domain + Controller. + + Read the chapter about Domain Membership in the HOWTO for details. + +Default: security = USER + + +Example: security = DOMAIN + + + + +security masksecurity mask (S) + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box. + + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. + + If not set explicitly this parameter is 0777, allowing + a user to modify all the user/group/world permissions on a file. + + + Note that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to leave it set to 0777. + +Default: security mask = 0777 + + +Example: security mask = 0770 + + + + +server schannelserver schannel (G) + This controls whether the server offers or even + demands the use of the netlogon schannel. + server schannel = no does not + offer the schannel, server schannel = + auto offers the schannel but does not + enforce it, and server schannel = + yes denies access if the client is not + able to speak netlogon schannel. This is only the case + for Windows NT4 before SP4. + + Please note that with this set to + no you will have to apply the + WindowsXP requireSignOrSeal-Registry patch found in + the docs/Registry subdirectory. + +Default: server schannel = auto + + +Example: server schannel = yes + + + + +server signingserver signing (G) + + This controls whether the server offers or requires + the client it talks to to use SMB signing. Possible values + are auto, mandatory + and disabled. + + + When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either. + +Default: server signing = Disabled + + + + + +server stringserver string (G) + This controls what string will show up in the printer comment box in print + manager and next to the IPC connection in net view. It + can be any string that you wish to show to your users. + + It also sets what will appear in browse lists next + to the machine name. + + A %v will be replaced with the Samba + version number. + + A %h will be replaced with the + hostname. + +Default: server string = Samba %v + + +Example: server string = University of GNUs Samba Server + + + + +set directoryset directory (S) + If set directory = no, then + users of the service may not use the setdir command to change + directory. + + The setdir command is only implemented + in the Digital Pathworks client. See the Pathworks documentation + for details. + +Default: set directory = no + + + + + +set primary group scriptset primary group script (G) + + Thanks to the Posix subsystem in NT a Windows User has a + primary group in addition to the auxiliary groups. This script + sets the primary group in the unix userdatase when an + administrator sets the primary group from the windows user + manager or when fetching a SAM with net rpc + vampire. %u will be replaced + with the user whose primary group is to be set. + %g will be replaced with the group to + set. + +Default: set primary group script = + + +Example: set primary group script = /usr/sbin/usermod -g '%g' '%u' + + + + +set quota commandset quota command (G) + The set quota command should only be used + whenever there is no operating system API available from the OS that + samba can use. + + This option is only available if Samba was configured with the argument --with-sys-quotas or + on linux when ./configure --with-quotas was used and a working quota api + was found in the system. Most packages are configured with these options already. + + This parameter should specify the path to a script that + can set quota for the specified arguments. + + The specified script should take the following arguments: + + + 1 - quota type + + 1 - user quotas + 2 - user default quotas (uid = -1) + 3 - group quotas + 4 - group default quotas (gid = -1) + + + 2 - id (uid for user, gid for group, -1 if N/A) + 3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce) + 4 - block softlimit + 5 - block hardlimit + 6 - inode softlimit + 7 - inode hardlimit + 8(optional) - block size, defaults to 1024 + + + The script should output at least one line of data on success. And nothing on failure. + +Default: set quota command = + + +Example: set quota command = /usr/local/sbin/set_quota + + + + +share modesshare modes (S) + This enables or disables the honoring of + the share modes during a file open. These + modes are used by clients to gain exclusive read or write access + to a file. + + These open modes are not directly supported by UNIX, so + they are simulated using shared memory, or lock files if your + UNIX doesn't support shared memory (almost all do). + + The share modes that are enabled by this option are + DENY_DOS, DENY_ALL, + DENY_READ, DENY_WRITE, + DENY_NONE and DENY_FCB. + + + This option gives full share compatibility and enabled + by default. + + You should NEVER turn this parameter + off as many Windows applications will break if you do so. + +Default: share modes = yes + + + + + +short preserve caseshort preserve case (S) + This boolean parameter controls if new files + which conform to 8.3 syntax, that is all in upper case and of + suitable length, are created upper case, or if they are forced + to be the default case + . This option can be use with preserve case = yes + to permit long filenames to retain their case, while short + names are lowered. + + See the section on NAME MANGLING. + +Default: short preserve case = yes + + + + + +show add printer wizardshow add printer wizard (G) + With the introduction of MS-RPC based printing support + for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will + appear on Samba hosts in the share listing. Normally this folder will + contain an icon for the MS Add Printer Wizard (APW). However, it is + possible to disable this feature regardless of the level of privilege + of the connected user. + + Under normal circumstances, the Windows NT/2000 client will + open a handle on the printer server with OpenPrinterEx() asking for + Administrator privileges. If the user does not have administrative + access on the print server (i.e is not root or a member of the + printer admin group), the OpenPrinterEx() + call fails and the client makes another open call with a request for + a lower privilege level. This should succeed, however the APW + icon will not be displayed. + + Disabling the show add printer wizard + parameter will always cause the OpenPrinterEx() on the server + to fail. Thus the APW icon will never be displayed. + +This does not prevent the same user from having + administrative privilege on an individual printer. + +Default: show add printer wizard = yes + + + + + +shutdown scriptshutdown script (G) + This a full path name to a script called by + smbd + 8 that should + start a shutdown procedure. + + If the connected user posseses the SeRemoteShutdownPrivilege, + right, this command will be run as user. + + The %z %t %r %f variables are expanded as follows: + + + + %z will be substituted with the + shutdown message sent to the server. + + + + %t will be substituted with the + number of seconds to wait before effectively starting the + shutdown procedure. + + + + %r will be substituted with the + switch -r. It means reboot after shutdown + for NT. + + + + %f will be substituted with the + switch -f. It means force the shutdown + even if applications do not respond for NT. + + + + Shutdown script example: + +#!/bin/bash + +$time=0 +let "time/60" +let "time++" + +/sbin/shutdown $3 $4 +$time $1 & + +Shutdown does not return so we need to launch it in background. + + +Default: shutdown script = + + +Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f + + + + +smb passwd filesmb passwd file (G) + This option sets the path to the encrypted smbpasswd file. By + default the path to the smbpasswd file is compiled into Samba. + +Default: smb passwd file = ${prefix}/private/smbpasswd + + +Example: smb passwd file = /etc/samba/smbpasswd + + + + +smb portssmb ports (G) + Specifies which ports the server should listen on for SMB traffic. + +Default: smb ports = 445 139 + + + + + +socket addresssocket address (G) + This option allows you to control what + address Samba will listen for connections on. This is used to + support multiple virtual interfaces on the one server, each + with a different configuration. + + By default Samba will accept connections on any + address. + +Default: socket address = + + +Example: socket address = 192.168.2.20 + + + + +socket optionssocket options (G) + This option allows you to set socket options + to be used when talking with the client. + + Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned. + + This option will typically be used to tune your Samba server + for optimal performance for your local network. There is no way + that Samba can know what the optimal parameters are for your net, + so you must experiment and choose them yourself. We strongly + suggest you read the appropriate documentation for your operating + system first (perhaps man + setsockopt will help). + + You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to + samba-technical@samba.org. + + Any of the supported socket options may be combined + in any way you like, as long as your OS allows it. + + This is the list of socket options currently settable + using this option: + + + SO_KEEPALIVE + SO_REUSEADDR + SO_BROADCAST + TCP_NODELAY + IPTOS_LOWDELAY + IPTOS_THROUGHPUT + SO_SNDBUF * + SO_RCVBUF * + SO_SNDLOWAT * + SO_RCVLOWAT * + + + Those marked with a '*' take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0. + + To specify an argument use the syntax SOME_OPTION = VALUE + for example SO_SNDBUF = 8192. Note that you must + not have any spaces before or after the = sign. + + If you are on a local network then a sensible option + might be: + + socket options = IPTOS_LOWDELAY + + If you have a local network then you could try: + + socket options = IPTOS_LOWDELAY TCP_NODELAY + + If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT. + + Note that several of the options may cause your Samba + server to fail completely. Use these options with caution! + +Default: socket options = TCP_NODELAY + + +Example: socket options = IPTOS_LOWDELAY + + + + +stat cachestat cache (G) + This parameter determines if smbd + 8 will use a cache in order to + speed up case insensitive name mappings. You should never need + to change this parameter. + +Default: stat cache = yes + + + + + +store dos attributesstore dos attributes (S) + If this parameter is set Samba no longer attempts to + map DOS attributes like SYSTEM, HIDDEN, ARCHIVE or READ-ONLY + to UNIX permission bits (such as the map hidden. Instead, DOS attributes will be stored onto an extended + attribute in the UNIX filesystem, associated with the file or directory. + For this to operate correctly, the parameters map hidden, map system, map archive must be set to off. + This parameter writes the DOS attributes as a string into the + extended attribute named "user.DOSATTRIB". This extended attribute + is explicitly hidden from smbd clients requesting an EA list. + On Linux the filesystem must have been mounted with the mount + option user_xattr in order for extended attributes to work, also + extended attributes must be compiled into the Linux kernel. + + +Default: store dos attributes = no + + + + + +strict allocatestrict allocate (S) + This is a boolean that controls the handling of + disk space allocation in the server. When this is set to yes + the server will change from UNIX behaviour of not committing real + disk storage blocks when a file is extended to the Windows behaviour + of actually forcing the disk system to allocate real storage blocks + when a file is created or extended to be a given size. In UNIX + terminology this means that Samba will stop creating sparse files. + This can be slow on some systems. + + When strict allocate is no the server does sparse + disk block allocation when a file is extended. + + Setting this to yes can help Samba return + out of quota messages on systems that are restricting the disk quota + of users. + +Default: strict allocate = no + + + + + +strict lockingstrict locking (S) + This is a boolean that controls the handling of + file locking in the server. When this is set to yes, + the server will check every read and write access for file locks, and + deny access if locks exist. This can be slow on some systems. + + When strict locking is disabled, the server performs file + lock checks only when the client explicitly asks for them. + + Well-behaved clients always ask for lock checks when it + is important. So in the vast majority of cases, strict + locking = no is acceptable. + +Default: strict locking = yes + + + + + +strict syncstrict sync (S) + Many Windows applications (including the Windows 98 explorer + shell) seem to confuse flushing buffer contents to disk with doing + a sync to disk. Under UNIX, a sync call forces the process to be + suspended until the kernel has ensured that all outstanding data in + kernel disk buffers has been safely stored onto stable storage. + This is very slow and should only be done rarely. Setting this + parameter to no (the default) means that + smbd + 8 ignores the Windows + applications requests for a sync call. There is only a possibility + of losing data if the operating system itself that Samba is running + on crashes, so there is little danger in this default setting. In + addition, this fixes many performance problems that people have + reported with the new Windows98 explorer shell file copies. + +Default: strict sync = no + + + + + +sync alwayssync always (S) + This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is no then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is yes then every write will be followed by a fsync() + call to ensure the data is written to disk. Note that + the strict sync parameter must be set to + yes in order for this parameter to have + any affect. + +Default: sync always = no + + + + + +syslogsyslog (G) + This parameter maps how Samba debug messages + are logged onto the system syslog logging levels. Samba debug + level zero maps onto syslog LOG_ERR, debug + level one maps onto LOG_WARNING, debug level + two maps onto LOG_NOTICE, debug level three + maps onto LOG_INFO. All higher levels are mapped to + LOG_DEBUG. + + This parameter sets the threshold for sending messages + to syslog. Only messages with debug level less than this value + will be sent to syslog. + +Default: syslog = 1 + + + + + +syslog onlysyslog only (G) + If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files. + +Default: syslog only = no + + + + + +template homedirtemplate homedir (G) + When filling out the user information for a Windows NT + user, the winbindd + 8 daemon uses this + parameter to fill in the home directory for that user. If the + string %D is present it + is substituted with the user's Windows NT domain name. If the + string %U is present it + is substituted with the user's Windows NT user name. + +Default: template homedir = /home/%D/%U + + + + + +template primary grouptemplate primary group (G) + This option defines the default primary group for + each user created by winbindd + 8's local account management + functions (similar to the 'add user script'). + + +Default: template primary group = nobody + + + + + +template shelltemplate shell (G) + When filling out the user information for a Windows NT + user, the winbindd + 8 daemon uses this + parameter to fill in the login shell for that user. + +No default + + + +time offsettime offset (G) + This parameter is a setting in minutes to add + to the normal GMT to local time conversion. This is useful if + you are serving a lot of PCs that have incorrect daylight + saving time handling. + +Default: time offset = 0 + + +Example: time offset = 60 + + + + +time servertime server (G) + This parameter determines if nmbd + 8 advertises itself as a time server to Windows +clients. + +Default: time server = no + + + + + +unix charsetunix charset (G) + Specifies the charset the unix machine + Samba runs on uses. Samba needs to know this in order to be able to + convert text to the charsets other SMB clients use. + + + This is also the charset Samba will use when specifying arguments + to scripts that it invokes. + + +Default: unix charset = UTF8 + + +Example: unix charset = ASCII + + + + +unix extensionsunix extensions (G) + This boolean parameter controls whether Samba + implments the CIFS UNIX extensions, as defined by HP. + These extensions enable Samba to better serve UNIX CIFS clients + by supporting features such as symbolic links, hard links, etc... + These extensions require a similarly enabled client, and are of + no current use to Windows clients. + +Default: unix extensions = yes + + + + + +unix password syncunix password sync (G) + This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to yes the program specified in the passwd + programparameter is called AS ROOT - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new). + +Default: unix password sync = no + + + + + +update encryptedupdate encrypted (G) + + This boolean parameter allows a user logging on with + a plaintext password to have their encrypted (hashed) password in + the smbpasswd file to be updated automatically as they log + on. This option allows a site to migrate from plaintext + password authentication (users authenticate with plaintext + password over the wire, and are checked against a UNIX account + database) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing all + users to re-enter their passwords via smbpasswd at the time the + change is made. This is a convenience option to allow the change + over to encrypted passwords to be made over a longer period. + Once all users have encrypted representations of their passwords + in the smbpasswd file this parameter should be set to + no. + + In order for this parameter to work correctly the + encrypt passwords parameter must + be set to no when this parameter is set to yes. + + Note that even when this parameter is set a user + authenticating to smbd must still enter a valid + password in order to connect correctly, and to update their hashed + (smbpasswd) passwords. + +Default: update encrypted = no + + + + + +use client driveruse client driver (S) + This parameter applies only to Windows NT/2000 + clients. It has no effect on Windows 95/98/ME clients. When + serving a printer to Windows NT/2000 clients without first installing + a valid printer driver on the Samba host, the client will be required + to install a local printer driver. From this point on, the client + will treat the print as a local printer and not a network printer + connection. This is much the same behavior that will occur + when disable spoolss = yes. + + + The differentiating factor is that under normal + circumstances, the NT/2000 client will attempt to open the network + printer using MS-RPC. The problem is that because the client + considers the printer to be local, it will attempt to issue the + OpenPrinterEx() call requesting access rights associated with the + logged on user. If the user possesses local administator rights but + not root privilegde on the Samba host (often the case), the + OpenPrinterEx() call will fail. The result is that the client will + now display an "Access Denied; Unable to connect" message + in the printer queue window (even though jobs may successfully be + printed). + + If this parameter is enabled for a printer, then any attempt + to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped + to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() + call to succeed. This parameter MUST not be able enabled + on a print share which has valid print driver installed on the Samba + server. + +Default: use client driver = no + + + + + +use kerberos keytabuse kerberos keytab (G) + +Specifies whether Samba should attempt to maintain service principals in the systems +keytab file for host/FQDN and cifs/FQDN. + + +When you are using the heimdal Kerberos libraries, you must also +specify the following in /etc/krb5.conf: + + +[libdefaults] + default_keytab_name = FILE:/etc/krb5.keytab + + +Default: use kerberos keytab = False + + + + + +use mmapuse mmap (G) + This global parameter determines if the tdb internals of Samba can + depend on mmap working correctly on the running system. Samba requires a coherent + mmap/read-write system memory cache. Currently only HPUX does not have such a + coherent cache, and so this parameter is set to no by + default on HPUX. On all other systems this parameter should be left alone. This + parameter is provided to help the Samba developers track down problems with + the tdb internal code. + + +Default: use mmap = yes + + + + + +userusernameuserThis parameter is a synonym for username. +usersusernameusersThis parameter is a synonym for username. +usernameusername (S) + Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right). + + The username line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead. + + The username line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + username line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely. + + Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do. + + To restrict a service to a particular set of users you + can use the valid users + parameter. + + If any of the usernames begin with a '@' then the name + will be looked up first in the NIS netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name. + + If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name. + + If any of the usernames begin with a '&' then the name + will be looked up only in the NIS netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name. + + Note that searching though a groups database can take + quite some time, and some clients may time out during the + search. + + See the section NOTE ABOUT + USERNAME/PASSWORD VALIDATION for more information on how +this parameter determines access to the services. + +Default: username = +# The guest account if a guest service, + else <empty string>. + + +Example: username = fred, mary, jack, jane, @users, @pcgroup + + + + +username levelusername level (G) + This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine. + + If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try while trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as AstrangeUser + . + + This parameter is needed only on UNIX systems that have case + sensitive usernames. + +Default: username level = 0 + + +Example: username level = 5 + + + + +username mapusername map (G) + This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files. + + The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long. + + The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line. + + If any line begins with a '#' or a ';' then it is ignored + + If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file. + + For example to map from the name admin + or administrator to the UNIX name + root you would use: + + root = admin administrator + + Or to map anyone in the UNIX group system + to the UNIX name sys you would use: + + sys = @system + + You can have as many mappings as you like in a username map file. + + + If your system supports the NIS NETGROUP option then + the netgroup database is checked before the /etc/group + database for matching groups. + + You can map Windows usernames that have spaces in them + by using double quotes around the name. For example: + + tridge = "Andrew Tridgell" + + would map the windows username "Andrew Tridgell" to the + unix username "tridge". + + The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line. + + +!sys = mary fred +guest = * + + + Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for mary not + fred. The only exception to this is the + username passed to the + password server (if you have one). The password + server will receive whatever username the client supplies without + modification. + + Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job. + + + Samba versions prior to 3.0.8 would only support reading the fully qualified + username (e.g.: DOMAIN\user) from the username map when performing a + kerberos login from a client. However, when looking up a map + entry for a user authenticated by NTLM[SSP], only the login name would be + used for matches. This resulted in inconsistent behavior sometimes + even on the same server. + + + + The following functionality is obeyed in version 3.0.8 and later: + + + + When performing local authentication, the username map is + applied to the login name before attempting to authenticate + the connection. + + + + When relying upon a external domain controller for validating + authentication requests, smbd will apply the username map + to the fully qualified username (i.e. DOMAIN\user) only + after the user has been successfully authenticated. + + +Default: username map = +# no username map + + +Example: username map = /usr/local/samba/lib/users.map + + + + +use sendfileuse sendfile (S) + If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX + and ReadRaw) will use the more efficient sendfile system call for files that + are exclusively oplocked. This may make more efficient use of the system CPU's + and cause Samba to be faster. Samba automatically turns this off for clients + that use protocol levels lower than NT LM 0.12 and when it detects a client is + Windows 9x (using sendfile from Linux will cause these clients to fail). + + +Default: use sendfile = yes + + + + + +use spnegouse spnego (G) + This variable controls controls whether samba will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + WindowsXP and Windows2000 clients to agree upon an authentication mechanism. + + + + Unless further issues are discovered with our SPNEGO + implementation, there is no reason this should ever be + disabled. + +Default: use spnego = yes + + + + + +utmputmp (G) + This boolean parameter is only available if + Samba has been configured and compiled with the option + --with-utmp. If set to yes then Samba will attempt + to add utmp or utmpx records (depending on the UNIX system) whenever a + connection is made to a Samba server. Sites may use this to record the + user connecting to a Samba share. + + Due to the requirements of the utmp record, we + are required to create a unique identifier for the + incoming user. Enabling this option creates an n^2 + algorithm to find this number. This may impede + performance on large installations. + +Default: utmp = no + + + + + +utmp directoryutmp directory (G) + This parameter is only available if Samba has + been configured and compiled with the option + --with-utmp. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + /var/run/utmp on Linux). + +Default: utmp directory = +# Determined automatically + + +Example: utmp directory = /var/run/utmp + + + + +-valid-valid (S) + This parameter indicates whether a share is + valid and thus can be used. When this parameter is set to false, + the share will be in no way visible nor accessible. + + + + This option should not be + used by regular users but might be of help to developers. + Samba uses this option internally to mark shares as deleted. + + +Default: -valid = yes + + + + + +valid usersvalid users (S) + This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + invalid users parameter. + + If this is empty (the default) then any user can login. + If a username is in both this list and the invalid + users list then access is denied for that user. + + The current servicename is substituted for %S + . This is useful in the [homes] section. + +Default: valid users = +# No valid users list (anyone can login) + + +Example: valid users = greg, @pcusers + + + + +veto filesveto files (S) + This is a list of files and directories that + are neither visible nor accessible. Each entry in the list must + be separated by a '/', which allows spaces to be included + in the entry. '*' and '?' can be used to specify multiple files + or directories as in DOS wildcards. + + Each entry must be a unix path, not a DOS path and + must not include the unix directory + separator '/'. + + Note that the case sensitive option + is applicable in vetoing files. + + One feature of the veto files parameter that it + is important to be aware of is Samba's behaviour when + trying to delete a directory. If a directory that is + to be deleted contains nothing but veto files this + deletion will fail unless you also set + the delete veto files parameter to + yes. + + Setting this parameter will affect the performance + of Samba, as it will be forced to check all files and directories + for a match as they are scanned. + +Default: veto files = +# No files or directories are vetoed. + + +Example: veto files = +; Veto any files containing the word Security, +; any ending in .tmp, and any directory containing the +; word root. +veto files = /*Security*/*.tmp/*root*/ + +; Veto the Apple specific files that a NetAtalk server +; creates. +veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ + + + + + +veto oplock filesveto oplock files (S) + This parameter is only valid when the + oplocks + parameter is turned on for a share. It allows the Samba administrator + to selectively turn off the granting of oplocks on selected files that + match a wildcarded list, similar to the wildcarded list used in the + veto files + parameter. + + + You might want to do this on files that you know will + be heavily contended for by clients. A good example of this + is in the NetBench SMB benchmark program, which causes heavy + client contention for files ending in .SEM. + To cause Samba not to grant oplocks on these files you would use + the line (either in the [global] section or in the section for + the particular NetBench share : + +Default: veto oplock files = +# No files are vetoed for oplock grants + + +Example: veto oplock files = /.*SEM/ + + + + +vfs objectvfs objectsvfs objectThis parameter is a synonym for vfs objects. +vfs objectsvfs objects (S) + This parameter specifies the backend names which + are used for Samba VFS I/O operations. By default, normal + disk I/O operations are used but these can be overloaded + with one or more VFS objects. + +Default: vfs objects = + + +Example: vfs objects = extd_audit recycle + + + + +volumevolume (S) + This allows you to override the volume label + returned for a share. Useful for CDROMs with installation programs + that insist on a particular volume label. + +Default: volume = +# the name of the share + + + + + +wide linkswide links (S) + This parameter controls whether or not links + in the UNIX file system may be followed by the server. Links + that point to areas within the directory tree exported by the + server are always allowed; this parameter controls access only + to areas that are outside the directory tree being exported. + + Note that setting this parameter can have a negative + effect on your server performance due to the extra system calls + that Samba has to do in order to perform the link checks. + +Default: wide links = yes + + + + + +winbind cache timewinbind cache time (G) + This parameter specifies the number of + seconds the winbindd + 8 daemon will cache + user and group information before querying a Windows NT server + again. + This does not apply to authentication requests, + these are always evaluated in real time. + +Default: winbind cache time = 300 + + + + + +winbind enable local accountswinbind enable local accounts (G) + This parameter controls whether or not winbindd + will act as a stand in replacement for the various account + management hooks in smb.conf (e.g. 'add user script'). + If enabled, winbindd will support the creation of local + users and groups as another source of UNIX account information + available via getpwnam() or getgrgid(), etc... + + +Default: winbind enable local accounts = no + + + + + +winbind enum groupswinbind enum groups (G) + On large installations using winbindd + 8 it may be necessary to suppress + the enumeration of groups through the setgrent(), + getgrent() and + endgrent() group of system calls. If + the winbind enum groups parameter is + no, calls to the getgrent() system + call will not return any data. + +Turning off group enumeration may cause some programs to behave oddly. + +Default: winbind enum groups = yes + + + + + +winbind enum userswinbind enum users (G) + On large installations using winbindd + 8 it may be + necessary to suppress the enumeration of users through the setpwent(), + getpwent() and + endpwent() group of system calls. If + the winbind enum users parameter is + no, calls to the getpwent system call + will not return any data. + +Turning off user + enumeration may cause some programs to behave oddly. For + example, the finger program relies on having access to the + full user list when searching for matching + usernames. + +Default: winbind enum users = yes + + + + + +winbind nested groupswinbind nested groups (G) + If set to yes, this parameter activates the support for nested + groups. Nested groups are also called local groups or + aliases. They work like their counterparts in Windows: Nested + groups are defined locally on any machine (they are shared + between DC's through their SAM) and can contain users and + global groups from any trusted SAM. To be able to use nested + groups, you need to run nss_winbind. + Please note that per 3.0.3 this is a new feature, so + handle with care. + +Default: winbind nested groups = no + + + + + +winbind separatorwinbind separator (G) + This parameter allows an admin to define the character + used when listing a username of the form of DOMAIN + \user. This parameter + is only applicable when using the pam_winbind.so + and nss_winbind.so modules for UNIX services. + + + Please note that setting this parameter to + causes problems + with group membership at least on glibc systems, as the character + + is used as a special character for NIS in /etc/group. + +Default: winbind separator = '\' + + +Example: winbind separator = + + + + + +winbind trusted domains onlywinbind trusted domains only (G) + This parameter is designed to allow Samba servers that + are members of a Samba controlled domain to use UNIX accounts + distributed via NIS, rsync, or LDAP as the uid's for winbindd users + in the hosts primary domain. Therefore, the user DOMAIN\user1 would + be mapped to the account user1 in /etc/passwd instead of allocating + a new uid for him or her. + + +Default: winbind trusted domains only = no + + + + + +winbind use default domainwinbind use default domain (G) + This parameter specifies whether the + winbindd + 8 daemon should operate on users + without domain component in their username. Users without a domain + component are treated as is part of the winbindd server's own + domain. While this does not benifit Windows users, it makes SSH, FTP and + e-mail function in a way much closer to the way they + would in a native unix system. + +Default: winbind use default domain = no + + +Example: winbind use default domain = yes + + + + +wins hookwins hook (G) + When Samba is running as a WINS server this + allows you to call an external program for all changes to the + WINS database. The primary use for this option is to allow the + dynamic update of external name resolution databases such as + dynamic DNS. + + The wins hook parameter specifies the name of a script + or executable that will be called as follows: + + wins_hook operation name nametype ttl IP_list + + + + The first argument is the operation and is + one of "add", "delete", or + "refresh". In most cases the operation + can be ignored as the rest of the parameters + provide sufficient information. Note that + "refresh" may sometimes be called when + the name has not previously been added, in that + case it should be treated as an add. + + + + The second argument is the NetBIOS name. If the + name is not a legal name then the wins hook is not called. + Legal names contain only letters, digits, hyphens, underscores + and periods. + + + + The third argument is the NetBIOS name + type as a 2 digit hexadecimal number. + + + + The fourth argument is the TTL (time to live) + for the name in seconds. + + + + The fifth and subsequent arguments are the IP + addresses currently registered for that name. If this list is + empty then the name should be deleted. + + + + An example script that calls the BIND dynamic DNS update + program nsupdate is provided in the examples + directory of the Samba source code. + +No default + + + +wins proxywins proxy (G) + This is a boolean that controls if nmbd + 8 will respond to broadcast name + queries on behalf of other hosts. You may need to set this + to yes for some older clients. + +Default: wins proxy = no + + + + + +wins serverwins server (G) + This specifies the IP address (or DNS name: IP + address for preference) of the WINS server that nmbd + 8 should register with. If you have a WINS server on + your network then you should set this to the WINS server's IP. + + You should point this at your WINS server if you have a + multi-subnetted network. + + If you want to work in multiple namespaces, you can + give every wins server a 'tag'. For each tag, only one + (working) server will be queried for a name. The tag should be + separated from the ip address by a colon. + + + You need to set up Samba to point + to a WINS server if you have multiple subnets and wish cross-subnet + browsing to work correctly. + See the . + +Default: wins server = + + +Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 + +# For this example when querying a certain name, 192.19.200.1 will + be asked first and if that doesn't respond 192.168.2.61. If either + of those doesn't know the name 192.168.3.199 will be queried. + +Example: wins server = 192.9.200.1 192.168.2.61 + + + + +wins supportwins support (G) + This boolean controls if the nmbd + 8 process in Samba will act as a WINS server. You should + not set this to yes unless you have a multi-subnetted network and + you wish a particular nmbd to be your WINS server. + Note that you should NEVER set this to yes + on more than one machine in your network. + + +Default: wins support = no + + + + + +workgroupworkgroup (G) + This controls what workgroup your server will + appear to be in when queried by clients. Note that this parameter + also controls the Domain name used with + the security = domain + setting. + +Default: workgroup = WORKGROUP + + +Example: workgroup = MYGROUP + + + + +writablewriteablewritableThis parameter is a synonym for writeable. +writeablewriteable (S) + Inverted synonym for + read only. + +No default + + + +write cache sizewrite cache size (S) + If this integer parameter is set to non-zero value, + Samba will create an in-memory cache for each oplocked file + (it does not do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it. + + This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (i.e. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs. + + The integer parameter specifies the size of this cache + (per oplocked file) in bytes. + +Default: write cache size = 0 + + +Example: write cache size = 262144 +# for a 256k cache size per file + + + + +write listwrite list (S) + This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the + read only + option is set to. The list can include group names using the + @group syntax. + + Note that if a user is in both the read list and the + write list then they will be given write access. + + This parameter will not work with the + security = share in + Samba 3.0. This is by design. + + +Default: write list = + + +Example: write list = admin, root, @staff + + + + +write rawwrite raw (G) + This parameter controls whether or not the server + will support raw write SMB's when transferring data from clients. + You should never need to change this parameter. + +Default: write raw = yes + + + + + +wtmp directorywtmp directory (G) + This parameter is only available if Samba has + been configured and compiled with the option + --with-utmp. It specifies a directory pathname that is + used to store the wtmp or wtmpx files (depending on the UNIX system) that + record user connections to a Samba server. The difference with + the utmp directory is the fact that user info is kept after a user + has logged out. + + + By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + /var/run/wtmp on Linux). + +Default: wtmp directory = + + +Example: wtmp directory = /var/log/wtmp + + + + diff --git a/docs/manpages-4/gentest.1.xml b/docs/manpages-4/gentest.1.xml new file mode 100644 index 00000000000..377d2f2e967 --- /dev/null +++ b/docs/manpages-4/gentest.1.xml @@ -0,0 +1,158 @@ + + + + + + + gentest + 1 + + + + + gentest + Run random generic SMB operations against two SMB servers + and show the differences in behavior + + + + + gentest + //server1/share1 + //server2/share2 + -U user%pass + -U user%pass + -s seed + -o numops + -a + -A + -i FILE + -O + -S FILE + -L + -F + -C + -X + + + + + + DESCRIPTION + + gentest is a utility for + detecting differences in behaviour between SMB servers. + It will run a random set of generic operations against + //server1/share1 and then the same + random set against //server2/share2 + and display the differences in the responses it gets. + + + + This utility is used by the Samba team to find differences in + behaviour between Samba and Windows servers. + + + + + + OPTIONS + + + + -U user%pass + + Specify the user and password to use when logging on + on the shares. This parameter is mandatory and has to + be specified twice. + + + + + -s seed + + Seed the random number generator with the specified value. + + + + + -o numops + Set the number of operations to perform. + + + + -a + Print the operations that are performed. + + + + -A + Backtrack to find minimal number of operations + required to make the response to a certain call differ. + + + + + -i FILE + + Specify a file containing the names of fields that + have to be ignored (such as time fields). See + below for a description of the file format. + + + + + -O + Enable oplocks. + + + + -S FILE + Set preset seeds file. The default is gentest_seeds.dat. + + + + -L + Use preset seeds + + + + -F + Fast reconnect (just close files) + + + + -C + Continuous analysis mode + + + + -X + Analyse even when the test succeeded. + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + Samba + + + + + AUTHOR + + gentest was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/gregedit.1.xml b/docs/manpages-4/gregedit.1.xml new file mode 100644 index 00000000000..c89a7df520f --- /dev/null +++ b/docs/manpages-4/gregedit.1.xml @@ -0,0 +1,86 @@ + + + + + + + gregedit + 1 + + + + + gregedit + Windows registry file viewer for GTK+ + + + + + gregedit + --help + --backend=BACKEND + --credentials=CREDENTIALS + location + + + + + DESCRIPTION + + gregedit is a GTK+ frontend to the Windows registry file support + in Samba4. It currently supports NT4 file, 9x file, gconf, remote + Windows registries and a file system backend. + + + gregedit tries to imitate the Windows regedit.exe program as much + as possible. + + + + + + OPTIONS + + + + --help + + Show list of available options. + + + + --backend BACKEND + Name of backend to load. Possible values are: + w95, nt4, gconf, dir and rpc. The default is dir. + + + + + --credentials=CREDENTIALS + + Credentials to use, if any. Password should be separated from user name by a percent sign. + + + + +&man.registry.backends; + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + + + + AUTHOR + + This manpage and gregedit were written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/ldb.7.xml b/docs/manpages-4/ldb.7.xml new file mode 100644 index 00000000000..aae16806f04 --- /dev/null +++ b/docs/manpages-4/ldb.7.xml @@ -0,0 +1,120 @@ + + + + + + ldb + 7 + + + + + ldb + Lightweight DataBase + + + + DESCRIPTION + + Ldb is a library providing simple LDAP-like database system that + can use either tdb or LDAP as its backend. It's internal API is similar to + that of LDAP. + + ldb is used heavily in Samba 4. It's aim is to provide a LDAP-like + database system at all times, even when no LDAP server is available. + + + + + LDB URLS + + FIXME + + + + + FUNCTIONS + + + ldb_connect(2) + + Connect to an LDAP server or local LDB database stored in TDB. + + + ldb_close(2) + + Close connection to the server. + + + ldb_search(2) + + Search for specified attributes of records that match a LDAP-like search string. + + + ldb_search_free(2) + + Free search results. + + + ldb_add(2) + + Add records. + + + ldb_modify(2) + + Modify records. + + + ldb_delete(2) + + Delete records. + + + ldb_errstring(2) + + Return extended error information from last call. + + + ldb_casefold(2) + + Casefold a string. + + + + + + + + PERFORMANCE + + FIXME + + + + COMPATIBILITY WITH LDAP + FIXME + + + + SEE ALSO + + ldap + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + AUTHOR + + ldb was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/ldbadd.1.xml b/docs/manpages-4/ldbadd.1.xml new file mode 100644 index 00000000000..0b3122ab327 --- /dev/null +++ b/docs/manpages-4/ldbadd.1.xml @@ -0,0 +1,99 @@ + + + + + + ldbadd + 1 + + + + + ldbadd + Command-line utility for adding records to an LDB + + + + + ldbadd + -h + -H LDB-URL + ldif-file1 + ldif-file2 + ... + + + + + DESCRIPTION + + ldbadd adds records to an ldb(7) database. It reads + the ldif(5) files specified on the command line and adds + the records from these files to the LDB database, which is specified + by the -H option or the LDB_URL environment variable. + + + If - is specified as a ldb file, the ldif input is read from + standard input. + + + + + + OPTIONS + + + + -h + + Show list of available options. + + + + -H <ldb-url> + + LDB URL to connect to. See ldb(7) for details. + + + + + + + + + ENVIRONMENT + + + LDB_URL + LDB URL to connect to (can be overrided by using the + -H command-line option.) + + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + ldb(7), ldbmodify, ldbdel, ldif(5) + + + + + AUTHOR + + &man.credits.samba; + + ldbadd was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/ldbdel.1.xml b/docs/manpages-4/ldbdel.1.xml new file mode 100644 index 00000000000..2f98f9d427b --- /dev/null +++ b/docs/manpages-4/ldbdel.1.xml @@ -0,0 +1,97 @@ + + + + + + ldbdel + 1 + + + + + ldbdel + Command-line program for deleting LDB records + + + + + ldbdel + -h + -H LDB-URL + dn + ... + + + + + DESCRIPTION + + ldbdel deletes records from an ldb(7) database. + It deletes the records identified by the dn's specified + on the command-line. + + ldbdel uses either the database that is specified with + the -H option or the database specified by the LDB_URL environment + variable. + + + + + + OPTIONS + + + + -h + + Show list of available options. + + + + -H <ldb-url> + + LDB URL to connect to. See ldb(7) for details. + + + + + + + + + ENVIRONMENT + + + LDB_URL + LDB URL to connect to (can be overrided by using the + -H command-line option.) + + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + ldb(7), ldbmodify, ldbadd, ldif(5) + + + + + AUTHOR + + &man.credits.samba; + + ldbdel was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/ldbedit.1.xml b/docs/manpages-4/ldbedit.1.xml new file mode 100644 index 00000000000..0b5c63a17a8 --- /dev/null +++ b/docs/manpages-4/ldbedit.1.xml @@ -0,0 +1,125 @@ + + + + + + ldbedit + 1 + + + + + ldbedit + Edit LDB databases using your favorite editor + + + + + ldbedit + -h + -s base|one|sub + -b basedn + -a + -e editor + -H LDB-URL + expression + attributes + + + + + DESCRIPTION + + ldbedit is a utility that allows you to edit LDB files using + your favorite editor. ldbedit generates an LDIF file based on + your query, allows you to edit it and then merges it back + into the LDB database. + + + + + + + OPTIONS + + + + -h + + Show list of available options. + + + + -H <ldb-url> + + LDB URL to connect to. See ldb(7) for details. + + + + + -s one|sub|base + Search scope to use. One-level, subtree or base. + + + + -a + Edit all records. + + + + -e editor + Specify the editor that should be used (overrides + the VISUAL and EDITOR environment variables). + + + + -b basedn + Specify Base DN to use. + + + + + + + + ENVIRONMENT + + + LDB_URL + LDB URL to connect to (can be overrided by using the + -H command-line option.) + + VISUAL and EDITOR + Environment variables used to determine what + editor to use. If VISUAL isn't set, EDITOR is used. + + + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + ldb(7), ldbmodify, ldbdel, ldif(5) + + + + + AUTHOR + + &man.credits.samba; + + ldbedit was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/ldbmodify.1.xml b/docs/manpages-4/ldbmodify.1.xml new file mode 100644 index 00000000000..e39f74fffaf --- /dev/null +++ b/docs/manpages-4/ldbmodify.1.xml @@ -0,0 +1,87 @@ + + + + + + ldbmodify + 1 + + + + + ldbmodify + Modify records in a LDB database + + + + + ldbmodify + -H LDB-URL + ldif-file + + + + + DESCRIPTION + + + ldbmodify changes, adds and deletes records in a LDB database. + The changes that should be made to the LDB database are read from + the specified LDIF-file. If - is specified as the filename, input is read from stdin. + + + For now, see ldapmodify(1) for details on the LDIF file format. + + + + + + OPTIONS + + + + -H <ldb-url> + + LDB URL to connect to. See ldb(7) for details. + + + + + + + ENVIRONMENT + + + LDB_URL + LDB URL to connect to (can be overrided by using the + -H command-line option.) + + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + ldb(7), ldbedit + + + + + AUTHOR + + &man.credits.samba; + + ldbmodify was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/ldbrename.1.xml b/docs/manpages-4/ldbrename.1.xml new file mode 100644 index 00000000000..32456243af2 --- /dev/null +++ b/docs/manpages-4/ldbrename.1.xml @@ -0,0 +1,101 @@ + + + + + + ldbrename + 1 + + + + + ldbrename + Edit LDB databases using your favorite editor + + + + + ldbrename + -h + -o options + olddn + newdb + + + + + DESCRIPTION + + ldbrename is a utility that allows you to rename trees in + an LDB database based by DN. This utility takes + two arguments: the original + DN name of the top element and the DN to change it to. + + + + + + + OPTIONS + + + + -h + + Show list of available options. + + + + -H <ldb-url> + + LDB URL to connect to. See ldb(7) for details. + + + + + -o options + Extra ldb options, such as + modules. + + + + + + + + ENVIRONMENT + + + LDB_URL + LDB URL to connect to (can be overrided by using the + -H command-line option.) + + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + ldb(7), ldbmodify, ldbdel, ldif(5) + + + + + AUTHOR + + &man.credits.samba; + + ldbrename was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/ldbsearch.1.xml b/docs/manpages-4/ldbsearch.1.xml new file mode 100644 index 00000000000..8361aa97ffc --- /dev/null +++ b/docs/manpages-4/ldbsearch.1.xml @@ -0,0 +1,113 @@ + + + + + + ldbsearch + 1 + + + + + ldbsearch + Search for records in a LDB database + + + + + ldbsearch + -h + -s base|one|sub + -b basedn + -i + -H LDB-URL + expression + attributes + + + + + DESCRIPTION + + ldbsearch searches a LDB database for records matching the + specified expression (see the ldapsearch(1) manpage for + a description of the expression format). For each + record, the specified attributes are printed. + + + + + + + OPTIONS + + + + -h + + Show list of available options. + + + + -H <ldb-url> + + LDB URL to connect to. See ldb(7) for details. + + + + + -s one|sub|base + Search scope to use. One-level, subtree or base. + + + + -i + Read search expressions from stdin. + + + + -b basedn + Specify Base DN to use. + + + + + + + + ENVIRONMENT + + + LDB_URL + LDB URL to connect to (can be overrided by using the + -H command-line option.) + + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + ldb(7), ldbedit + + + + + AUTHOR + + &man.credits.samba; + + ldbsearch was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/locktest.1.xml b/docs/manpages-4/locktest.1.xml new file mode 100644 index 00000000000..5b386fdeb24 --- /dev/null +++ b/docs/manpages-4/locktest.1.xml @@ -0,0 +1,157 @@ + + + + + + locktest + 1 + + + + + locktest + Find differences in locking between two SMB servers + + + + + locktest + //server1/share1 + //server2/share2 + -U user%pass + -U user%pass + -s seed + -o numops + -a + -O + -E + -Z + -R range + -B base + -M min + + + + + + DESCRIPTION + + locktest is a utility for + detecting differences in behaviour in locking between SMB servers. + It will run a random set of locking operations against + //server1/share1 and then the same + random set against //server2/share2 + and display the differences in the responses it gets. + + + + This utility is used by the Samba team to find differences in + behaviour between Samba and Windows servers. + + + + + + OPTIONS + + + + -U user%pass + + Specify the user and password to use when logging on + on the shares. This parameter can be specified twice + (once for the first server, once for the second). + + + + + -s seed + + Seed the random number generator with the specified value. + + + + + -o numops + Set the number of operations to perform. + + + + -a + Print the operations that are performed. + + + + -A + Backtrack to find minimal number of operations + required to make the response to a certain call differ. + + + + + -O + Enable oplocks. + + + + -u + Hide unlock fails. + + + + -E + enable exact error code checking + + + + -Z + enable the zero/zero lock + + + + -R range + set lock range + + + + -B base + set lock base + + + + -M min + set min lock length + + + + -k + Use kerberos + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + Samba + + + + + AUTHOR + + &man.credits.samba; + + locktest was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/masktest.1.xml b/docs/manpages-4/masktest.1.xml new file mode 100644 index 00000000000..3dad70bb043 --- /dev/null +++ b/docs/manpages-4/masktest.1.xml @@ -0,0 +1,139 @@ + + + + + + masktest + 1 + + + + + masktest + Find differences in wildcard matching between + Samba's implementation and that of a remote server. + + + + + masktest + //server/share + -U user%pass + -d debuglevel + -W workgroup + -n numloops + -s seed + -a + -E + -M max protocol + -f filechars + -m maskchars + -v + + + + + + DESCRIPTION + + masktest is a utility for + detecting differences in behaviour between Samba's + own implementation and that of a remote server. + It will run generate random filenames/masks and + check if these match the same files they do on the remote file as + they do on the local server. It will display any differences it finds. + + + + This utility is used by the Samba team to find differences in + behaviour between Samba and Windows servers. + + + + + + OPTIONS + + + + -U user%pass + + Specify the user and password to use when logging on + on the shares. This parameter can be specified twice + (once for the first server, once for the second). + + + + + -s seed + + Seed the random number generator with the specified value. + + + + + -n numops + Set the number of operations to perform. + + + + -a + Print the operations that are performed. + + + + -M max_protocol + + Maximum protocol to use. + + + + + -f + Specify characters that can be used + when generating file names. Default: abcdefghijklm. + + + + -E + Abort when difference in behaviour is found. + + + + -m maskchars + Specify characters used for wildcards. + + + + -v + Be verbose + + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + Samba + + + + + AUTHOR + + &man.credits.samba; + + masktest was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/ndrdump.1.xml b/docs/manpages-4/ndrdump.1.xml new file mode 100644 index 00000000000..55ac95491a6 --- /dev/null +++ b/docs/manpages-4/ndrdump.1.xml @@ -0,0 +1,83 @@ + + + + + + ndrdump + 1 + + + + + ndrdump + DCE/RPC Packet Parser and Dumper + + + + + ndrdump + -c context + pipe + function + in|out + filename + + + ndrdump + pipe + + + ndrdump + + + + + DESCRIPTION + + ndrdump tries to parse the specified filename + using Samba's parser for the specified pipe and function. The + third argument should be + either in or out, depending + on whether the data should be parsed as a request or a reply. + + Running ndrdump without arguments will list the pipes for which + parsers are available. + + Running ndrdump with one argument will list the functions that + Samba can parse for the specified pipe. + + The primary function of ndrdump is debugging Samba's internal + DCE/RPC parsing functions. The file being parsed is usually + one exported by ethereal's Export selected packet bytes + function. + + The context argument can be used to load context data from the request + packet when parsing reply packets (such as array lengths). + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + ethereal, pidl + + + + + AUTHOR + + &man.credits.samba; + + ndrdump was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/ntlm_auth.1.xml b/docs/manpages-4/ntlm_auth.1.xml new file mode 100644 index 00000000000..1677500112d --- /dev/null +++ b/docs/manpages-4/ntlm_auth.1.xml @@ -0,0 +1,269 @@ + + + + + + ntlm_auth + 1 + + + + + ntlm_auth + tool to allow external access to Winbind's NTLM authentication function + + + + + ntlm_auth + -d debuglevel + -l logdir + -s <smb config file> + + + + + DESCRIPTION + + This tool is part of the samba + 7 suite. + + ntlm_auth is a helper utility that authenticates + users using NT/LM authentication. It returns 0 if the users is authenticated + successfully and 1 if access was denied. ntlm_auth uses winbind to access + the user and authentication data for a domain. This utility + is only indended to be used by other programs (currently squid). + + + + + OPERATIONAL REQUIREMENTS + + + The winbindd + 8 daemon must be operational + for many of these commands to function. + + Some of these commands also require access to the directory + winbindd_privileged in + $LOCKDIR. This should be done either by running + this command as root or providing group access + to the winbindd_privileged directory. For + security reasons, this directory should not be world-accessable. + + + + + + OPTIONS + + + + --helper-protocol=PROTO + + Operate as a stdio-based helper. Valid helper protocols are: + + + + squid-2.4-basic + + Server-side helper for use with Squid 2.4's basic (plaintext) + authentication. + + + + squid-2.5-basic + + Server-side helper for use with Squid 2.5's basic (plaintext) + authentication. + + + + squid-2.5-ntlmssp + + Server-side helper for use with Squid 2.5's NTLMSSP + authentication. + Requires access to the directory + winbindd_privileged in + $LOCKDIR. The protocol used is + described here: http://devel.squid-cache.org/ntlm/squid_helper_protocol.html + + + + + ntlmssp-client-1 + + Cleint-side helper for use with arbitary external + programs that may wish to use Samba's NTLMSSP + authentication knowlege. + This helper is a client, and as such may be run by any + user. The protocol used is + effectivly the reverse of the previous protocol. + + + + + + gss-spnego + + Server-side helper that implements GSS-SPNEGO. This + uses a protocol that is almost the same as + squid-2.5-ntlmssp, but has some + subtle differences that are undocumented outside the + source at this stage. + + Requires access to the directory + winbindd_privileged in + $LOCKDIR. + + + + + + gss-spnego-client + + Client-side helper that implements GSS-SPNEGO. This + also uses a protocol similar to the above helpers, but + is currently undocumented. + + + + + + + + + --username=USERNAME + + Specify username of user to authenticate + + + + + + --domain=DOMAIN + + Specify domain of user to authenticate + + + + + --workstation=WORKSTATION + + Specify the workstation the user authenticated from + + + + + --challenge=STRING + NTLM challenge (in HEXADECIMAL) + + + + + --lm-response=RESPONSE + LM Response to the challenge (in HEXADECIMAL) + + + + --nt-response=RESPONSE + NT or NTLMv2 Response to the challenge (in HEXADECIMAL) + + + + --password=PASSWORD + User's plaintext passwordIf + not specified on the command line, this is prompted for when + required. + + + + --request-lm-key + Retreive LM session key + + + + --request-nt-key + Request NT key + + + + --diagnostics + Perform Diagnostics on the authentication + chain. Uses the password from --password + or prompts for one. + + + + + --require-membership-of={SID|Name} + Require that a user be a member of specified + group (either name or SID) for authentication to succeed. + + + + &popt.common.samba; + &stdarg.help; + + + + + + EXAMPLE SETUP + + To setup ntlm_auth for use by squid 2.5, with both basic and + NTLMSSP authentication, the following + should be placed in the squid.conf file. + +auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp +auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic +auth_param basic children 5 +auth_param basic realm Squid proxy-caching web server +auth_param basic credentialsttl 2 hours + + +This example assumes that ntlm_auth has been installed into your + path, and that the group permissions on + winbindd_privileged are as described above. + + To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above + example, the following should be added to the squid.conf file. + +auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users' +auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users' + + + + + + TROUBLESHOOTING + + If you're experiencing problems with authenticating Internet Explorer running + under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication + helper (--helper-protocol=squid-2.5-ntlmssp), then please read + + the Microsoft Knowledge Base article #239869 and follow instructions described there. + + + + + VERSION + + This man page is correct for version 3.0 of the Samba + suite. + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + The ntlm_auth manpage was written by Jelmer Vernooij and + Andrew Bartlett. + + + diff --git a/docs/manpages-4/pidl.1.xml b/docs/manpages-4/pidl.1.xml new file mode 100644 index 00000000000..574c4200503 --- /dev/null +++ b/docs/manpages-4/pidl.1.xml @@ -0,0 +1,516 @@ + + + + + + pidl + 1 + + + + + pidl + IDL Compiler written in Perl + + + + + pidl + --help + --output OUTNAME + --parse + --dump + --header + --parser + --server + --template + --eparser + --diff + --keep + idlfile + + + + + DESCRIPTION + + pidl is an IDL compiler written in Perl that aims to be somewhat + compatible with the midl compiler. IDL stands for + "Interface Definition Language". + + pidl can generate stubs for DCE/RPC server code, DCE/RPC + client code and ethereal dissectors for DCE/RPC traffic. + + IDL compilers like pidl take a description + of an interface as their input and use it to generate C + (though support for other languages may be added later) code that + can use these interfaces, pretty print data sent + using these interfaces, or even generate ethereal + dissectors that can parse data sent over the + wire by these interfaces. + + pidl takes IDL files in the same format that is used by midl, + converts it to a .pidl file (which contains pidl's internal representation of the interface) and can then generate whatever output you need. + .pidl files should be used for debugging purposes only. Write your + interface definitions in (midl) .idl format. + + + + The goal of pidl is to implement a IDL compiler that can be used + while developing the RPC subsystem in Samba (for + both marshalling/un-marshalling and debugging purposes). + + + + + OPTIONS + + + + --help + + Show list of available options. + + + + --output OUTNAME + Write output files to OUTNAME.*, e.g. + OUTNAME.pidl. If --output is not used, the name of + the input IDL file is used without the extension and the dot + before the extension. + + + + + --parse + + Tell pidl the files specified are (midl-style) IDL files. + + + + + --dump + + Convert .pidl files to (midl-style) IDL files. FIle will be named OUTNAME.idl. + + + + + --header + + Generate a C header file for the specified interface. File will be named OUTNAME.h. + + + + + --parser + + Generate a C file capable of parsing data sent using the interface. + File will be named OUTNAME.c. + + + + + + --server + + Generate boilerplate for the RPC server that implements + the interface. Generates OUTNAME_s.c + + + + + --template + + Generate stubs for a RPC server that implements + the interface. Output will be written to stdout. + + + + + + --eparser + + Generate an Ethereal dissector (in C) for the interface. Output will + be written to packet-dcerpc-OUTNAME.c. + + + + + + --diff + + Convert an IDL file to a pidl file and then back to a + IDL file and see if there are any differences with the + original IDL file. Useful for debugging pidl. + + + + + --keep + + Tell pidl to keep the pidl files (used as intermediate files + between the IDL files and the parser/server/etc code). Useful + for debugging pidl. + + + + + + SYNTAX + + IDL files are always preprocessed using the C preprocessor. + + Each IDL file describes exactly one interface. Interfaces + can contain several C-like function definitions. + + Pretty much everything in an interface (the interface itself, + functions, parameters) can have attributes (or properties + whatever name you give them). Attributes + always prepend the element they apply to and are surrounded + by square brackets ([]). Multiple attributes + are separated by comma's; arguments to attributes are + specified between parentheses. + + See the section COMPATIBILITY for the list of attributes that + pidl supports. + + C-style comments can be used. + + + + + MIDL TYPES + + +pidl uses slightly different types to midl by default. The following +defines in your MS IDL may make things easier to use the same IDL on +both platforms. + + + +#define unistr [string] wchar_t * +#define uint8 char +#define uint16 short +#define uint32 long +#define HYPER_T hyper + + + + Let's look at the multiple ways you can encode an array. + + + + CONFORMANT ARRAYS + + +A conformant array is one with that ends in [*] or []. The strange +things about conformant arrays are: + + + + they can only appear as the last element of a structure + the array size appears before the structure itself on the wire. + + + + So, in this example: + + + + typedef struct { + long abc; + long count; + long foo; + [size_is(count)] long s[*]; + } Struct1; + + + +it appears like this: + + + +[size_is] [abc] [count] [foo] [s...] + + + +the first [size_is] field is the allocation size of the array, and +occurs before the array elements and even before the structure +alignment. + + + +Note that size_is() can refer to a constant, but that doesn't change +the wire representation. It does not make the array a fixed array. + + + +midl.exe would write the above array as the following C header: + + + + typedef struct { + long abc; + long count; + long foo; + long s[1]; + } Struct1; + + + +pidl takes a different approach, and writes it like this: + + + + typedef struct { + long abc; + long count; + long foo; + long *s; + } Struct1; + + + + + + VARYING ARRAYS + + + +A varying array looks like this: + + + + typedef struct { + long abc; + long count; + long foo; + [size_is(count)] long *s; + } Struct1; + + + +This will look like this on the wire: + + + +[abc] [count] [foo] [PTR_s] [count] [s...] + + + + + + FIXED ARRAYS + + +A fixed array looks like this: + + + + typedef struct { + long s[10]; + } Struct1; + + + +The NDR representation looks just like 10 separate long +declarations. The array size is not encoded on the wire. + + + +pidl also supports "inline" arrays, which are not part of the IDL/NDR +standard. These are declared like this: + + + + typedef struct { + uint32 foo; + uint32 count; + uint32 bar; + long s[count]; + } Struct1; + + + +This appears like this: + + + +[foo] [count] [bar] [s...] + + + +Fixed arrays are an extension added to support some of the strange +embedded structures in security descriptors and spoolss. + + + + + + + COMPATIBILITY WITH MIDL + + + Asynchronous communication + + + + + + Typelibs (.tlb files) + + + + + + Pointers + + Pidl does not support "full" pointers in the DCE meaning of the word. However, its "unique" pointer is compatible with MIDL's full ("ptr") pointer support. + + Pidl does not assume all top level pointers for functions are + "ref". + + + + Datagram support + + ncadg is not supported yet. + + + + Supported properties (attributes is the MIDL term) + + +in, out, ref, length_is, switch_is, size_is, uuid, case, default, string, unique, ptr, pointer_default, v1_enum, object, helpstring, range, local, call_as, endpoint, switch_type, progid, coclass, iid_is. + + + + + + PIDL Specific properties + + + public + +The [public] property on a structure or union is a pidl extension that +forces the generated pull/push functions to be non-static. This allows +you to declare types that can be used between modules. If you don't +specify [public] then pull/push functions for other than top-level +functions are declared static. + + + + noprint + +The [noprint] property is a pidl extension that allows you to specify +that pidl should not generate a ndr_print_*() function for that +structure or union. This is used when you wish to define your own +print function that prints a structure in a nicer manner. A good +example is the use of [noprint] on dom_sid, which allows the +pretty-printing of SIDs. + + + + value + +The [value(expression)] property is a pidl extension that allows you +to specify the value of a field when it is put on the wire. This +allows fields that always have a well-known value to be automatically +filled in, thus making the API more programmer friendly. The +expression can be any C expression, although if you refer to variables +in the current structure you will need to dereference them with +r->. See samr_Name as a good example. + + + + relative + +The [relative] property can be supplied on a pointer. When it is used +it declares the pointer as a spoolss style "relative" pointer, which +means it appears on the wire as an offset within the current +encapsulating structure. This is not part of normal IDL/NDR, but it is +a very useful extension as it avoids the manual encoding of many +complex structures. + + + + subcontext(length) + + Specifies that a size of length + bytes should be read, followed by a blob of that size, + which will be parsed as NDR. + + + + flag + + Specify boolean options, mostly used for + low-level NDR options. Several options + can be specified using the | character. + Note that flags are inherited by substructures! + + + + nodiscriminant + +The [nodiscriminant] property on a union means that the usual uint16 +discriminent field at the start of the union on the wire is +omitted. This is not normally allowed in IDL/NDR, but is used for some +spoolss structures. + + + + align + + Force the alignment of the field this attribute is placed + on to the number of bytes specified. + + + + + + + Unsupported MIDL properties + +aggregatable, appobject, async_uuid, bindable, control, cpp_quote, defaultbind, defaultcollelem, defaultvalue, defaultvtable, dispinterface, displaybind, dual, entry, first_is, helpcontext, helpfile, helpstringcontext, helpstringdll, hidden, idl_module, idl_quote, id, immediatebind, importlib, import, include, includelib, last_is, lcid, licensed, max_is, module, ms_union, no_injected_text, nonbrowsable, noncreatable, nonextensible, odl, oleautomation, optional, pragma, propget, propputref, propput, readonly, requestedit, restricted, retval, source, transmit_as, uidefault, usesgetlasterror, vararg, vi_progid, wire_marshal. + + + + + + + BUGS + + + Input should be validated better. + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + Field Attributes [Remote Procedure Call], ethereal + + + + + AUTHOR + + &man.credits.samba; + + pidl was written by Andrew Tridgell, Stefan Metzmacher, Tim + Potter and Jelmer Vernooij. + + This manpage was written by Andrew Tridgell and Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/regdiff.1.xml b/docs/manpages-4/regdiff.1.xml new file mode 100644 index 00000000000..d4d9d75b912 --- /dev/null +++ b/docs/manpages-4/regdiff.1.xml @@ -0,0 +1,102 @@ + + + + + + regdiff + 1 + + + + + regdiff + Diff program for Windows registry files + + + + + regdiff + --help + --backend=BACKEND + --backend=BACKEND + --credentials=CREDENTIALS + --credentials=CREDENTIALS + location + location + + + + + DESCRIPTION + + regdiff compares two Windows registry files key by key + and value by value and generates a text file that contains the + differences between the two files. + + A file generated by regdiff can later be applied to a + registry file by the regpatch utility. + + regdiff and regpatch use the same file format as + the regedit32.exe utility from Windows. + + + + + OPTIONS + + + + --help + + Show list of available options. + + + + --backend BACKEND + Name of backend to load. Possible values are: + w95, nt4, gconf, dir and rpc. The default is dir. + + + This argument can be specified twice: once for the first + registry file and once for the second. + + + + + --credentials=CREDENTIALS + + Credentials to use, if any. Password should be separated from user name by a percent sign. + + + This argument can be specified twice: once for the first + registry file and once for the second. + + + + + +&man.registry.backends; + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + gregedit, regshell, regpatch, regtree, samba, patch, diff + + + + + AUTHOR + + &man.credits.samba; + + This manpage and regdiff were written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/regpatch.1.xml b/docs/manpages-4/regpatch.1.xml new file mode 100644 index 00000000000..f1792d8bc9f --- /dev/null +++ b/docs/manpages-4/regpatch.1.xml @@ -0,0 +1,88 @@ + + + + + + regpatch + 1 + + + + + regpatch + Applies registry patches to registry files + + + + + regpatch + --help + --backend=BACKEND + --credentials=CREDENTIALS + location + patch-file + + + + + DESCRIPTION + + The regpatch utility applies registry patches to Windows registry + files. The patch files should have the same format as is being used + by the regdiff utility and regedit32.exe from Windows. + + If no patch file is specified on the command line, + regpatch attempts to read it from standard input. + + + + + OPTIONS + + + + --help + + Show list of available options. + + + + --backend BACKEND + Name of backend to load. Possible values are: + w95, nt4, gconf, dir and rpc. The default is dir. + + + + + --credentials=CREDENTIALS + + Credentials to use, if any. Password should be separated from user name by a percent sign. + + + + +&man.registry.backends; + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + regdiff, regtree, regshell, gregedit, samba, diff, patch + + + + + AUTHOR + + &man.credits.samba; + + This manpage and regpatch were written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/regshell.1.xml b/docs/manpages-4/regshell.1.xml new file mode 100644 index 00000000000..fbfff86b09c --- /dev/null +++ b/docs/manpages-4/regshell.1.xml @@ -0,0 +1,188 @@ + + + + + + regshell + 1 + + + + + regshell + Windows registry file browser using readline + + + + + regshell + --help + --backend=BACKEND + --credentials=CREDENTIALS + location + + + + + DESCRIPTION + + + regshell is a utility that lets you browse thru a Windows registry + file as if you were using a regular unix shell to browse thru a + file system. + + + + + + + OPTIONS + + + + --help + + Show list of available options. + + + + --backend BACKEND + Name of backend to load. Possible values are: + w95, nt4, gconf, dir and rpc. The default is dir. + + + + + --credentials=CREDENTIALS + + Credentials to use, if any. Password should be separated from user name by a percent sign. + + + + + + COMMANDS + + + + ck|cd <keyname> + + Go to the specified subkey. + + + + + ch|predef [predefined-key-name] + + Go to the specified predefined key. + + + + + list|ls + + List subkeys and values of the current key. + + + + + mkkey|mkdir <keyname> + + Create a key with the specified keyname as a subkey of the current key. + + + + + rmval|rm <valname> + + Delete the specified value. + + + + + rmkey|rmdir <keyname> + + Delete the specified subkey recursively. + + + + + pwd|pwk + Print the full name of the current key. + + + + set|update + Update the value of a key value. Not implemented at the moment. + + + + help|? + Print a list of available commands. + + + exit|quit + Leave regshell. + + + + +&man.registry.backends; + + + EXAMPLES + + Browsing thru a nt4 registry file + +regshell -b nt4 NTUSER.DAT +$$$PROTO.HIV> ls +K AppEvents +K Console +K Control Panel +K Environment +K Identities +K Keyboard Layout +K Network +K Printers +K Software +K UNICODE Program Groups +K Windows 3.1 Migration Status +$$$PROTO.HIV> exit + + +Listing the subkeys of HKEY_CURRENT_USER\AppEvents on a remote computer: + +regshell --remote=ncacn_np:aurelia -c "jelmer%secret" +HKEY_CURRENT_MACHINE> predef HKEY_CURRENT_USER +HKEY_CURRENT_USER> cd AppEvents +Current path is: HKEY_CURRENT_USER\AppEvents +HKEY_CURRENT_USER\AppEvents> ls +K EventLabels +K Schemes +HKEY_CURRENT_USER\AppEvents> exit + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + regtree, regdiff, regpatch, gregedit, samba + + + + + AUTHOR + + &man.credits.samba; + + This manpage and regshell were written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/regtree.1.xml b/docs/manpages-4/regtree.1.xml new file mode 100644 index 00000000000..7fc0de27215 --- /dev/null +++ b/docs/manpages-4/regtree.1.xml @@ -0,0 +1,101 @@ + + + + + + regtree + 1 + + + + + regtree + Text-mode registry viewer + + + + + regtree + --help + --backend=BACKEND + --fullpath + --no-values + --credentials=CREDENTIALS + location + + + + + DESCRIPTION + + The regtree utility prints out all the contents of a + Windows registry file. Subkeys are printed with one level + more indentation then their parents. + + + + + + OPTIONS + + + + --help + + Show list of available options. + + + + --backend BACKEND + Name of backend to load. Possible values are: + w95, nt4, gconf, dir and rpc. The default is dir. + + + + + --credentials=CREDENTIALS + + Credentials to use, if any. Password should be separated from user name by a percent sign. + + + + --fullpath + + Print the full path to each key instead of only its name. + + + + + --no-values + Don't print values, just keys. + + + + + + +&man.registry.backends; + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + gregedit, regshell, regdiff, regpatch, samba + + + + + AUTHOR + + &man.credits.samba; + + This manpage and regtree were written by Jelmer Vernooij. + + + + diff --git a/docs/manpages-4/smbtorture.1.xml b/docs/manpages-4/smbtorture.1.xml new file mode 100644 index 00000000000..1c0ac9485f5 --- /dev/null +++ b/docs/manpages-4/smbtorture.1.xml @@ -0,0 +1,172 @@ + + + + + + smbtorture + 1 + + + + + smbtorture + Run a series of tests against a SMB server + + + + + smbtorture + + + + smbtorture + //server/share + -d debuglevel + -U user%pass + -k + -N numprocs + -n netbios_name + -W workgroup + -o num_operations + -e num files(entries) + -O socket_options + -m maximum_protocol + -L + -c CLIENT.TXT + -t timelimit + -C filename + -A + -p port + -s seed + -f max_failures + -X + TEST1 TEST2 ... + + + + + + DESCRIPTION + + smbtorture is a testsuite that runs several tests + against a SMB server. All tests are known to succeed + against a Windows 2003 server (?). Smbtorture's primary + goal is finding differences in implementations of the SMB protocol + and testing SMB servers. + + + Any number of tests can be specified + on the command-line. If no tests are specified, all tests + are run. + + If no arguments are specified at all, all available options + and tests are listed. + + + + + + OPTIONS + + + -d debuglevel + Use the specified Samba debug level. A higher debug level + means more output. + + -U user%pass + Use the specified username/password combination when logging in to a remote server. + + -k + Use kerberos when authenticating. + + -W workgroup + Use specified name as our workgroup name. + + -n netbios_name + Use specified name as our NetBIOS name. + + + -O socket_options + Use specified socket options, equivalent of the smb.conf option socket options. See the smb.conf(5) manpage for details. + + + -m max_protocol + Specify the maximum SMB dialect that should be used. Possible values are: CORE, COREPLUS, LANMAN1, LANMAN2, NT1 + + + -s seed + Initialize the randomizer using seed as seed. + + + -L + Use oplocks. + + + -X + Enable dangerous tests. Use with care! This might crash your server... + + + -t timelimit + Specify the NBENCH time limit in seconds. Defaults to 600. + + + -p ports + Specify ports to connect to. + + + -c file + Read NBENCH commands from file instead of from CLIENT.TXT. + + + -A + Show not just OK or FAILED but more detailed + output. Used only by DENY test at the moment. + + + -C filename + Load a list of UNC names from the specified filename. Smbtorture instances will connect to a random host from this list. + + + -N numprocs + Specify number of smbtorture processes to launch. + + + -o num_operations + Number of times some operations should be tried before assuming they're output is consistent (default:100). + + + -e num_files + Number of entries to use in certain tests (such as creating X files) (default: 1000). + + + -f max_failures + Number of failures before aborting a test (default: 1). + + + + + + VERSION + + This man page is correct for version 4.0 of the Samba suite. + + + + SEE ALSO + + Samba + + + + + AUTHOR + + &man.credits.samba; + + smbtorture was written by Andrew Tridgell. + + This manpage was written by Jelmer Vernooij. + + + + -- 2.11.4.GIT