From 9181ef9b4df2e2988bde053befd104d4d738ded5 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 21 May 2005 00:23:25 +0000 Subject: [PATCH] Fix manpage (This used to be commit 1f519597dec979a471e866e107c407444bdba4da) --- docs/manpages-3/smb.conf.5.xml | 8468 ++++------------------------------------ 1 file changed, 656 insertions(+), 7812 deletions(-) rewrite docs/manpages-3/smb.conf.5.xml (99%) diff --git a/docs/manpages-3/smb.conf.5.xml b/docs/manpages-3/smb.conf.5.xml dissimilarity index 99% index ba010de3174..ad9e3fbe97d 100644 --- a/docs/manpages-3/smb.conf.5.xml +++ b/docs/manpages-3/smb.conf.5.xml @@ -1,7812 +1,656 @@ - - - - -abort shutdown scriptabort shutdown script (G) - This a full path name to a script called by smbd - 8 that - should stop a shutdown procedure issued by the - shutdown script. - - If the connected user posseses the SeRemoteShutdownPrivilege, - right, this command will be run as user. - -Default: abort shutdown script = - - -Example: abort shutdown script = /sbin/shutdown -c - - - - -acl compatibilityacl compatibility (S) - This parameter specifies what OS ACL semantics should - be compatible with. Possible values are winnt for Windows NT 4, - win2k for Windows 2000 and above and auto. - If you specify auto, the value for this parameter - will be based upon the version of the client. There should - be no reason to change this parameter from the default. - -Default: acl compatibility = Auto - - -Example: acl compatibility = win2k - - - - -add group scriptadd group script (G) - This is the full pathname to a script that will be run - AS ROOT by - smbd8 - when a new group is requested. It will expand any %g to the group name passed. This - script is only useful for installations using the Windows NT - domain administration tools. The script is free to create a - group with an arbitrary name to circumvent unix group name - restrictions. In that case the script must print the numeric gid - of the created group on stdout. - -No default - - - -add machine scriptadd machine script (G) - This is the full pathname to a script that will be run by - smbd - 8 when a machine is added - to it's domain using the administrator username and password - method. - - This option is only required when using sam back-ends tied - to the Unix uid method of RID calculation such as smbpasswd. - This option is only available in Samba 3.0. - -Default: add machine script = - - -Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u - - - - -addprinter commandaddprinter command (G) - With the introduction of MS-RPC based printing - support for Windows NT/2000 clients in Samba 2.2, The MS Add - Printer Wizard (APW) icon is now also available in the - "Printers..." folder displayed a share listing. The APW - allows for printers to be add remotely to a Samba or Windows - NT/2000 print server. - - For a Samba host this means that the printer must be - physically added to the underlying printing system. The add - printer command defines a script to be run which - will perform the necessary operations for adding the printer - to the print system and to add the appropriate service definition - to the smb.conf file in order that it can be - shared by smbd - 8. - - The addprinter command is - automatically invoked with the following parameter (in - order): - - - printer name - share name - port name - driver name - location - Windows 9x driver location - - - All parameters are filled in from the PRINTER_INFO_2 structure sent - by the Windows NT/2000 client with one exception. The "Windows 9x - driver location" parameter is included for backwards compatibility - only. The remaining fields in the structure are generated from answers - to the APW questions. - - Once the addprinter command has - been executed, smbd will reparse the - smb.conf to determine if the share defined by the APW - exists. If the sharename is still invalid, then smbd - will return an ACCESS_DENIED error to the client. - - - The "add printer command" program can output a single line of text, - which Samba will set as the port the new printer is connected to. - If this line isn't output, Samba won't reload its printer shares. - - - -Default: addprinter command = - - -Example: addprinter command = /usr/bin/addprinter - - - - -add share commandadd share command (G) - Samba 2.2.0 introduced the ability to dynamically - add and delete shares via the Windows NT 4.0 Server Manager. The - add share command is used to define an - external program or script which will add a new service definition - to smb.conf. In order to successfully - execute the add share command, smbd - requires that the administrator be connected using a root account (i.e. - uid == 0). - - - - When executed, smbd will automatically invoke the - add share command with four parameters. - - - - - configFile - the location - of the global smb.conf file. - - - - - shareName - the name of the new - share. - - - - - pathName - path to an **existing** - directory on disk. - - - - - comment - comment string to associate - with the new share. - - - - - - This parameter is only used for add file shares. To add printer shares, - see the addprinter - command. - - -Default: add share command = - - -Example: add share command = /usr/local/bin/addshare - - - - -add user scriptadd user script (G) - This is the full pathname to a script that will - be run AS ROOT by smbd - 8 under special circumstances described below. - - Normally, a Samba server requires that UNIX users are - created for all users accessing files on this server. For sites - that use Windows NT account databases as their primary user database - creating these users and keeping the user list in sync with the - Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users - ON DEMAND when a user accesses the Samba server. - - In order to use this option, smbd - 8 must NOT be set to security = share - and add user script - must be set to a full pathname for a script that will create a UNIX - user given one argument of %u, which expands into - the UNIX user name to create. - - When the Windows user attempts to access the Samba server, - at login (session setup in the SMB protocol) time, smbd - 8 contacts the password server and - attempts to authenticate the given user with the given password. If the - authentication succeeds then smbd - attempts to find a UNIX user in the UNIX password database to map the - Windows user into. If this lookup fails, and add user script - is set then smbd will - call the specified script AS ROOT, expanding - any %u argument to be the user name to create. - - If this script successfully creates the user then smbd - will continue on as though the UNIX user - already existed. In this way, UNIX users are dynamically created to - match existing Windows NT accounts. - - See also - security, - password server, - delete user - script. - -Default: add user script = - - -Example: add user script = /usr/local/samba/bin/add_user %u - - - - -add user to group scriptadd user to group script (G) - Full path to the script that will be called when - a user is added to a group using the Windows NT domain administration - tools. It will be run by smbd - 8 AS ROOT. - Any %g will be replaced with the group name and - any %u will be replaced with the user name. - - - Note that the adduser command used in the example below does - not support the used syntax on all systems. - - -Default: add user to group script = - - -Example: add user to group script = /usr/sbin/adduser %u %g - - - - -admin usersadmin users (S) - This is a list of users who will be granted - administrative privileges on the share. This means that they - will do all file operations as the super-user (root). - - You should use this option very carefully, as any user in - this list will be able to do anything they like on the share, - irrespective of file permissions. - - This parameter will not work with the - security = share in - Samba 3.0. This is by design. - - -Default: admin users = - - -Example: admin users = jason - - - - -afs shareafs share (S) - This parameter controls whether special AFS features are enabled - for this share. If enabled, it assumes that the directory exported via - the path parameter is a local AFS import. The - special AFS features include the attempt to hand-craft an AFS token - if you enabled --with-fake-kaserver in configure. - - -Default: afs share = no - - - - - -afs username mapafs username map (G) - If you are using the fake kaserver AFS feature, you might - want to hand-craft the usernames you are creating tokens for. - For example this is necessary if you have users from several domain - in your AFS Protection Database. One possible scheme to code users - as DOMAIN+User as it is done by winbind with the + as a separator. - - - The mapped user name must contain the cell name to log into, - so without setting this parameter there will be no token. - -Default: afs username map = - - -Example: afs username map = %u@afs.samba.org - - - - -algorithmic rid basealgorithmic rid base (G) - This determines how Samba will use its - algorithmic mapping from uids/gid to the RIDs needed to construct - NT Security Identifiers. - - - Setting this option to a larger value could be useful to sites - transitioning from WinNT and Win2k, as existing user and - group rids would otherwise clash with sytem users etc. - - - All UIDs and GIDs must be able to be resolved into SIDs for - the correct operation of ACLs on the server. As such the algorithmic - mapping can't be 'turned off', but pushing it 'out of the way' should - resolve the issues. Users and groups can then be assigned 'low' RIDs - in arbitary-rid supporting backends. - - -Default: algorithmic rid base = 1000 - - -Example: algorithmic rid base = 100000 - - - - -allocation roundup sizeallocation roundup size (S) - This parameter allows an administrator to tune the - allocation size reported to Windows clients. The default - size of 1Mb generally results in improved Windows client - performance. However, rounding the allocation size may cause - difficulties for some applications, e.g. MS Visual Studio. - If the MS Visual Studio compiler starts to crash with an - internal error, set this parameter to zero for this share. - - - The integer parameter specifies the roundup size in bytes. - -Default: allocation roundup size = 1048576 - - -Example: allocation roundup size = 0 -# (to disable roundups) - - - - -allow trusted domainsallow trusted domains (G) - This option only takes effect when the - security option is set to - server or domain. - If it is set to no, then attempts to connect to a resource from - a domain or workgroup other than the one which smbd is running - in will fail, even if that domain is trusted by the remote server - doing the authentication. - - This is useful if you only want your Samba server to - serve resources to users in the domain it is a member of. As - an example, suppose that there are two domains DOMA and DOMB. DOMB - is trusted by DOMA, which contains the Samba server. Under normal - circumstances, a user with an account in DOMB can then access the - resources of a UNIX account with the same account name on the - Samba server even if they do not have an account in DOMA. This - can make implementing a security boundary difficult. - -Default: allow trusted domains = yes - - - - - -announce asannounce as (G) - This specifies what type of server nmbd - 8 will announce itself as, to a network neighborhood browse - list. By default this is set to Windows NT. The valid options - are : "NT Server" (which can also be written as "NT"), - "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, - Windows NT Workstation, Windows 95 and Windows for Workgroups - respectively. Do not change this parameter unless you have a - specific need to stop Samba appearing as an NT server as this - may prevent Samba servers from participating as browser servers - correctly. - -Default: announce as = NT Server - - -Example: announce as = Win95 - - - - -announce versionannounce version (G) - This specifies the major and minor version numbers - that nmbd will use when announcing itself as a server. The default - is 4.9. Do not change this parameter unless you have a specific - need to set a Samba server to be a downlevel server. - -Default: announce version = 4.9 - - -Example: announce version = 2.0 - - - - -auth methodsauth methods (G) - This option allows the administrator to chose what - authentication methods smbd will use when authenticating - a user. This option defaults to sensible values based on - security. This should be considered - a developer option and used only in rare circumstances. In the majority (if not all) - of production servers, the default setting should be adequate. - - Each entry in the list attempts to authenticate the user in turn, until - the user authenticates. In practice only one method will ever actually - be able to complete the authentication. - - - Possible options include guest (anonymous access), - sam (lookups in local list of accounts based on netbios - name or domain name), winbind (relay authentication requests - for remote users through winbindd), ntdomain (pre-winbindd - method of authentication for remote domain users; deprecated in favour of winbind method), - trustdomain (authenticate trusted users by contacting the - remote DC directly from smbd; deprecated in favour of winbind method). - -Default: auth methods = - - -Example: auth methods = guest sam winbind - - - - -availableavailable (S) - This parameter lets you "turn off" a service. If - available = no, then ALL - attempts to connect to the service will fail. Such failures are - logged. - - -Default: available = yes - - - - - -bind interfaces onlybind interfaces only (G) - This global parameter allows the Samba admin - to limit what interfaces on a machine will serve SMB requests. It - affects file service smbd - 8 and name service nmbd - 8 in a slightly different ways. - - For name service it causes nmbd to bind - to ports 137 and 138 on the interfaces listed in - the interfaces parameter. nmbd also - binds to the "all addresses" interface (0.0.0.0) - on ports 137 and 138 for the purposes of reading broadcast messages. - If this option is not set then nmbd will service - name requests on all of these sockets. If bind interfaces - only is set then nmbd will check the - source address of any packets coming in on the broadcast sockets - and discard any that don't match the broadcast addresses of the - interfaces in the interfaces parameter list. - As unicast packets are received on the other sockets it allows - nmbd to refuse to serve names to machines that - send packets that arrive through any interfaces not listed in the - interfaces list. IP Source address spoofing - does defeat this simple check, however, so it must not be used - seriously as a security feature for nmbd. - - For file service it causes smbd - 8 to bind only to the interface list - given in the interfaces parameter. This - restricts the networks that smbd will serve - to packets coming in those interfaces. Note that you should not use this parameter - for machines that are serving PPP or other intermittent or non-broadcast network - interfaces as it will not cope with non-permanent interfaces. - - If bind interfaces only is set then - unless the network address 127.0.0.1 is added - to the interfaces parameter - list smbpasswd - 8 and swat - 8 may not work as expected due - to the reasons covered below. - - To change a users SMB password, the smbpasswd - by default connects to the localhost - 127.0.0.1 - address as an SMB client to issue the password change request. If - bind interfaces only is set then unless the - network address 127.0.0.1 is added to the - interfaces parameter list then - smbpasswd will fail to connect in it's default mode. - smbpasswd can be forced to use the primary IP interface - of the local host by using its smbpasswd - 8 -r remote machine - parameter, with remote machine set - to the IP name of the primary interface of the local host. - - The swat status page tries to connect with - smbd and nmbd at the address - 127.0.0.1 to determine if they are running. - Not adding 127.0.0.1 will cause - smbd and nmbd to always show - "not running" even if they really are. This can prevent - swat from starting/stopping/restarting smbd - and nmbd. - - -Default: bind interfaces only = no - - - - - -blocking locksblocking locks (S) - This parameter controls the behavior - of smbd - 8 when given a request by a client - to obtain a byte range lock on a region of an open file, and the - request has a time limit associated with it. - - If this parameter is set and the lock range requested - cannot be immediately satisfied, samba will internally - queue the lock request, and periodically attempt to obtain - the lock until the timeout period expires. - - If this parameter is set to no, then - samba will behave as previous versions of Samba would and - will fail the lock request immediately if the lock range - cannot be obtained. - - -Default: blocking locks = yes - - - - - -block sizeblock size (S) - This parameter controls the behavior of smbd - 8 when reporting disk free - sizes. By default, this reports a disk block size of 1024 bytes. - - - Changing this parameter may have some effect on the - efficiency of client writes, this is not yet confirmed. This - parameter was added to allow advanced administrators to change - it (usually to a higher value) and test the effect it has on - client write performance without re-compiling the code. As this - is an experimental option it may be removed in a future release. - - - Changing this option does not change the disk free reporting - size, just the block size unit reported to the client. - - -No default - - - -browsablebrowseablebrowsableThis parameter is a synonym for browseable. -browseablebrowseable (S) - This controls whether this share is seen in - the list of available shares in a net view and in the browse list. - - -Default: browseable = yes - - - - - -browse listbrowse list (G) - This controls whether smbd - 8 will serve a browse list to - a client doing a NetServerEnum call. Normally - set to yes. You should never need to change - this. - - -Default: browse list = yes - - - - - -casesignamescase sensitivecasesignamesThis parameter is a synonym for case sensitive. -case sensitivecase sensitive (S) - See the discussion in the section NAME MANGLING. - -Default: case sensitive = no - - - - - -change notify timeoutchange notify timeout (G) - This SMB allows a client to tell a server to - "watch" a particular directory for any changes and only reply to - the SMB request when a change has occurred. Such constant scanning of - a directory is expensive under UNIX, hence an smbd - 8 daemon only performs such a scan - on each requested directory once every change notify - timeout seconds. - -Default: change notify timeout = 60 - - -Example: change notify timeout = 300 -# Would change the scan time to every 5 minutes. - - - - -change share commandchange share command (G) - Samba 2.2.0 introduced the ability to dynamically - add and delete shares via the Windows NT 4.0 Server Manager. The - change share command is used to define an - external program or script which will modify an existing service definition - in smb.conf. In order to successfully - execute the change share command, smbd - requires that the administrator be connected using a root account (i.e. - uid == 0). - - - - When executed, smbd will automatically invoke the - change share command with four parameters. - - - - - configFile - the location - of the global smb.conf file. - - - - - shareName - the name of the new - share. - - - - - pathName - path to an **existing** - directory on disk. - - - - - comment - comment string to associate - with the new share. - - - - - - This parameter is only used modify existing file shares definitions. To modify - printer shares, use the "Printers..." folder as seen when browsing the Samba host. - - -Default: change share command = - - -Example: change share command = /usr/local/bin/addshare - - - - -check password scriptcheck password script (G) - The name of a program that can be used to check password - complexity. The password is sent to the program's standrad input. - - The program must return 0 on good password any other value otherwise. - In case the password is considered weak (the program do not return 0) the - user will be notified and the password change will fail. - - Note: In the example directory there is a sample program called crackcheck - that uses cracklib to checkpassword quality. - - -Default: check password script = Disabled - - -Example: check password script = check password script = /usr/local/sbin/crackcheck - - - - -client lanman authclient lanman auth (G) - This parameter determines whether or not smbclient - 8 and other samba client - tools will attempt to authenticate itself to servers using the - weaker LANMAN password hash. If disabled, only server which support NT - password hashes (e.g. Windows NT/2000, Samba, etc... but not - Windows 95/98) will be able to be connected from the Samba client. - - The LANMAN encrypted response is easily broken, due to it's - case-insensitive nature, and the choice of algorithm. Clients - without Windows 95/98 servers are advised to disable - this option. - - Disabling this option will also disable the client plaintext auth option - - Likewise, if the client ntlmv2 - auth parameter is enabled, then only NTLMv2 logins will be - attempted. - -Default: client lanman auth = yes - - - - - -client ntlmv2 authclient ntlmv2 auth (G) - This parameter determines whether or not smbclient - 8 will attempt to - authenticate itself to servers using the NTLMv2 encrypted password - response. - - If enabled, only an NTLMv2 and LMv2 response (both much more - secure than earlier versions) will be sent. Many servers - (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with - NTLMv2. - - Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth - authentication will be disabled. This also disables share-level - authentication. - - If disabled, an NTLM response (and possibly a LANMAN response) - will be sent by the client, depending on the value of client lanman auth. - - Note that some sites (particularly - those following 'best practice' security polices) only allow NTLMv2 - responses, and not the weaker LM or NTLM. - -Default: client ntlmv2 auth = no - - - - - -client plaintext authclient plaintext auth (G) - Specifies whether a client should send a plaintext - password if the server does not support encrypted passwords. - -Default: client plaintext auth = yes - - - - - -client schannelclient schannel (G) - - This controls whether the client offers or even - demands the use of the netlogon schannel. - client schannel = no does not - offer the schannel, client schannel = - auto offers the schannel but does not - enforce it, and client schannel = - yes denies access if the server is not - able to speak netlogon schannel. - -Default: client schannel = auto - - -Example: client schannel = yes - - - - -client signingclient signing (G) - This controls whether the client offers or requires - the server it talks to to use SMB signing. Possible values - are auto, mandatory - and disabled. - - - When set to auto, SMB signing is offered, but not enforced. - When set to mandatory, SMB signing is required and if set - to disabled, SMB signing is not offered either. - -Default: client signing = auto - - - - - -client use spnegoclient use spnego (G) - This variable controls whether Samba clients will try - to use Simple and Protected NEGOciation (as specified by rfc2478) with - supporting servers (including WindowsXP, Windows2000 and Samba - 3.0) to agree upon an authentication - mechanism. This enables Kerberos authentication in particular. - -Default: client use spnego = yes - - - - - -commentcomment (S) - This is a text field that is seen next to a share - when a client does a queries the server, either via the network - neighborhood or via net view to list what shares - are available. - - If you want to set the string that is displayed next to the - machine name then see the - server string parameter. - - -Default: comment = -# No comment - - -Example: comment = Fred's Files - - - - -config fileconfig file (G) - This allows you to override the config file - to use, instead of the default (usually smb.conf). - There is a chicken and egg problem here as this option is set - in the config file! - - For this reason, if the name of the config file has changed - when the parameters are loaded then it will reload them from - the new config file. - - This option takes the usual substitutions, which can - be very useful. - - If the config file doesn't exist then it won't be loaded - (allowing you to special case the config files of just a few - clients). - -No default -Example: config file = /usr/local/samba/lib/smb.conf.%m - - - - -copycopy (S) - This parameter allows you to "clone" service - entries. The specified service is simply duplicated under the - current service's name. Any parameters specified in the current - section will override those in the section being copied. - - This feature lets you set up a 'template' service and - create similar services easily. Note that the service being - copied must occur earlier in the configuration file than the - service doing the copying. - -Default: copy = - - -Example: copy = otherservice - - - - -create modecreate maskcreate modeThis parameter is a synonym for create mask. -create maskcreate mask (S) - When a file is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX - permissions, and the resulting UNIX mode is then bit-wise 'AND'ed - with this parameter. This parameter may be thought of as a bit-wise - MASK for the UNIX modes of a file. Any bit not - set here will be removed from the modes set on a file when it is - created. - - The default value of this parameter removes the - 'group' and 'other' write and execute bits from the UNIX modes. - - Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the - force create mode - parameter which is set to 000 by default. - - This parameter does not affect directory modes. See the - parameter directory mode - for details. - - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the - security mask. - -Default: create mask = 0744 - - -Example: create mask = 0775 - - - - -csc policycsc policy (S) - This stands for client-side caching - policy, and specifies how clients capable of offline - caching will cache the files in the share. The valid values - are: manual, documents, programs, disable. - - These values correspond to those used on Windows servers. - - For example, shares containing roaming profiles can have - offline caching disabled using csc policy = disable. - -Default: csc policy = manual - - -Example: csc policy = programs - - - - -cups optionscups options (S) - This parameter is only applicable if printing is - set to cups. Its value is a free form string of options - passed directly to the cups library. - - - You can pass any generic print option known to CUPS (as listed - in the CUPS "Software Users' Manual"). You can also pass any printer - specific option (as listed in "lpoptions -d printername -l") - valid for the target queue. - - You should set this parameter to raw if your CUPS server - error_log file contains messages such as - "Unsupported format 'application/octet-stream'" when printing from a Windows client - through Samba. It is no longer necessary to enable - system wide raw printing in /etc/cups/mime.{convs,types}. - - - -Default: cups options = "" - - -Example: cups options = "raw,media=a4,job-sheets=secret,secret" - - - - -cups servercups server (G) - This parameter is only applicable if printing is - set to cups. - - - If set, this option overrides the ServerName option in the CUPS - client.conf. This is necessary if you have virtual - samba servers that connect to different CUPS daemons. - -Default: cups server = "" - - -Example: cups server = MYCUPSSERVER - - - - -deadtimedeadtime (G) - The value of the parameter (a decimal integer) - represents the number of minutes of inactivity before a connection - is considered dead, and it is disconnected. The deadtime only takes - effect if the number of open files is zero. - - This is useful to stop a server's resources being - exhausted by a large number of inactive connections. - - Most clients have an auto-reconnect feature when a - connection is broken so in most cases this parameter should be - transparent to users. - - Using this parameter with a timeout of a few minutes - is recommended for most systems. - - A deadtime of zero indicates that no auto-disconnection - should be performed. - -Default: deadtime = 0 - - -Example: deadtime = 15 - - - - -debug hires timestampdebug hires timestamp (G) - Sometimes the timestamps in the log messages - are needed with a resolution of higher that seconds, this - boolean parameter adds microsecond resolution to the timestamp - message header when turned on. - - Note that the parameter - debug timestamp must be on for this to have an - effect. - - -Default: debug hires timestamp = no - - - - - -debug piddebug pid (G) - When using only one log file for more then one forked - smbd - 8-process there may be hard to - follow which process outputs which message. This boolean parameter - is adds the process-id to the timestamp message headers in the - logfile when turned on. - - Note that the parameter - debug timestamp must be on for this to have an - effect. - -Default: debug pid = no - - - - - -timestamp logsdebug timestamptimestamp logsThis parameter is a synonym for debug timestamp. -debug timestampdebug timestamp (G) - Samba debug log messages are timestamped - by default. If you are running at a high - debug level these timestamps - can be distracting. This boolean parameter allows timestamping - to be turned off. - -Default: debug timestamp = yes - - - - - -debug uiddebug uid (G) - Samba is sometimes run as root and sometime - run as the connected user, this boolean parameter inserts the - current euid, egid, uid and gid to the timestamp message headers - in the log file if turned on. - - Note that the parameter - debug timestamp must be on for this to have an - effect. - -Default: debug uid = no - - - - - -default casedefault case (S) - See the section on - NAME MANGLING. Also note the - short preserve case parameter. - -Default: default case = lower - - - - - -default devmodedefault devmode (S) - This parameter is only applicable to printable services. - When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba - server has a Device Mode which defines things such as paper size and - orientation and duplex settings. The device mode can only correctly be - generated by the printer driver itself (which can only be executed on a - Win32 platform). Because smbd is unable to execute the driver code - to generate the device mode, the default behavior is to set this field - to NULL. - - - Most problems with serving printer drivers to Windows NT/2k/XP clients - can be traced to a problem with the generated device mode. Certain drivers - will do things such as crashing the client's Explorer.exe with a NULL devmode. - However, other printer drivers can cause the client's spooler service - (spoolsv.exe) to die if the devmode was not created by the driver itself - (i.e. smbd generates a default devmode). - - - This parameter should be used with care and tested with the printer - driver in question. It is better to leave the device mode to NULL - and let the Windows client set the correct values. Because drivers do not - do this all the time, setting default devmode = yes - will instruct smbd to generate a default one. - - - For more information on Windows NT/2k printing and Device Modes, - see the MSDN documentation. - - -Default: default devmode = no - - - - - -defaultdefault servicedefaultThis parameter is a synonym for default service. -default servicedefault service (G) - This parameter specifies the name of a service - which will be connected to if the service actually requested cannot - be found. Note that the square brackets are NOT - given in the parameter value (see example below). - - There is no default value for this parameter. If this - parameter is not given, attempting to connect to a nonexistent - service results in an error. - - Typically the default service would be a - guest ok, - read-only service. - - Also note that the apparent service name will be changed - to equal that of the requested service, this is very useful as it - allows you to use macros like %S to make - a wildcard service. - - Note also that any "_" characters in the name of the service - used in the default service will get mapped to a "/". This allows for - interesting things. - -Default: default service = - - -Example: default service = pub - - - - -defer sharing violationsdefer sharing violations (G) - - Windows allows specifying how a file will be shared with - other processes when it is opened. Sharing violations occur when - a file is opened by a different process using options that violate - the share settings specified by other processes. This parameter causes - smbd to act as a Windows server does, and defer returning a "sharing - violation" error message for up to one second, allowing the client - to close the file causing the violation in the meantime. - - - Unix by default does not have this behaviour. - - - There should be no reason to turn off this parameter, as it is - designed to enable Samba to more correctly emulate Windows. - - -Default: defer sharing violations = True - - - - - -delete group scriptdelete group script (G) - This is the full pathname to a script that will - be run AS ROOT smbd - 8 when a group is requested to be deleted. - It will expand any %g to the group name passed. - This script is only useful for installations using the Windows NT domain administration tools. - - -Default: delete group script = - - - - - -deleteprinter commanddeleteprinter command (G) - With the introduction of MS-RPC based printer - support for Windows NT/2000 clients in Samba 2.2, it is now - possible to delete printer at run time by issuing the - DeletePrinter() RPC call. - - For a Samba host this means that the printer must be - physically deleted from underlying printing system. The - deleteprinter command defines a script to be run which - will perform the necessary operations for removing the printer - from the print system and from smb.conf. - - - The deleteprinter command is - automatically called with only one parameter: - "printer name". - - Once the deleteprinter command has - been executed, smbd will reparse the - smb.conf to associated printer no longer exists. - If the sharename is still valid, then smbd - will return an ACCESS_DENIED error to the client. - -Default: deleteprinter command = - - -Example: deleteprinter command = /usr/bin/removeprinter - - - - -delete readonlydelete readonly (S) - This parameter allows readonly files to be deleted. - This is not normal DOS semantics, but is allowed by UNIX. - - This option may be useful for running applications such - as rcs, where UNIX file ownership prevents changing file - permissions, and DOS semantics prevent deletion of a read only file. - -Default: delete readonly = no - - - - - -delete share commanddelete share command (G) - Samba 2.2.0 introduced the ability to dynamically - add and delete shares via the Windows NT 4.0 Server Manager. The - delete share command is used to define an - external program or script which will remove an existing service - definition from smb.conf. In order to successfully - execute the delete share command, smbd - requires that the administrator be connected using a root account (i.e. - uid == 0). - - - - When executed, smbd will automatically invoke the - delete share command with two parameters. - - - - - configFile - the location - of the global smb.conf file. - - - - - shareName - the name of - the existing service. - - - - - - This parameter is only used to remove file shares. To delete printer shares, - see the deleteprinter - command. - - -Default: delete share command = - - -Example: delete share command = /usr/local/bin/delshare - - - - -delete user from group scriptdelete user from group script (G) - Full path to the script that will be called when - a user is removed from a group using the Windows NT domain administration - tools. It will be run by smbd - 8 AS ROOT. - Any %g will be replaced with the group name and - any %u will be replaced with the user name. - - -Default: delete user from group script = - - -Example: delete user from group script = /usr/sbin/deluser %u %g - - - - -delete user scriptdelete user script (G) - This is the full pathname to a script that will - be run by smbd - 8 when managing users - with remote RPC (NT) tools. - - - This script is called when a remote client removes a user - from the server, normally using 'User Manager for Domains' or - rpcclient. - - This script should delete the given UNIX username. - -Default: delete user script = - - -Example: delete user script = /usr/local/samba/bin/del_user %u - - - - -delete veto filesdelete veto files (S) - This option is used when Samba is attempting to - delete a directory that contains one or more vetoed directories - (see the veto files - option). If this option is set to no (the default) then if a vetoed - directory contains any non-vetoed files or directories then the - directory delete will fail. This is usually what you want. - - If this option is set to yes, then Samba - will attempt to recursively delete any files and directories within - the vetoed directory. This can be useful for integration with file - serving systems such as NetAtalk which create meta-files within - directories you might normally veto DOS/Windows users from seeing - (e.g. .AppleDouble) - - Setting delete veto files = yes allows these - directories to be transparently deleted when the parent directory - is deleted (so long as the user has permissions to do so). - -Default: delete veto files = no - - - - - -dfree commanddfree command (G) - - The dfree command setting - should only be used on systems where a problem occurs with the - internal disk space calculations. This has been known to happen - with Ultrix, but may occur with other operating systems. The - symptom that was seen was an error of "Abort Retry - Ignore" at the end of each directory listing. - - This setting allows the replacement of the internal routines to - calculate the total disk space and amount available with an external - routine. The example below gives a possible script that might fulfill - this function. - - The external program will be passed a single parameter indicating - a directory in the filesystem being queried. This will typically consist - of the string ./. The script should return two - integers in ASCII. The first should be the total disk space in blocks, - and the second should be the number of available blocks. An optional - third return value can give the block size in bytes. The default - blocksize is 1024 bytes. - - Note: Your script should NOT be setuid or - setgid and should be owned by (and writeable only by) root! - - Where the script dfree (which must be made executable) could be: - - -#!/bin/sh -df $1 | tail -1 | awk '{print $2" "$4}' - - - or perhaps (on Sys V based systems): - - -#!/bin/sh -/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' - - - Note that you may have to replace the command names with full path names on some systems. - - -Default: dfree command = -# By default internal routines for - determining the disk capacity and remaining space will be used. - - -Example: dfree command = /usr/local/samba/bin/dfree - - - - -directory modedirectory maskdirectory modeThis parameter is a synonym for directory mask. -directory maskdirectory mask (S) - This parameter is the octal modes which are - used when converting DOS modes to UNIX modes when creating UNIX - directories. - - When a directory is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX permissions, - and the resulting UNIX mode is then bit-wise 'AND'ed with this - parameter. This parameter may be thought of as a bit-wise MASK for - the UNIX modes of a directory. Any bit not set - here will be removed from the modes set on a directory when it is - created. - - The default value of this parameter removes the 'group' - and 'other' write bits from the UNIX mode, allowing only the - user who owns the directory to modify it. - - Following this Samba will bit-wise 'OR' the UNIX mode - created from this parameter with the value of the - force directory mode parameter. - This parameter is set to 000 by default (i.e. no extra mode bits are added). - - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the - directory security mask. - -Default: directory mask = 0755 - - -Example: directory mask = 0775 - - - - -directory security maskdirectory security mask (S) - This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box. - - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. - - If not set explicitly this parameter is set to 0777 - meaning a user is allowed to modify all the user/group/world - permissions on a directory. - - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of 0777. - -Default: directory security mask = 0777 - - -Example: directory security mask = 0700 - - - - -disable netbiosdisable netbios (G) - Enabling this parameter will disable netbios support - in Samba. Netbios is the only available form of browsing in - all windows versions except for 2000 and XP. - - Clients that only support netbios won't be able to - see your samba server when netbios support is disabled. - - -Default: disable netbios = no - - - - - -disable spoolssdisable spoolss (G) - Enabling this parameter will disable Samba's support - for the SPOOLSS set of MS-RPC's and will yield identical behavior - as Samba 2.0.x. Windows NT/2000 clients will downgrade to using - Lanman style printing commands. Windows 9x/ME will be uneffected by - the parameter. However, this will also disable the ability to upload - printer drivers to a Samba server via the Windows NT Add Printer - Wizard or by using the NT printer properties dialog window. It will - also disable the capability of Windows NT/2000 clients to download - print drivers from the Samba host upon demand. - Be very careful about enabling this parameter. - - -Default: disable spoolss = no - - - - - -display charsetdisplay charset (G) - Specifies the charset that samba will use - to print messages to stdout and stderr and SWAT will use. - Should generally be the same as the unix charset. - - -Default: display charset = ASCII - - -Example: display charset = UTF8 - - - - -dns proxydns proxy (G) - Specifies that nmbd - 8 when acting as a WINS server and - finding that a NetBIOS name has not been registered, should treat the - NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server - for that name on behalf of the name-querying client. - - Note that the maximum length for a NetBIOS name is 15 - characters, so the DNS name (or DNS alias) can likewise only be - 15 characters, maximum. - - nmbd spawns a second copy of itself to do the - DNS name lookup requests, as doing a name lookup is a blocking - action. - -Default: dns proxy = yes - - - - - -domain logonsdomain logons (G) - - If set to yes, the Samba server will - provide the netlogon service for Windows 9X network logons for the - - workgroup it is in. - This will also cause the Samba server to act as a domain - controller for NT4 style domain services. For more details on - setting up this feature see the Domain Control chapter of the - Samba HOWTO Collection. - - -Default: domain logons = no - - - - - -domain masterdomain master (G) - Tell smbd - 8 to enable WAN-wide browse list - collation. Setting this option causes nmbd to - claim a special domain specific NetBIOS name that identifies - it as a domain master browser for its given - workgroup. Local master browsers - in the same workgroup on broadcast-isolated - subnets will give this nmbd their local browse lists, - and then ask smbd - 8 for a complete copy of the browse - list for the whole wide area network. Browser clients will then contact - their local master browser, and will receive the domain-wide browse list, - instead of just the list for their broadcast-isolated subnet. - - Note that Windows NT Primary Domain Controllers expect to be - able to claim this workgroup specific special - NetBIOS name that identifies them as domain master browsers for - that workgroup by default (i.e. there is no - way to prevent a Windows NT PDC from attempting to do this). This - means that if this parameter is set and nmbd claims - the special name for a workgroup before a Windows - NT PDC is able to do so then cross subnet browsing will behave - strangely and may fail. - - If domain logons = yes - , then the default behavior is to enable the domain - master parameter. If domain logons is - not enabled (the default setting), then neither will domain - master be enabled by default. - - -Default: domain master = auto - - - - - -dont descenddont descend (S) - There are certain directories on some systems - (e.g., the /proc tree under Linux) that are either not - of interest to clients or are infinitely deep (recursive). This - parameter allows you to specify a comma-delimited list of directories - that the server should always show as empty. - - Note that Samba can be very fussy about the exact format - of the "dont descend" entries. For example you may need - ./proc instead of just /proc. - Experimentation is the best policy :-) - -Default: dont descend = - - -Example: dont descend = /proc,/dev - - - - -dos charsetdos charset (G) - DOS SMB clients assume the server has - the same charset as they do. This option specifies which - charset Samba should talk to DOS clients. - - - The default depends on which charsets you have installed. - Samba tries to use charset 850 but falls back to ASCII in - case it is not available. Run testparm - 1 to check the default on your system. - -No default - - - -dos filemodedos filemode (S) - The default behavior in Samba is to provide - UNIX-like behavior where only the owner of a file/directory is - able to change the permissions on it. However, this behavior - is often confusing to DOS/Windows users. Enabling this parameter - allows a user who has write access to the file (by whatever - means) to modify the permissions on it. Note that a user - belonging to the group owning the file will not be allowed to - change permissions if the group is only granted read access. - Ownership of the file/directory is not changed, only the permissions - are modified. - -Default: dos filemode = no - - - - - -dos filetime resolutiondos filetime resolution (S) - Under the DOS and Windows FAT filesystem, the finest - granularity on time resolution is two seconds. Setting this parameter - for a share causes Samba to round the reported time down to the - nearest two second boundary when a query call that requires one second - resolution is made to smbd - 8. - - This option is mainly used as a compatibility option for Visual - C++ when used against Samba shares. If oplocks are enabled on a - share, Visual C++ uses two different time reading calls to check if a - file has changed since it was last read. One of these calls uses a - one-second granularity, the other uses a two second granularity. As - the two second call rounds any odd second down, then if the file has a - timestamp of an odd number of seconds then the two timestamps will not - match and Visual C++ will keep reporting the file has changed. Setting - this option causes the two timestamps to match, and Visual C++ is - happy. - -Default: dos filetime resolution = no - - - - - -dos filetimesdos filetimes (S) - Under DOS and Windows, if a user can write to a - file they can change the timestamp on it. Under POSIX semantics, - only the owner of the file or root may change the timestamp. By - default, Samba runs with POSIX semantics and refuses to change the - timestamp on a file if the user smbd is acting - on behalf of is not the file owner. Setting this option to - yes allows DOS semantics and smbd - 8 will change the file - timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond, - the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14 - and above. Microsoft Excel will display dialog box warnings about the file being - changed by another user if this parameter is not set to "yes" and files are being - shared between users. - - -Default: dos filetimes = yes - - - - - -ea supportea support (S) - This boolean parameter controls whether smbd - 8 will allow clients to attempt to store OS/2 style Extended - attributes on a share. In order to enable this parameter the underlying filesystem exported by - the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the - correct kernel patches). On Linux the filesystem must have been mounted with the mount - option user_xattr in order for extended attributes to work, also - extended attributes must be compiled into the Linux kernel. - -Default: ea support = no - - - - - -enable privilegesenable privileges (G) - This parameter controls whether or not smbd will honor - privileges assigned to specific SIDs via either net rpc rights - or one of the Windows user and group manager tools. This parameter is - disabled by default to prevent members of the Domain Admins group from - being able to assign privileges to users or groups which can then result in certain - smbd operations running as root that would normally run under the context - of the connected user. - - An example of how privileges can be used is to assign - the right to join clients to a Samba controlled domain without - providing root access to the server via smbd. - - Please read the extended description provided in the - Samba documentation before enabling this option. - - -Default: enable privileges = no - - - - - -enable rid algorithmenable rid algorithm (G) - This option is used to control whether or not smbd in Samba 3.0 should fallback - to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm - development goal is to remove the algorithmic mappings of RIDs altogether, but - this has proved to be difficult. This parameter is mainly provided so that - developers can turn the algorithm on and off and see what breaks. This parameter - should not be disabled by non-developers because certain features in Samba will fail - to work without it. - - - -Default: enable rid algorithm = yes - - - - - -encrypt passwordsencrypt passwords (G) - This boolean controls whether encrypted passwords - will be negotiated with the client. Note that Windows NT 4.0 SP3 and - above and also Windows 98 will by default expect encrypted passwords - unless a registry entry is changed. To use encrypted passwords in - Samba see the chapter "User Database" in the Samba HOWTO Collection. - - - - MS Windows clients that expect Microsoft encrypted passwords and that - do not have plain text password support enabled will be able to - connect only to a Samba server that has encypted password support - enabled and for which the user accounts have a valid encrypted password. - Refer to the smbpasswd command man page for information regarding the - creation of encrypted passwords for user accounts. - - - - The use of plain text passwords is NOT advised as support for this feature - is no longer maintained in Microsoft Windows products. If you want to use - plain text passwords you must set this parameter to no. - - - In order for encrypted passwords to work correctly - smbd - 8 must either - have access to a local smbpasswd - 5 file (see the smbpasswd - 8 program for information on how to set up - and maintain this file), or set the security = [server|domain|ads] parameter which - causes smbd to authenticate against another - server. - -Default: encrypt passwords = yes - - - - - -enhanced browsingenhanced browsing (G) - This option enables a couple of enhancements to - cross-subnet browse propagation that have been added in Samba - but which are not standard in Microsoft implementations. - - - The first enhancement to browse propagation consists of a regular - wildcard query to a Samba WINS server for all Domain Master Browsers, - followed by a browse synchronization with each of the returned - DMBs. The second enhancement consists of a regular randomised browse - synchronization with all currently known DMBs. - - You may wish to disable this option if you have a problem with empty - workgroups not disappearing from browse lists. Due to the restrictions - of the browse protocols these enhancements can cause a empty workgroup - to stay around forever which can be annoying. - - In general you should leave this option enabled as it makes - cross-subnet browse propagation much more reliable. - - -Default: enhanced browsing = yes - - - - - -enumports commandenumports command (G) - The concept of a "port" is fairly foreign - to UNIX hosts. Under Windows NT/2000 print servers, a port - is associated with a port monitor and generally takes the form of - a local port (i.e. LPT1:, COM1:, FILE:) or a remote port - (i.e. LPD Port Monitor, etc...). By default, Samba has only one - port defined--"Samba Printer Port". Under - Windows NT/2000, all printers must have a valid port name. - If you wish to have a list of ports displayed (smbd - does not use a port name for anything) other than - the default "Samba Printer Port", you - can define enumports command to point to - a program which should generate a list of ports, one per line, - to standard output. This listing will then be used in response - to the level 1 and 2 EnumPorts() RPC. - -Default: enumports command = - - -Example: enumports command = /usr/bin/listports - - - - -fake directory create timesfake directory create times (S) - NTFS and Windows VFAT file systems keep a create - time for all files and directories. This is not the same as the - ctime - status change time - that Unix keeps, so Samba by default - reports the earliest of the various times Unix does keep. Setting - this parameter for a share causes Samba to always report midnight - 1-1-1980 as the create time for directories. - - This option is mainly used as a compatibility option for - Visual C++ when used against Samba shares. Visual C++ generated - makefiles have the object directory as a dependency for each object - file, and a make rule to create the directory. Also, when NMAKE - compares timestamps it uses the creation time when examining a - directory. Thus the object directory will be created if it does not - exist, but once it does exist it will always have an earlier - timestamp than the object files it contains. - - However, Unix time semantics mean that the create time - reported by Samba will be updated whenever a file is created or - or deleted in the directory. NMAKE finds all object files in - the object directory. The timestamp of the last one built is then - compared to the timestamp of the object directory. If the - directory's timestamp if newer, then all object files - will be rebuilt. Enabling this option - ensures directories always predate their contents and an NMAKE build - will proceed as expected. - -Default: fake directory create times = no - - - - - -fake oplocksfake oplocks (S) - Oplocks are the way that SMB clients get permission - from a server to locally cache file operations. If a server grants - an oplock (opportunistic lock) then the client is free to assume - that it is the only one accessing the file and it will aggressively - cache file data. With some oplock types the client may even cache - file open/close operations. This can give enormous performance benefits. - - - When you set fake oplocks = yes, - smbd8 will - always grant oplock requests no matter how many clients are using the file. - - It is generally much better to use the real - oplocks support rather - than this parameter. - - If you enable this option on all read-only shares or - shares that you know will only be accessed from one client at a - time such as physically read-only media like CDROMs, you will see - a big performance improvement on many operations. If you enable - this option on shares where multiple clients may be accessing the - files read-write at the same time you can get data corruption. Use - this option carefully! - -Default: fake oplocks = no - - - - - -follow symlinksfollow symlinks (S) - This parameter allows the Samba administrator - to stop smbd - 8 from following symbolic - links in a particular share. Setting this - parameter to no prevents any file or directory - that is a symbolic link from being followed (the user will get an - error). This option is very useful to stop users from adding a - symbolic link to /etc/passwd in their home - directory for instance. However it will slow filename lookups - down slightly. - - This option is enabled (i.e. smbd will - follow symbolic links) by default. - -Default: follow symlinks = yes - - - - - -force create modeforce create mode (S) - This parameter specifies a set of UNIX mode bit - permissions that will always be set on a - file created by Samba. This is done by bitwise 'OR'ing these bits onto - the mode bits of a file that is being created or having its - permissions changed. The default for this parameter is (in octal) - 000. The modes in this parameter are bitwise 'OR'ed onto the file - mode after the mask set in the create mask - parameter is applied. - - The example below would force all created files to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'. - - -Default: force create mode = 000 - - -Example: force create mode = 0755 - - - - -force directory modeforce directory mode (S) - This parameter specifies a set of UNIX mode bit - permissions that will always be set on a directory - created by Samba. This is done by bitwise 'OR'ing these bits onto the - mode bits of a directory that is being created. The default for this - parameter is (in octal) 0000 which will not add any extra permission - bits to a created directory. This operation is done after the mode - mask in the parameter directory mask is - applied. - - The example below would force all created directories to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'. - -Default: force directory mode = 000 - - -Example: force directory mode = 0755 - - - - -force directory security modeforce directory security mode (S) - This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box. - - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'. - - If not set explicitly this parameter is 000, which - allows a user to modify all the user/group/world permissions on a - directory without restrictions. - - Users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it set as 0000. - - -Default: force directory security mode = 0 - - -Example: force directory security mode = 700 - - - - -groupforce groupgroupThis parameter is a synonym for force group. -force groupforce group (S) - This specifies a UNIX group name that will be - assigned as the default primary group for all users connecting - to this service. This is useful for sharing files by ensuring - that all access to files on service will use the named group for - their permissions checking. Thus, by assigning permissions for this - group to the files and directories within this service the Samba - administrator can restrict or allow sharing of these files. - - In Samba 2.0.5 and above this parameter has extended - functionality in the following way. If the group name listed here - has a '+' character prepended to it then the current user accessing - the share only has the primary group default assigned to this group - if they are already assigned as a member of that group. This allows - an administrator to decide that only users who are already in a - particular group will create files with group ownership set to that - group. This gives a finer granularity of ownership assignment. For - example, the setting force group = +sys means - that only users who are already in group sys will have their default - primary group assigned to sys when accessing this Samba share. All - other users will retain their ordinary primary group. - - If the force user - parameter is also set the group specified in - force group will override the primary group - set in force user. - - -Default: force group = - - -Example: force group = agroup - - - - -force printernameforce printername (S) - When printing from Windows NT (or later), - each printer in smb.conf has two - associated names which can be used by the client. The first - is the sharename (or shortname) defined in smb.conf. This - is the only printername available for use by Windows 9x clients. - The second name associated with a printer can be seen when - browsing to the "Printers" (or "Printers and Faxes") folder - on the Samba server. This is referred to simply as the printername - (not to be confused with the printer name option). - - - When assigning a new driver to a printer on a remote - Windows compatible print server such as Samba, the Windows client - will rename the printer to match the driver name just uploaded. - This can result in confusion for users when multiple - printers are bound to the same driver. To prevent Samba from - allowing the printer's printername to differ from the sharename - defined in smb.conf, set force printername = yes. - - - Be aware that enabling this parameter may affect migrating - printers from a Windows server to Samba since Windows has no way to - force the sharename and printername to match. - - It is recommended that this parameter's value not be changed - once the printer is in use by clients as this could cause a user - not be able to delete printer connections from their local Printers - folder. - - -Default: force printername = no - - - - - -force security modeforce security mode (S) - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog - box. - - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a file, the user has always set to be 'on'. - - If not set explicitly this parameter is set to 0, - and allows a user to modify all the user/group/world permissions on a file, - with no restrictions. - - Note that users who can access - the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - this set to 0000. - - -Default: force security mode = 0 - - -Example: force security mode = 700 - - - - -force unknown acl userforce unknown acl user (S) - If this parameter is set, a Windows NT ACL that contains an unknown - SID (security descriptor, or representation of a user or group - id) as the owner or group owner of the file will be silently - mapped into the current UNIX uid or gid of the currently - connected user. - - This is designed to allow Windows NT clients to copy files and - folders containing ACLs that were created locally on the client - machine and contain users local to that machine only (no domain - users) to be copied to a Samba server (usually with XCOPY /O) - and have the unknown userid and groupid of the file owner map to - the current connected user. This can only be fixed correctly - when winbindd allows arbitrary mapping from any Windows NT SID - to a UNIX uid or gid. - - Try using this parameter when XCOPY /O gives an ACCESS_DENIED - error. - -Default: force unknown acl user = no - - - - - -force userforce user (S) - This specifies a UNIX user name that will be - assigned as the default user for all users connecting to this service. - This is useful for sharing files. You should also use it carefully - as using it incorrectly can cause security problems. - - This user name only gets used once a connection is established. - Thus clients still need to connect as a valid user and supply a - valid password. Once connected, all file operations will be performed - as the "forced user", no matter what username the client connected - as. This can be very useful. - - In Samba 2.0.5 and above this parameter also causes the - primary group of the forced user to be used as the primary group - for all file activity. Prior to 2.0.5 the primary group was left - as the primary group of the connecting user (this was a bug). - - -Default: force user = - - -Example: force user = auser - - - - -fstypefstype (S) - This parameter allows the administrator to - configure the string that specifies the type of filesystem a share - is using that is reported by smbd - 8 when a client queries the filesystem type - for a share. The default type is NTFS for - compatibility with Windows NT but this can be changed to other - strings such as Samba or FAT - if required. - -Default: fstype = NTFS - - -Example: fstype = Samba - - - - -get quota commandget quota command (G) - The get quota command should only be used - whenever there is no operating system API available from the OS that - samba can use. - - This option is only available with ./configure --with-sys-quotas. - Or on linux when ./configure --with-quotas was used and a working quota api - was found in the system. - - This parameter should specify the path to a script that - queries the quota information for the specified - user/group for the partition that - the specified directory is on. - - Such a script should take 3 arguments: - - - directory - type of query - uid of user or gid of group - - - The type of query can be one of : - - - 1 - user quotas - 2 - user default quotas (uid = -1) - 3 - group quotas - 4 - group default quotas (gid = -1) - - - This script should print one line as output with spaces between the arguments. The arguments are: - - - - Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced) - Arg 2 - number of currently used blocks - Arg 3 - the softlimit number of blocks - Arg 4 - the hardlimit number of blocks - Arg 5 - currently used number of inodes - Arg 6 - the softlimit number of inodes - Arg 7 - the hardlimit number of inodes - Arg 8(optional) - the number of bytes in a block(default is 1024) - - -Default: get quota command = - - -Example: get quota command = /usr/local/sbin/query_quota - - - - -getwd cachegetwd cache (G) - This is a tuning option. When this is enabled a - caching algorithm will be used to reduce the time taken for getwd() - calls. This can have a significant impact on performance, especially - when the wide links - parameter is set to no. - -Default: getwd cache = yes - - - - - -guest accountguest account (G) - This is a username which will be used for access - to services which are specified as - guest ok (see below). Whatever privileges this - user has will be available to any client connecting to the guest service. - This user must exist in the password file, but does not require - a valid login. The user account "ftp" is often a good choice - for this parameter. - - - On some systems the default guest account "nobody" may not - be able to print. Use another account in this case. You should test - this by trying to log in as your guest user (perhaps by using the - su - command) and trying to print using the - system print command such as lpr(1) or - lp(1). - - This parameter does not accept % macros, because - many parts of the system require this value to be - constant for correct operation. - -Default: guest account = nobody -# default can be changed at compile-time - - -Example: guest account = ftp - - - - -publicguest okpublicThis parameter is a synonym for guest ok. -guest okguest ok (S) - If this parameter is yes for - a service, then no password is required to connect to the service. - Privileges will be those of the - guest account. - - This paramater nullifies the benifits of setting - restrict - anonymous = 2 - - See the section below on - security for more information about this option. - - -Default: guest ok = no - - - - - -only guestguest onlyonly guestThis parameter is a synonym for guest only. -guest onlyguest only (S) - If this parameter is yes for - a service, then only guest connections to the service are permitted. - This parameter will have no effect if - guest ok is not set for the service. - - See the section below on - security for more information about this option. - - -Default: guest only = no - - - - - -hide dot fileshide dot files (S) - This is a boolean parameter that controls whether - files starting with a dot appear as hidden files. - -Default: hide dot files = yes - - - - - -hide fileshide files (S) - This is a list of files or directories that are not - visible but are accessible. The DOS 'hidden' attribute is applied - to any files or directories that match. - - Each entry in the list must be separated by a '/', - which allows spaces to be included in the entry. '*' - and '?' can be used to specify multiple files or directories - as in DOS wildcards. - - Each entry must be a Unix path, not a DOS path and must - not include the Unix directory separator '/'. - - Note that the case sensitivity option is applicable - in hiding files. - - Setting this parameter will affect the performance of Samba, - as it will be forced to check all files and directories for a match - as they are scanned. - -Default: hide files = -# no file are hidden - - -Example: hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ -# -The above example is based on files that the Macintosh -SMB client (DAVE) available from -Thursby creates for internal use, and also still hides -all files beginning with a dot. - - - - -hide special fileshide special files (S) - This parameter prevents clients from seeing - special files such as sockets, devices and fifo's in directory - listings. - - -Default: hide special files = no - - - - - -hide unreadablehide unreadable (S) - This parameter prevents clients from seeing the - existance of files that cannot be read. Defaults to off. - -Default: hide unreadable = no - - - - - -hide unwriteable fileshide unwriteable files (S) - This parameter prevents clients from seeing - the existance of files that cannot be written to. Defaults to off. - Note that unwriteable directories are shown as usual. - - -Default: hide unwriteable files = no - - - - - -homedir maphomedir map (G) - Ifnis homedir - is yes, and smbd - 8 is also acting - as a Win95/98 logon server then this parameter - specifies the NIS (or YP) map from which the server for the user's - home directory should be extracted. At present, only the Sun - auto.home map format is understood. The form of the map is: - - username server:/some/file/system - - and the program will extract the servername from before - the first ':'. There should probably be a better parsing system - that copes with different map formats and also Amd (another - automounter) maps. - - A working NIS client is required on - the system for this option to work. - -Default: homedir map = - - -Example: homedir map = amd.homedir - - - - -host msdfshost msdfs (G) - If set to yes, Samba will act as a Dfs - server, and allow Dfs-aware clients to browse Dfs trees hosted - on the server. - - See also the - msdfs root share level parameter. For - more information on setting up a Dfs tree on Samba, - refer to . - - -Default: host msdfs = no - - - - - -hostname lookupshostname lookups (G) - Specifies whether samba should use (expensive) - hostname lookups or use the ip addresses instead. An example place - where hostname lookups are currently used is when checking - the hosts deny and hosts allow. - - -Default: hostname lookups = no - - -Example: hostname lookups = yes - - - - -allow hostshosts allowallow hostsThis parameter is a synonym for hosts allow. -hosts allowhosts allow (S) - A synonym for this parameter is allow - hosts. - - This parameter is a comma, space, or tab delimited - set of hosts which are permitted to access a service. - - If specified in the [global] section then it will - apply to all services, regardless of whether the individual - service has a different setting. - - You can specify the hosts by name or IP number. For - example, you could restrict access to only the hosts on a - Class C subnet with something like allow hosts = 150.203.5. - . The full syntax of the list is described in the man - page hosts_access(5). Note that this man - page may not be present on your system, so a brief description will - be given here also. - - Note that the localhost address 127.0.0.1 will always - be allowed access unless specifically denied by a - hosts deny option. - - You can also specify hosts by network/netmask pairs and - by netgroup names if your system supports netgroups. The - EXCEPT keyword can also be used to limit a - wildcard list. The following examples may provide some help: - -Example 1: allow all IPs in 150.203.*.*; except one - - hosts allow = 150.203. EXCEPT 150.203.6.66 - - Example 2: allow hosts that match the given network/netmask - - hosts allow = 150.203.15.0/255.255.255.0 - - Example 3: allow a couple of hosts - - hosts allow = lapland, arvidsjaur - - Example 4: allow only hosts in NIS netgroup "foonet", but - deny access from one particular host - - hosts allow = @foonet - - hosts deny = pirate - - Note that access still requires suitable user-level passwords. - - See testparm - 1 for a way of testing your host access - to see if it does what you expect. - - - -Default: hosts allow = -# none (i.e., all hosts permitted access) - - -Example: hosts allow = 150.203.5. myhost.mynet.edu.au - - - - -deny hostshosts denydeny hostsThis parameter is a synonym for hosts deny. -hosts denyhosts deny (S) - The opposite of hosts allow - - hosts listed here are NOT permitted access to - services unless the specific services have their own lists to override - this one. Where the lists conflict, the allow - list takes precedence. - -Default: hosts deny = -# none (i.e., no hosts specifically excluded) - - -Example: hosts deny = 150.203.4. badhost.mynet.edu.au - - - - -hosts equivhosts equiv (G) - If this global parameter is a non-null string, - it specifies the name of a file to read for the names of hosts - and users who will be allowed access without specifying a password. - - - This is not be confused with - hosts allow which is about hosts - access to services and is more useful for guest services. - hosts equiv may be useful for NT clients which will - not supply passwords to Samba. - - The use of hosts equiv - can be a major security hole. This is because you are - trusting the PC to supply the correct username. It is very easy to - get a PC to supply a false username. I recommend that the - hosts equiv option be only used if you really - know what you are doing, or perhaps on a home network where you trust - your spouse and kids. And only if you really trust - them :-). - -Default: hosts equiv = -# no host equivalences - - -Example: hosts equiv = hosts equiv = /etc/hosts.equiv - - - - -idmap backendidmap backend (G) - - The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap - tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common - LDAP backend. This way all domain members and controllers will have the same UID and GID - to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux - systems that are sharing information over protocols other than SMB/CIFS (ie: NFS). - - - - An alternate method of SID to UID / GID mapping can be achieved using the idmap_rid - plug-in. This plug-in uses the account RID to derive the UID and GID by adding the - RID to a base value specified. This utility requires that the parameter - allow trusted domains = No must be specified, as it is not compatible - with multiple domain environments. The idmap uid and idmap gid ranges must also be - specified. - - -Default: idmap backend = - - -Example: idmap backend = ldap:ldap://ldapslave.example.com - -Example: idmap backend = idmap_rid:DOMNAME=1000-100000000 - - - - -winbind gididmap gidwinbind gidThis parameter is a synonym for idmap gid. -idmap gididmap gid (G) - - The idmap gid parameter specifies the range of group ids that are allocated for - the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no - existing local or NIS groups within it as strange conflicts can occur otherwise. - - The availability of an idmap gid range is essential for correct operation of - all group mapping. - -Default: idmap gid = - - -Example: idmap gid = 10000-20000 - - - - -winbind uididmap uidwinbind uidThis parameter is a synonym for idmap uid. -idmap uididmap uid (G) - The idmap uid parameter specifies the range of user ids that are allocated for use - in mapping UNIX users to NT user SIDs. This range of ids should have no existing local - or NIS users within it as strange conflicts can occur otherwise. - -Default: idmap uid = - - -Example: idmap uid = 10000-20000 - - - - -includeinclude (G) - This allows you to include one config file - inside another. The file is included literally, as though typed - in place. - - It takes the standard substitutions, except %u - , %P and %S. - - -Default: include = - - -Example: include = /usr/local/samba/lib/admin_smb.conf - - - - -inherit aclsinherit acls (S) - This parameter can be used to ensure that if default acls - exist on parent directories, they are always honored when creating a - subdirectory. The default behavior is to use the mode specified when - creating the directory. Enabling this option sets the mode to 0777, - thus guaranteeing that default directory acls are propagated. - - -Default: inherit acls = no - - - - - -inherit ownerinherit owner (S) - The ownership of new files and directories - is normally governed by effective uid of the connected user. - This option allows the Samba administrator to specify that - the ownership for new files and directories should be controlled - by the ownership of the parent directory. - - Common scenarios where this behavior is useful is in - implementing drop-boxes where users can create and edit files but not - delete them and to ensure that newly create files in a user's - roaming profile directory are actually owner by the user. - -Default: inherit owner = no - - - - - -inherit permissionsinherit permissions (S) - The permissions on new files and directories - are normally governed by - create mask, - directory mask, - force create mode - and force - directory mode but the boolean inherit - permissions parameter overrides this. - - New directories inherit the mode of the parent directory, - including bits such as setgid. - - New files inherit their read/write bits from the parent - directory. Their execute bits continue to be determined by - map archive - , map hidden - and map system - as usual. - - Note that the setuid bit is never set via - inheritance (the code explicitly prohibits this). - - This can be particularly useful on large systems with - many users, perhaps several thousand, to allow a single [homes] - share to be used flexibly by each user. - -Default: inherit permissions = no - - - - - -interfacesinterfaces (G) - This option allows you to override the default - network interfaces list that Samba will use for browsing, name - registration and other NBT traffic. By default Samba will query - the kernel for the list of all active interfaces and use any - interfaces except 127.0.0.1 that are broadcast capable. - - The option takes a list of interface strings. Each string - can be in any of the following forms: - - - a network interface name (such as eth0). - This may include shell-like wildcards so eth* will match - any interface starting with the substring "eth" - - an IP address. In this case the netmask is - determined from the list of interfaces obtained from the - kernel - - an IP/mask pair. - - a broadcast/mask pair. - - - The "mask" parameters can either be a bit length (such - as 24 for a C class network) or a full netmask in dotted - decimal form. - - The "IP" parameters above can either be a full dotted - decimal IP address or a hostname which will be looked up via - the OS's normal hostname resolution mechanisms. - - -Default: interfaces = -# all active interfaces except 127.0.0.1 that are broadcast capable - - -Example: interfaces = - -# This would configure three network interfaces corresponding - to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. - The netmasks of the latter two interfaces would be set to 255.255.255.0. - eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 - - - - - -invalid usersinvalid users (S) - This is a list of users that should not be allowed - to login to this service. This is really a paranoid - check to absolutely ensure an improper setting does not breach - your security. - - A name starting with a '@' is interpreted as an NIS - netgroup first (if your system supports NIS), and then as a UNIX - group if the name was not found in the NIS netgroup database. - - A name starting with '+' is interpreted only - by looking in the UNIX group database. A name starting with - '&' is interpreted only by looking in the NIS netgroup database - (this requires NIS to be working on your system). The characters - '+' and '&' may be used at the start of the name in either order - so the value +&group means check the - UNIX group database, followed by the NIS netgroup database, and - the value &+group means check the NIS - netgroup database, followed by the UNIX group database (the - same as the '@' prefix). - - The current servicename is substituted for %S. - This is useful in the [homes] section. - -Default: invalid users = -# no invalid users - - -Example: invalid users = root fred admin @wheel - - - - -keepalivekeepalive (G) - The value of the parameter (an integer) represents - the number of seconds between keepalive - packets. If this parameter is zero, no keepalive packets will be - sent. Keepalive packets, if sent, allow the server to tell whether - a client is still present and responding. - - Keepalives should, in general, not be needed if the socket - being used has the SO_KEEPALIVE attribute set on it (see - socket options). -Basically you should only use this option if you strike difficulties. - -Default: keepalive = 300 - - -Example: keepalive = 600 - - - - -kernel change notifykernel change notify (G) - This parameter specifies whether Samba should ask the - kernel for change notifications in directories so that - SMB clients can refresh whenever the data on the server changes. - - - This parameter is only used when your kernel supports - change notification to user programs, using the F_NOTIFY fcntl. - - -Default: kernel change notify = yes - - - - - -kernel oplockskernel oplocks (G) - For UNIXes that support kernel based - oplocks - (currently only IRIX and the Linux 2.4 kernel), this parameter - allows the use of them to be turned on or off. - - Kernel oplocks support allows Samba oplocks - to be broken whenever a local UNIX process or NFS operation - accesses a file that smbd - 8 has oplocked. This allows complete - data consistency between SMB/CIFS, NFS and local file access (and is - a very cool feature :-). - - This parameter defaults to on, but is translated - to a no-op on systems that no not have the necessary kernel support. - You should never need to touch this parameter. - -Default: kernel oplocks = yes - - - - - -lanman authlanman auth (G) - This parameter determines whether or not smbd - 8 will attempt to - authenticate users or permit password changes - using the LANMAN password hash. If disabled, only clients which support NT - password hashes (e.g. Windows NT/2000 clients, smbclient, but not - Windows 95/98 or the MS DOS network client) will be able to - connect to the Samba host. - - The LANMAN encrypted response is easily broken, due to it's - case-insensitive nature, and the choice of algorithm. Servers - without Windows 95/98/ME or MS DOS clients are advised to disable - this option. - - Unlike the encypt - passwords option, this parameter cannot alter client - behaviour, and the LANMAN response will still be sent over the - network. See the client lanman - auth to disable this for Samba's clients (such as smbclient) - - If this option, and ntlm - auth are both disabled, then only NTLMv2 logins will be - permited. Not all clients support NTLMv2, and most will require - special configuration to use it. - -Default: lanman auth = yes - - - - - -large readwritelarge readwrite (G) - This parameter determines whether or not - smbd - 8 supports the new 64k - streaming read and write varient SMB requests introduced with - Windows 2000. Note that due to Windows 2000 client redirector bugs - this requires Samba to be running on a 64-bit capable operating - system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve - performance by 10% with Windows 2000 clients. Defaults to on. Not as - tested as some other Samba code paths. - -Default: large readwrite = yes - - - - - -ldap admin dnldap admin dn (G) - The ldap admin dn - defines the Distinguished Name (DN) name used by Samba to - contact the ldap server when retreiving user account - information. The ldap admin - dn is used in conjunction with the admin dn password - stored in the private/secrets.tdb file. - See the smbpasswd - 8 man page for more - information on how to accmplish this. - -No default - - - -ldap delete dnldap delete dn (G) - This parameter specifies whether a delete - operation in the ldapsam deletes the complete entry or only the attributes - specific to Samba. - - -Default: ldap delete dn = no - - - - - -ldap filterldap filter (G) - This parameter specifies the RFC 2254 compliant LDAP search filter. - The default is to match the login name with the uid - attribute. Note that this filter should only return one entry. - - -Default: ldap filter = (uid=%u) - - -Example: ldap filter = (&(uid=%u)(objectclass=sambaSamAccount)) - - - - -ldap group suffixldap group suffix (G) - This parameters specifies the suffix that is - used for groups when these are added to the LDAP directory. - If this parameter is unset, the value of ldap suffix will be used instead. - - -Default: ldap group suffix = - - -Example: ldap group suffix = ou=Groups,dc=samba,ou=Groups - - - - -ldap idmap suffixldap idmap suffix (G) - This parameters specifies the suffix that is - used when storing idmap mappings. If this parameter - is unset, the value of ldap suffix - will be used instead. - -Default: ldap idmap suffix = - - -Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org - - - - -ldap machine suffixldap machine suffix (G) - It specifies where machines should be added to the ldap tree. - -Default: ldap machine suffix = - - - - - -ldap passwd syncldap passwd sync (G) - This option is used to define whether - or not Samba should sync the LDAP password with the NT - and LM hashes for normal accounts (NOT for - workstation, server or domain trusts) on a password - change via SAMBA. - - - The ldap passwd - sync can be set to one of three values: - - - - Yes = Try - to update the LDAP, NT and LM passwords and update the pwdLastSet time. - - - - No = Update NT and - LM passwords and update the pwdLastSet time. - - - - Only = Only update - the LDAP password and let the LDAP server do the rest. - - - -Default: ldap passwd sync = no - - - - - -ldap portldap port (G) - This parameter is only available if Samba has been - configure to include the --with-ldapsam option - at compile time. - - This option is used to control the tcp port number used to contact - the ldap server. - The default is to use the stand LDAPS port 636. - -Default: ldap port = 636 -# if ldap ssl = on - -Default: ldap port = 389 -# if ldap ssl = off - - - - - -ldap replication sleepldap replication sleep (G) - When Samba is asked to write to a read-only LDAP -replica, we are redirected to talk to the read-write master server. -This server then replicates our changes back to the 'local' server, -however the replication might take some seconds, especially over slow -links. Certain client activities, particularly domain joins, can become -confused by the 'success' that does not immediately change the LDAP -back-end's data. - This option simply causes Samba to wait a short time, to -allow the LDAP server to catch up. If you have a particularly -high-latency network, you may wish to time the LDAP replication with a -network sniffer, and increase this value accordingly. Be aware that no -checking is performed that the data has actually replicated. - The value is specified in milliseconds, the maximum -value is 5000 (5 seconds). - -Default: ldap replication sleep = 1000 - - - - - -ldapsam:trustedldapsam:trusted (G) - - -By default, Samba as a Domain Controller with an LDAP backend needs to use the -Unix-style NSS subsystem to access user and group information. Due to the way -Unix stores user information in /etc/passwd and /etc/group this inevitably -leads to inefficiencies. One important question a user needs to know is the -list of groups he is member of. The plain Unix model involves a complete -enumeration of the file /etc/group and its NSS counterparts in LDAP. In this -particular case there often optimized functions are available in Unix, but for -other queries there is no optimized function available. - -To make Samba scale well in large environments, the ldapsam:trusted=yes -option assumes that the complete user and group database that is relevant to -Samba is stored in LDAP with the standard posixAccount/posixGroup model, and -that the Samba auxiliary object classes are stored together with the the posix -data in the same LDAP object. If these assumptions are met, -ldapsam:trusted=yes can be activated and Samba can completely bypass the NSS -system to query user information. Optimized LDAP queries can speed up domain -logon and administration tasks a lot. Depending on the size of the LDAP -database a factor of 100 or more for common queries is easily achieved. - - -Default: ldapsam:trusted = no - - - - - -ldap serverldap server (G) - This parameter is only available if Samba has been - configure to include the --with-ldapsam - option at compile time. - - This parameter should contain the FQDN of the ldap directory - server which should be queried to locate user account information. - - -Default: ldap server = localhost - - - - - -ldap sslldap ssl (G) - This option is used to define whether or not Samba should - use SSL when connecting to the ldap server - This is NOT related to - Samba's previous SSL support which was enabled by specifying the - --with-ssl option to the configure - script. - - The ldap ssl can be set to one of three values: - - - Off = Never - use SSL when querying the directory. - - - - Start_tls = Use - the LDAPv3 StartTLS extended operation (RFC2830) for - communicating with the directory server. - - - - On = Use SSL - on the ldaps port when contacting the ldap server. Only available when the - backwards-compatiblity --with-ldapsam option is specified - to configure. See passdb backend - - - -Default: ldap ssl = start_tls - - - - - -ldap suffixldap suffix (G) - Specifies where user and machine accounts are added to the - tree. Can be overriden by ldap user - suffix and ldap machine - suffix. It also used as the base dn for all ldap -searches. - -Default: ldap suffix = - - - - - -ldap timeoutldap timeout (G) - When Samba connects to an ldap server that server -may be down or unreachable. To prevent Samba from hanging whilst -waiting for the connection this parameter specifies in seconds how -long Samba should wait before failing the connect. The default is -to only wait fifteen seconds for the ldap server to respond to the -connect request. - -Default: ldap timeout = 15 - - - - - -ldap user suffixldap user suffix (G) - This parameter specifies where users are added to the tree. - If this parameter is not specified, the value from ldap suffix. - - -Default: ldap user suffix = - - - - - -level2 oplockslevel2 oplocks (S) - This parameter controls whether Samba supports - level2 (read-only) oplocks on a share. - - Level2, or read-only oplocks allow Windows NT clients - that have an oplock on a file to downgrade from a read-write oplock - to a read-only oplock once a second client opens the file (instead - of releasing all oplocks on a second open, as in traditional, - exclusive oplocks). This allows all openers of the file that - support level2 oplocks to cache the file for read-ahead only (ie. - they may not cache writes or lock requests) and increases performance - for many accesses of files that are not commonly written (such as - application .EXE files). - - Once one of the clients which have a read-only oplock - writes to the file all clients are notified (no reply is needed - or waited for) and told to break their oplocks to "none" and - delete any read-ahead caches. - - It is recommended that this parameter be turned on to - speed access to shared executables. - - For more discussions on level2 oplocks see the CIFS spec. - - Currently, if kernel - oplocks are supported then level2 oplocks are - not granted (even if this parameter is set to yes). - Note also, the oplocks - parameter must be set to yes on this share in order for - this parameter to have any effect. - -Default: level2 oplocks = yes - - - - - -lm announcelm announce (G) - This parameter determines if nmbd - 8 will produce Lanman announce - broadcasts that are needed by OS/2 clients in order for them to see - the Samba server in their browse list. This parameter can have three - values, yes, no, or - auto. The default is auto. - If set to no Samba will never produce these - broadcasts. If set to yes Samba will produce - Lanman announce broadcasts at a frequency set by the parameter - lm interval. If set to auto - Samba will not send Lanman announce broadcasts by default but will - listen for them. If it hears such a broadcast on the wire it will - then start sending them at a frequency set by the parameter - lm interval. - -Default: lm announce = auto - - -Example: lm announce = yes - - - - -lm intervallm interval (G) - If Samba is set to produce Lanman announce - broadcasts needed by OS/2 clients (see the - lm announce parameter) then this - parameter defines the frequency in seconds with which they will be - made. If this is set to zero then no Lanman announcements will be - made despite the setting of the lm announce - parameter. - -Default: lm interval = 60 - - -Example: lm interval = 120 - - - - -load printersload printers (G) - A boolean variable that controls whether all - printers in the printcap will be loaded for browsing by default. - See the printers section for - more details. - -Default: load printers = yes - - - - - -local masterlocal master (G) - This option allows nmbd - 8 to try and become a local master browser - on a subnet. If set to no then - nmbd will not attempt to become a local master browser - on a subnet and will also lose in all browsing elections. By - default this value is set to yes. Setting this value to - yes doesn't mean that Samba will become the - local master browser on a subnet, just that nmbd - will participate in elections for local master browser. - - Setting this value to no will cause nmbd never to become a local -master browser. - -Default: local master = yes - - - - - -lock dirlock directorylock dirThis parameter is a synonym for lock directory. -lock directorylock directory (G) - This option specifies the directory where lock - files will be placed. The lock files are used to implement the - max connections - option. - -Default: lock directory = ${prefix}/var/locks - - -Example: lock directory = /var/run/samba/locks - - - - -lockinglocking (S) - This controls whether or not locking will be - performed by the server in response to lock requests from the - client. - - If locking = no, all lock and unlock - requests will appear to succeed and all lock queries will report - that the file in question is available for locking. - - If locking = yes, real locking will be performed - by the server. - - This option may be useful for read-only - filesystems which may not need locking (such as - CDROM drives), although setting this parameter of no - is not really recommended even in this case. - - Be careful about disabling locking either globally or in a - specific service, as lack of locking may result in data corruption. - You should never need to set this parameter. - -No default - - - -lock spin countlock spin count (G) - This parameter controls the number of times - that smbd should attempt to gain a byte range lock on the - behalf of a client request. Experiments have shown that - Windows 2k servers do not reply with a failure if the lock - could not be immediately granted, but try a few more times - in case the lock could later be acquired. This behavior - is used to support PC database formats such as MS Access - and FoxPro. - - -Default: lock spin count = 3 - - - - - -lock spin timelock spin time (G) - The time in microseconds that smbd should - pause before attempting to gain a failed lock. See - lock spin - count for more details. - -Default: lock spin time = 10 - - - - - -log filelog file (G) - This option allows you to override the name - of the Samba log file (also known as the debug file). - - This option takes the standard substitutions, allowing - you to have separate log files for each user or machine. - -No default -Example: log file = /usr/local/samba/var/log.%m - - - - -debuglevellog leveldebuglevelThis parameter is a synonym for log level. -log levellog level (G) - The value of the parameter (a astring) allows - the debug level (logging level) to be specified in the - smb.conf file. This parameter has been - extended since the 2.2.x series, now it allow to specify the debug - level for multiple debug classes. This is to give greater - flexibility in the configuration of the system. - - The default will be the log level specified on - the command line or level zero if none was specified. - - -No default -Example: log level = 3 passdb:5 auth:10 winbind:2 - - - - -logon drivelogon drive (G) - This parameter specifies the local path to - which the home directory will be connected (see - logon home) - and is only used by NT Workstations. - - Note that this option is only useful if Samba is set up as a - logon server. - -Default: logon drive = z: - - -Example: logon drive = h: - - - - -logon homelogon home (G) - This parameter specifies the home directory - location when a Win95/98 or NT Workstation logs into a Samba PDC. - It allows you to do - - C:\> - NET USE H: /HOME - - - from a command prompt, for example. - - This option takes the standard substitutions, allowing - you to have separate logon scripts for each user or machine. - - This parameter can be used with Win9X workstations to ensure - that roaming profiles are stored in a subdirectory of the user's - home directory. This is done in the following way: - - logon home = \\%N\%U\profile - - This tells Samba to return the above string, with - substitutions made when a client requests the info, generally - in a NetUserGetInfo request. Win9X clients truncate the info to - \\server\share when a user does net use /home - but use the whole string when dealing with profiles. - - Note that in prior versions of Samba, the - logon path was returned rather than - logon home. This broke net use /home but allowed profiles outside the home directory. - The current implementation is correct, and can be used for profiles if you use - the above trick. - - This option is only useful if Samba is set up as a logon - server. - -Default: logon home = \\%N\%U - - -Example: logon home = \\remote_smb_server\%U - - - - -logon pathlogon path (G) - This parameter specifies the home directory - where roaming profiles (NTuser.dat etc files for Windows NT) are - stored. Contrary to previous versions of these manual pages, it has - nothing to do with Win 9X roaming profiles. To find out how to - handle roaming profiles for Win 9X system, see the - logon home parameter. - - This option takes the standard substitutions, allowing you - to have separate logon scripts for each user or machine. It also - specifies the directory from which the "Application Data", - (desktop, start menu, - network neighborhood, programs - and other folders, and their contents, are loaded and displayed on - your Windows NT client. - - The share and the path must be readable by the user for - the preferences and directories to be loaded onto the Windows NT - client. The share must be writeable when the user logs in for the first - time, in order that the Windows NT client can create the NTuser.dat - and other directories. - - Thereafter, the directories and any of the contents can, - if required, be made read-only. It is not advisable that the - NTuser.dat file be made read-only - rename it to NTuser.man to - achieve the desired effect (a MANdatory - profile). - - Windows clients can sometimes maintain a connection to - the [homes] share, even though there is no user logged in. - Therefore, it is vital that the logon path does not include a - reference to the homes share (i.e. setting this parameter to - \%N\%U\profile_path will cause problems). - - This option takes the standard substitutions, allowing - you to have separate logon scripts for each user or machine. - - - - Do not quote the value. Setting this as \\%N\profile\%U - will break profile handling. - - - Note that this option is only useful if Samba is set up - as a logon server. - -Default: logon path = \\%N\%U\profile - - -Example: logon path = >\\PROFILESERVER\PROFILE\%U - - - - -logon scriptlogon script (G) - This parameter specifies the batch file (.bat) or - NT command file (.cmd) to be downloaded and run on a machine when - a user successfully logs in. The file must contain the DOS - style CR/LF line endings. Using a DOS-style editor to create the - file is recommended. - - The script must be a relative path to the [netlogon] - service. If the [netlogon] service specifies a - path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then - the file that will be downloaded is: - - /usr/local/samba/netlogon/STARTUP.BAT - - The contents of the batch file are entirely your choice. A - suggested command would be to add NET TIME \\SERVER /SET - /YES, to force every machine to synchronize clocks with - the same time server. Another use would be to add NET USE - U: \\SERVER\UTILS for commonly used utilities, or - NET USE Q: \\SERVER\ISO9001_QA for example. - - Note that it is particularly important not to allow write - access to the [netlogon] share, or to grant users write permission - on the batch files in a secure environment, as this would allow - the batch files to be arbitrarily modified and security to be - breached. - - This option takes the standard substitutions, allowing you - to have separate logon scripts for each user or machine. - - This option is only useful if Samba is set up as a logon - server. - -Default: logon script = - - -Example: logon script = scripts\%U.bat - - - - -lppause commandlppause command (S) - This parameter specifies the command to be - executed on the server host in order to stop printing or spooling - a specific print job. - - This command should be a program or script which takes - a printer name and job number to pause the print job. One way - of implementing this is by using job priorities, where jobs - having a too low priority won't be sent to the printer. - - If a %p is given then the printer name - is put in its place. A %j is replaced with - the job number (an integer). On HPUX (see printing=hpux - ), if the -p%p option is added - to the lpq command, the job will show up with the correct status, i.e. - if the job priority is lower than the set fence priority it will - have the PAUSED status, whereas if the priority is equal or higher it - will have the SPOOLED or PRINTING status. - - Note that it is good practice to include the absolute path - in the lppause command as the PATH may not be available to the server. - -Default: lppause command = -# Currently no default value is given to - this string, unless the value of the printing - parameter is SYSV, in which case the default is : lp -i %p-%j -H hold or if the value of the printing parameter is SOFTQ, then the default is: qstat -s -j%j -h. - - -Example: lppause command = /usr/bin/lpalt %p-%j -p0 - - - - -lpq cache timelpq cache time (G) - This controls how long lpq info will be cached - for to prevent the lpq command being called too - often. A separate cache is kept for each variation of the - lpq command used by the system, so if you use different - lpq commands for different users then they won't - share cache information. - - The cache files are stored in /tmp/lpq.xxxx - where xxxx is a hash of the lpq command in use. - - The default is 10 seconds, meaning that the cached results - of a previous identical lpq command will be used - if the cached data is less than 10 seconds old. A large value may - be advisable if your lpq command is very slow. - -A value of 0 will disable caching completely. - -Default: lpq cache time = 10 - - -Example: lpq cache time = 30 - - - - -lpq commandlpq command (S) - This parameter specifies the command to be - executed on the server host in order to obtain lpq - -style printer status information. - - This command should be a program or script which - takes a printer name as its only parameter and outputs printer - status information. - - Currently nine styles of printer status information - are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. - This covers most UNIX systems. You control which type is expected - using the printing = option. - - Some clients (notably Windows for Workgroups) may not - correctly send the connection number for the printer they are - requesting status information about. To get around this, the - server reports on the first printer service connected to by the - client. This only happens if the connection number sent is invalid. - - If a %p is given then the printer name - is put in its place. Otherwise it is placed at the end of the - command. - - Note that it is good practice to include the absolute path - in the lpq command as the $PATH - may not be available to the server. When compiled with - the CUPS libraries, no lpq command is - needed because smbd will make a library call to obtain the - print queue listing. - -Default: lpq command = - - -Example: lpq command = /usr/bin/lpq -P%p - - - - -lpresume commandlpresume command (S) - This parameter specifies the command to be - executed on the server host in order to restart or continue - printing or spooling a specific print job. - - This command should be a program or script which takes - a printer name and job number to resume the print job. See - also the lppause command - parameter. - - If a %p is given then the printer name - is put in its place. A %j is replaced with - the job number (an integer). - - Note that it is good practice to include the absolute path - in the lpresume command as the PATH may not - be available to the server. - - See also the printing - parameter. - - Default: Currently no default value is given - to this string, unless the value of the printing - parameter is SYSV, in which case the default is : - - lp -i %p-%j -H resume - - or if the value of the printing parameter - is SOFTQ, then the default is: - - qstat -s -j%j -r - -Default: lpresume command = lpresume command = /usr/bin/lpalt %p-%j -p2 - - - - - -lprm commandlprm command (S) - This parameter specifies the command to be - executed on the server host in order to delete a print job. - - This command should be a program or script which takes - a printer name and job number, and deletes the print job. - - If a %p is given then the printer name - is put in its place. A %j is replaced with - the job number (an integer). - - Note that it is good practice to include the absolute - path in the lprm command as the PATH may not be - available to the server. - - -Default: lprm command = -# depends on the setting of printing - - -Example: lprm command = /usr/bin/lprm -P%p %j - -Example: lprm command = /usr/bin/cancel %p-%j - - - - -machine password timeoutmachine password timeout (G) - If a Samba server is a member of a Windows - NT Domain (see the security = domain - parameter) then periodically a running smbd - process will try and change the MACHINE ACCOUNT - PASSWORD stored in the TDB called private/secrets.tdb - . This parameter specifies how often this password - will be changed, in seconds. The default is one week (expressed in - seconds), the same as a Windows NT Domain member server. - - See also smbpasswd - 8, and the - security = domain parameter. - - -Default: machine password timeout = 604800 - - - - - -magic outputmagic output (S) - This parameter specifies the name of a file - which will contain output created by a magic script (see the - magic script - parameter below). - -If two clients use the same magic script - in the same directory the output file content - is undefined. - -Default: magic output = <magic script name>.out - - -Example: magic output = myfile.txt - - - - -magic scriptmagic script (S) - This parameter specifies the name of a file which, - if opened, will be executed by the server when the file is closed. - This allows a UNIX script to be sent to the Samba host and - executed on behalf of the connected user. - - Scripts executed in this way will be deleted upon - completion assuming that the user has the appropriate level - of privilege and the file permissions allow the deletion. - - If the script generates output, output will be sent to - the file specified by the - magic output parameter (see above). - - Note that some shells are unable to interpret scripts - containing CR/LF instead of CR as - the end-of-line marker. Magic scripts must be executable - as is on the host, which for some hosts and - some shells will require filtering at the DOS end. - - Magic scripts are EXPERIMENTAL and - should NOT be relied upon. - -Default: magic script = - - -Example: magic script = user.csh - - - - -mangled mapmangled map (S) - This is for those who want to directly map UNIX - file names which cannot be represented on Windows/DOS. The mangling - of names is not always what is needed. In particular you may have - documents with file extensions that differ between DOS and UNIX. - For example, under UNIX it is common to use .html - for HTML files, whereas under Windows/DOS .htm - is more commonly used. - - So to map html to htm - you would use: - - mangled map = (*.html *.htm) - - One very useful case is to remove the annoying ;1 - off the ends of filenames on some CDROMs (only visible - under some UNIXes). To do this use a map of (*;1 *;). - -Default: mangled map = -# no mangled map - - -Example: mangled map = (*;1 *;) - - - - -mangled namesmangled names (S) - This controls whether non-DOS names under UNIX - should be mapped to DOS-compatible names ("mangled") and made visible, - or whether non-DOS names should simply be ignored. - - See the section on NAME MANGLING for - details on how to control the mangling process. - - If mangling is used then the mangling algorithm is as follows: - - - - The first (up to) five alphanumeric characters - before the rightmost dot of the filename are preserved, forced - to upper case, and appear as the first (up to) five characters - of the mangled name. - - - - A tilde "~" is appended to the first part of the mangled - name, followed by a two-character unique sequence, based on the - original root name (i.e., the original filename minus its final - extension). The final extension is included in the hash calculation - only if it contains any upper case characters or is longer than three - characters. - - Note that the character to use may be specified using - the mangling char - option, if you don't like '~'. - - - - Files whose UNIX name begins with a dot will be - presented as DOS hidden files. The mangled name will be created as - for other filenames, but with the leading dot removed and "___" as - its extension regardless of actual original extension (that's three - underscores). - - - - The two-digit hash value consists of upper case alphanumeric characters. - - This algorithm can cause name collisions only if files - in a directory share the same first five alphanumeric characters. - The probability of such a clash is 1/1300. - - The name mangling (if enabled) allows a file to be - copied between UNIX directories from Windows/DOS while retaining - the long UNIX filename. UNIX files can be renamed to a new extension - from Windows/DOS and will retain the same basename. Mangled names - do not change between sessions. - -Default: mangled names = yes - - - - - -mangle prefixmangle prefix (G) - controls the number of prefix - characters from the original name used when generating - the mangled names. A larger value will give a weaker - hash and therefore more name collisions. The minimum - value is 1 and the maximum value is 6. - - - mangle prefix is effective only when mangling method is hash2. - - -Default: mangle prefix = 1 - - -Example: mangle prefix = 4 - - - - -mangling charmangling char (S) - This controls what character is used as - the magic character in name mangling. The - default is a '~' but this may interfere with some software. Use this option to set - it to whatever you prefer. This is effective only when mangling method is hash. - -Default: mangling char = ~ - - -Example: mangling char = ^ - - - - -mangling methodmangling method (G) - controls the algorithm used for the generating - the mangled names. Can take two different values, "hash" and - "hash2". "hash" is the algorithm that was used - used in Samba for many years and was the default in Samba 2.2.x "hash2" is - now the default and is newer and considered a better algorithm (generates less collisions) in - the names. Many Win32 applications store the mangled names and so - changing to algorithms must not be done lightly as these applications - may break unless reinstalled. - -Default: mangling method = hash2 - - -Example: mangling method = hash - - - - -map acl inheritmap acl inherit (S) - This boolean parameter controls whether smbd - 8 will attempt to map the 'inherit' and 'protected' - access control entry flags stored in Windows ACLs into an extended attribute - called user.SAMBA_PAI. This parameter only takes effect if Samba is being run - on a platform that supports extended attributes (Linux and IRIX so far) and - allows the Windows 2000 ACL editor to correctly use inheritance with the Samba - POSIX ACL mapping code. - - -Default: map acl inherit = no - - - - - -map archivemap archive (S) - This controls whether the DOS archive attribute - should be mapped to the UNIX owner execute bit. The DOS archive bit - is set when a file has been modified since its last backup. One - motivation for this option it to keep Samba/your PC from making - any file it touches from becoming executable under UNIX. This can - be quite annoying for shared source code, documents, etc... - - Note that this requires the create mask - parameter to be set such that owner execute bit is not masked out - (i.e. it must include 100). See the parameter - create mask for details. - -Default: map archive = yes - - - - - -map hiddenmap hidden (S) - This controls whether DOS style hidden files - should be mapped to the UNIX world execute bit. - - Note that this requires the create mask - to be set such that the world execute bit is not masked out (i.e. - it must include 001). See the parameter - create mask for details. - - -No default - - - -map systemmap system (S) - This controls whether DOS style system files - should be mapped to the UNIX group execute bit. - - Note that this requires the create mask - to be set such that the group execute bit is not masked out (i.e. - it must include 010). See the parameter - create mask for details. - -Default: map system = no - - - - - -map to guestmap to guest (G) - This parameter is only useful in - security modes other than security = share - - i.e. user, server, - and domain. - - This parameter can take three different values, which tell - smbd - 8 what to do with user - login requests that don't match a valid UNIX user in some way. - - The three settings are : - - - - Never - Means user login - requests with an invalid password are rejected. This is the - default. - - - - Bad User - Means user - logins with an invalid password are rejected, unless the username - does not exist, in which case it is treated as a guest login and - mapped into the - guest account. - - - - Bad Password - Means user logins - with an invalid password are treated as a guest login and mapped - into the guest account. Note that - this can cause problems as it means that any user incorrectly typing - their password will be silently logged on as "guest" - and - will not know the reason they cannot access files they think - they should - there will have been no message given to them - that they got their password wrong. Helpdesk services will - hate you if you set the map to - guest parameter this way :-). - - - - Note that this parameter is needed to set up "Guest" - share services when using security modes other than - share. This is because in these modes the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client so the server - cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares. - - For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the - GUEST_SESSSETUP value in local.h. - -Default: map to guest = Never - - -Example: map to guest = Bad User - - - - -max connectionsmax connections (S) - This option allows the number of simultaneous connections to a service to be limited. - If max connections is greater than 0 then connections - will be refused if this number of connections to the service are already open. A value - of zero mean an unlimited number of connections may be made. - - Record lock files are used to implement this feature. The lock files will be stored in - the directory specified by the - lock directory option. - -Default: max connections = 0 - - -Example: max connections = 10 - - - - -max disk sizemax disk size (G) - This option allows you to put an upper limit - on the apparent size of disks. If you set this option to 100 - then all shares will appear to be not larger than 100 MB in - size. - - Note that this option does not limit the amount of - data you can put on the disk. In the above case you could still - store much more than 100 MB on the disk, but if a client ever asks - for the amount of free disk space or the total disk size then the - result will be bounded by the amount specified in max - disk size. - - This option is primarily useful to work around bugs - in some pieces of software that can't handle very large disks, - particularly disks over 1GB in size. - - A max disk size of 0 means no limit. - -Default: max disk size = 0 - - -Example: max disk size = 1000 - - - - -max log sizemax log size (G) - This option (an integer in kilobytes) specifies - the max size the log file should grow to. Samba periodically checks - the size and if it is exceeded it will rename the file, adding - a .old extension. - -A size of 0 means no limit. - -Default: max log size = 5000 - -Default: max log size = 1000 - - - - - -max muxmax mux (G) - This option controls the maximum number of - outstanding simultaneous SMB operations that Samba tells the client - it will allow. You should never need to set this parameter. - -Default: max mux = 50 - - - - - -max open filesmax open files (G) - This parameter limits the maximum number of - open files that one smbd - 8 file - serving process may have open for a client at any one time. The - default for this parameter is set very high (10,000) as Samba uses - only one bit per unopened file. - - The limit of the number of open files is usually set - by the UNIX per-process file descriptor limit rather than - this parameter so you should never need to touch this parameter. - -Default: max open files = 10000 - - - - - -max print jobsmax print jobs (S) - This parameter limits the maximum number of - jobs allowable in a Samba printer queue at any given moment. - If this number is exceeded, smbd - 8 will remote "Out of Space" to the client. - - -Default: max print jobs = 1000 - - -Example: max print jobs = 5000 - - - - -protocolmax protocolprotocolThis parameter is a synonym for max protocol. -max protocolmax protocol (G) - The value of the parameter (a string) is the highest - protocol level that will be supported by the server. - - Possible values are : - - - CORE: Earliest version. No - concept of user names. - - - - COREPLUS: Slight improvements on - CORE for efficiency. - - - - LANMAN1: First - modern version of the protocol. Long filename - support. - - - - LANMAN2: Updates to Lanman1 protocol. - - - - NT1: Current up to date version of the protocol. - Used by Windows NT. Known as CIFS. - - - - Normally this option should not be set as the automatic - negotiation phase in the SMB protocol takes care of choosing - the appropriate protocol. - -Default: max protocol = NT1 - - -Example: max protocol = LANMAN1 - - - - -max reported print jobsmax reported print jobs (S) - This parameter limits the maximum number of - jobs displayed in a port monitor for Samba printer queue at any given - moment. If this number is exceeded, the excess jobs will not be shown. - A value of zero means there is no limit on the number of print - jobs reported. - -Default: max reported print jobs = 0 - - -Example: max reported print jobs = 1000 - - - - -max smbd processesmax smbd processes (G) - This parameter limits the maximum number of smbd - 8 processes concurrently running on a system and is intended - as a stopgap to prevent degrading service to clients in the event that the server has insufficient - resources to handle more than this number of connections. Remember that under normal operating - conditions, each user will have an smbd - 8 associated with him or her to handle connections to all - shares from a given host. - -Default: max smbd processes = 0 - - -Example: max smbd processes = 1000 - - - - -max stat cache sizemax stat cache size (G) - This parameter specifies the maximum amount of memory (in kilobytes) - smbd will use for the stat cache that speeds up case insensitive name mappings. - If set to zero (the default) there is no limit. Change this if your smbd processes - grow too large when servicing something like a back-up application. - -Default: max stat cache size = 0 - - - - - -max ttlmax ttl (G) - This option tells nmbd - 8 what the default 'time to live' - of NetBIOS names should be (in seconds) when nmbd is - requesting a name using either a broadcast packet or from a WINS server. You should - never need to change this parameter. The default is 3 days. - -Default: max ttl = 259200 - - - - - -max wins ttlmax wins ttl (G) - This option tells smbd - 8 when acting as a WINS server ( - wins support = yes) what the maximum - 'time to live' of NetBIOS names that nmbd - will grant will be (in seconds). You should never need to change this - parameter. The default is 6 days (518400 seconds). - -Default: max wins ttl = 518400 - - - - - -max xmitmax xmit (G) - This option controls the maximum packet size - that will be negotiated by Samba. The default is 65535, which - is the maximum. In some cases you may find you get better performance - with a smaller value. A value below 2048 is likely to cause problems. - - -Default: max xmit = 65535 - - -Example: max xmit = 8192 - - - - -message commandmessage command (G) - This specifies what command to run when the - server receives a WinPopup style message. - - This would normally be a command that would - deliver the message somehow. How this is to be done is - up to your imagination. - - An example is: - - message command = csh -c 'xedit %s;rm %s' & - - - This delivers the message using xedit, then - removes it afterwards. NOTE THAT IT IS VERY IMPORTANT - THAT THIS COMMAND RETURN IMMEDIATELY. That's why I - have the '&' on the end. If it doesn't return immediately then - your PCs may freeze when sending messages (they should recover - after 30 seconds, hopefully). - - All messages are delivered as the global guest user. - The command takes the standard substitutions, although - %u won't work (%U may be better - in this case). - - Apart from the standard substitutions, some additional - ones apply. In particular: - - - - %s = the filename containing - the message. - - - - %t = the destination that - the message was sent to (probably the server name). - - - - %f = who the message - is from. - - - - You could make this command send mail, or whatever else - takes your fancy. Please let us know of any really interesting - ideas you have. - - Here's a way of sending the messages as mail to root: - - message command = /bin/mail -s 'message from %f on - %m' root < %s; rm %s - - If you don't have a message command then the message - won't be delivered and Samba will tell the sender there was - an error. Unfortunately WfWg totally ignores the error code - and carries on regardless, saying that the message was delivered. - - - If you want to silently delete it then try: - - message command = rm %s - -Default: message command = - - -Example: message command = csh -c 'xedit %s; rm %s' & - - - - -min passwd lengthmin password lengthmin passwd lengthThis parameter is a synonym for min password length. -min password lengthmin password length (G) - This option sets the minimum length in characters of a - plaintext password that smbd will - accept when performing UNIX password changing. - -Default: min password length = 5 - - - - - -min print spacemin print space (S) - This sets the minimum amount of free disk - space that must be available before a user will be able to spool - a print job. It is specified in kilobytes. The default is 0, which - means a user can always spool a print job. - -Default: min print space = 0 - - -Example: min print space = 2000 - - - - -min protocolmin protocol (G) - The value of the parameter (a string) is the - lowest SMB protocol dialect than Samba will support. Please refer - to the max protocol - parameter for a list of valid protocol names and a brief description - of each. You may also wish to refer to the C source code in - source/smbd/negprot.c for a listing of known protocol - dialects supported by clients. - - If you are viewing this parameter as a security measure, you should - also refer to the lanman - auth parameter. Otherwise, you should never need - to change this parameter. - -Default: min protocol = CORE - - -Example: min protocol = NT1 - - - - -min wins ttlmin wins ttl (G) - This option tells nmbd - 8 - when acting as a WINS server ( - wins support = yes) what the minimum 'time to live' - of NetBIOS names that nmbd will grant will be (in - seconds). You should never need to change this parameter. The default - is 6 hours (21600 seconds). - -Default: min wins ttl = 21600 - - - - - -msdfs proxymsdfs proxy (S) - This parameter indicates that the share is a - stand-in for another CIFS share whose location is specified by - the value of the parameter. When clients attempt to connect to - this share, they are redirected to the proxied share using - the SMB-Dfs protocol. - - Only Dfs roots can act as proxy shares. Take a look at the - msdfs root - and host msdfs - options to find out how to set up a Dfs root share. - -No default -Example: msdfs proxy = \otherserver\someshare - - - - -msdfs rootmsdfs root (S) - If set to yes, Samba treats the - share as a Dfs root and allows clients to browse the - distributed file system tree rooted at the share directory. - Dfs links are specified in the share directory by symbolic - links of the form msdfs:serverA\\shareA,serverB\\shareB - and so on. For more information on setting up a Dfs tree on - Samba, refer to . - -Default: msdfs root = no - - - - - -name cache timeoutname cache timeout (G) - Specifies the number of seconds it takes before - entries in samba's hostname resolve cache time out. If - the timeout is set to 0. the caching is disabled. - - -Default: name cache timeout = 660 - - -Example: name cache timeout = 0 - - - - -name resolve ordername resolve order (G) - This option is used by the programs in the Samba - suite to determine what naming services to use and in what order - to resolve host names to IP addresses. Its main purpose to is to - control how netbios name resolution is performed. The option takes a space - separated string of name resolution options. - - The options are: "lmhosts", "host", - "wins" and "bcast". They cause names to be - resolved as follows: - - - - lmhosts : Lookup an IP - address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see the lmhosts(5) for details) then - any name type matches for lookup. - - - - host : Do a standard host - name to IP address resolution, using the system /etc/hosts - , NIS, or DNS lookups. This method of name resolution - is operating system depended for instance on IRIX or Solaris this - may be controlled by the /etc/nsswitch.conf - file. Note that this method is used only if the NetBIOS name - type being queried is the 0x20 (server) name type or 0x1c (domain controllers). - The latter case is only useful for active directory domains and results in a DNS - query for the SRV RR entry matching _ldap._tcp.domain. - - - - wins : Query a name with - the IP address listed in the - wins server parameter. If no WINS server has - been specified this method will be ignored. - - - - bcast : Do a broadcast on - each of the known local interfaces listed in the interfaces - parameter. This is the least reliable of the name resolution - methods as it depends on the target host being on a locally - connected subnet. - - - - The example below will cause the local lmhosts file to be examined - first, followed by a broadcast attempt, followed by a normal - system hostname lookup. - - When Samba is functioning in ADS security mode (security = ads) - it is advised to use following settings for name resolve order: - - name resolve order = wins bcast - - DC lookups will still be done via DNS, but fallbacks to netbios names will - not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups. - - -Default: name resolve order = lmhosts host wins bcast - - -Example: name resolve order = lmhosts bcast host - - - - -netbios aliasesnetbios aliases (G) - This is a list of NetBIOS names that nmbd will - advertise as additional names by which the Samba server is known. This allows one machine - to appear in browse lists under multiple names. If a machine is acting as a browse server - or logon server none of these names will be advertised as either browse server or logon - servers, only the primary name of the machine will be advertised with these capabilities. - - -Default: netbios aliases = -# empty string (no additional names) - - -Example: netbios aliases = TEST TEST1 TEST2 - - - - -netbios namenetbios name (G) - This sets the NetBIOS name by which a Samba - server is known. By default it is the same as the first component - of the host's DNS name. If a machine is a browse server or - logon server this name (or the first component - of the hosts DNS name) will be the name that these services are - advertised under. - -Default: netbios name = -# machine DNS name - - -Example: netbios name = MYNAME - - - - -netbios scopenetbios scope (G) - This sets the NetBIOS scope that Samba will - operate under. This should not be set unless every machine - on your LAN also sets this value. - -Default: netbios scope = - - - - - -nis homedirnis homedir (G) - Get the home share server from a NIS map. For - UNIX systems that use an automounter, the user's home directory - will often be mounted on a workstation on demand from a remote - server. - - When the Samba logon server is not the actual home directory - server, but is mounting the home directories via NFS then two - network hops would be required to access the users home directory - if the logon server told the client to use itself as the SMB server - for home directories (one over SMB and one over NFS). This can - be very slow. - - This option allows Samba to return the home share as - being on a different server to the logon server and as - long as a Samba daemon is running on the home directory server, - it will be mounted on the Samba client directly from the directory - server. When Samba is returning the home share to the client, it - will consult the NIS map specified in - homedir map and return the server - listed there. - - Note that for this option to work there must be a working - NIS system and the Samba server with this option must also - be a logon server. - -Default: nis homedir = no - - - - - -nt acl supportnt acl support (S) - This boolean parameter controls whether smbd - 8 will attempt to map - UNIX permissions into Windows NT access control lists. - This parameter was formally a global parameter in releases - prior to 2.2.2. - -Default: nt acl support = yes - - - - - -ntlm authntlm auth (G) - This parameter determines whether or not smbd - 8 will attempt to - authenticate users using the NTLM encrypted password response. - If disabled, either the lanman password hash or an NTLMv2 response - will need to be sent by the client. - - If this option, and lanman - auth are both disabled, then only NTLMv2 logins will be - permited. Not all clients support NTLMv2, and most will require - special configuration to us it. - -Default: ntlm auth = yes - - - - - -nt pipe supportnt pipe support (G) - This boolean parameter controls whether - smbd - 8 will allow Windows NT - clients to connect to the NT SMB specific IPC$ - pipes. This is a developer debugging option and can be left - alone. - -Default: nt pipe support = yes - - - - - -nt status supportnt status support (G) - This boolean parameter controls whether smbd - 8 will negotiate NT specific status - support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. - If this option is set to no then Samba offers - exactly the same DOS error codes that versions prior to Samba 2.2.3 - reported. - - You should not need to ever disable this parameter. - -Default: nt status support = yes - - - - - -null passwordsnull passwords (G) - Allow or disallow client access to accounts that have null passwords. - - See also smbpasswd - 5. - -Default: null passwords = no - - - - - -obey pam restrictionsobey pam restrictions (G) - When Samba 3.0 is configured to enable PAM support - (i.e. --with-pam), this parameter will control whether or not Samba - should obey PAM's account and session management directives. The - default behavior is to use PAM for clear text authentication only - and to ignore any account or session management. Note that Samba - always ignores PAM for authentication in the case of - encrypt passwords = yes. The reason - is that PAM modules cannot support the challenge/response - authentication mechanism needed in the presence of SMB password encryption. - - -Default: obey pam restrictions = no - - - - - -only useronly user (S) - This is a boolean option that controls whether - connections with usernames not in the user - list will be allowed. By default this option is disabled so that a - client can supply a username to be used by the server. Enabling - this parameter will force the server to only use the login - names from the user list and is only really - useful in share level - security. - - Note that this also means Samba won't try to deduce - usernames from the service name. This can be annoying for - the [homes] section. To get around this you could use user = - %S which means your user list - will be just the service name, which for home directories is the - name of the user. - -Default: only user = no - - - - - -oplock break wait timeoplock break wait time (G) - This is a tuning parameter added due to bugs in - both Windows 9x and WinNT. If Samba responds to a client too - quickly when that client issues an SMB that can cause an oplock - break request, then the network client can fail and not respond - to the break request. This tuning parameter (which is set in milliseconds) - is the amount of time Samba will wait before sending an oplock break - request to such (broken) clients. - - DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND - UNDERSTOOD THE SAMBA OPLOCK CODE. - -Default: oplock break wait time = 0 - - - - - -oplock contention limitoplock contention limit (S) - This is a very advanced - smbd - 8 tuning option to - improve the efficiency of the granting of oplocks under multiple - client contention for the same file. - - In brief it specifies a number, which causes smbd - 8not to grant an oplock even when requested - if the approximate number of clients contending for an oplock on the same file goes over this - limit. This causes smbd to behave in a similar - way to Windows NT. - -DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ - AND UNDERSTOOD THE SAMBA OPLOCK CODE. - - -Default: oplock contention limit = 2 - - - - - -oplocksoplocks (S) - This boolean option tells smbd whether to - issue oplocks (opportunistic locks) to file open requests on this - share. The oplock code can dramatically (approx. 30% or more) improve - the speed of access to files on Samba servers. It allows the clients - to aggressively cache files locally and you may want to disable this - option for unreliable network environments (it is turned on by - default in Windows NT Servers). For more information see the file - Speed.txt in the Samba docs/ - directory. - - Oplocks may be selectively turned off on certain files with a - share. See the - veto oplock files parameter. On some systems - oplocks are recognized by the underlying operating system. This - allows data synchronization between all access to oplocked files, - whether it be via Samba or NFS or a local UNIX process. See the - kernel oplocks parameter for details. - -Default: oplocks = yes - - - - - -os2 driver mapos2 driver map (G) - The parameter is used to define the absolute - path to a file containing a mapping of Windows NT printer driver - names to OS/2 printer driver names. The format is: - - <nt driver name> = <os2 driver name>.<device name> - - For example, a valid entry using the HP LaserJet 5 - printer driver would appear as HP LaserJet 5L = LASERJET.HP - LaserJet 5L. - - The need for the file is due to the printer driver namespace - problem described in . For more details on OS/2 clients, please - refer to . - -Default: os2 driver map = - - - - - -os levelos level (G) - This integer value controls what level Samba - advertises itself as for browse elections. The value of this - parameter determines whether nmbd - 8 - has a chance of becoming a local master browser for the - WORKGROUP in the local broadcast area. - - Note :By default, Samba will win - a local master browsing election over all Microsoft operating - systems except a Windows NT 4.0/2000 Domain Controller. This - means that a misconfigured Samba host can effectively isolate - a subnet for browsing purposes. See BROWSING.txt - in the Samba docs/ directory - for details. - -Default: os level = 20 - - -Example: os level = 65 - - - - -pam password changepam password change (G) - With the addition of better PAM support in Samba 2.2, - this parameter, it is possible to use PAM's password change control - flag for Samba. If enabled, then PAM will be used for password - changes when requested by an SMB client instead of the program listed in - passwd program. - It should be possible to enable this without changing your - passwd chat - parameter for most setups. - -Default: pam password change = no - - - - - -panic actionpanic action (G) - This is a Samba developer option that allows a - system command to be called when either smbd - 8 or smbd - 8 crashes. This is usually used to -draw attention to the fact that a problem occurred. - -Default: panic action = - - -Example: panic action = "/bin/sleep 90000" - - - - -paranoid server securityparanoid server security (G) - Some version of NT 4.x allow non-guest - users with a bad passowrd. When this option is enabled, samba will not - use a broken NT 4.x server as password server, but instead complain - to the logs and exit. - - - Disabling this option prevents Samba from making - this check, which involves deliberatly attempting a - bad logon to the remote server. - -Default: paranoid server security = yes - - - - - -passdb backendpassdb backend (G) - - This option allows the administrator to chose which backends - to retrieve and store passwords with. This allows (for example) both - smbpasswd and tdbsam to be used without a recompile. Multiple - backends can be specified, separated by spaces. The backends will be - searched in the order they are specified. New users are always added - to the first backend specified. - - This parameter is in two parts, the backend's name, and a 'location' - string that has meaning only to that particular backed. These are separated - by a : character. - - Available backends can include: - - - smbpasswd - The default smbpasswd - backend. Takes a path to the smbpasswd file as an optional argument. - - - - - tdbsam - The TDB based password storage - backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the - private dir directory. - - - - ldapsam - The LDAP based passdb - backend. Takes an LDAP URL as an optional argument (defaults to - ldap://localhost) - - LDAP connections should be secured where possible. This may be done using either - Start-TLS (see ldap ssl) or by - specifying ldaps:// in - the URL argument. - - Multiple servers may also be specified in double-quotes, if your - LDAP libraries supports the LDAP URL notation. - (OpenLDAP does). - - - - - - nisplussam - - The NIS+ based passdb backend. Takes name NIS domain as - an optional argument. Only works with sun NIS+ servers. - - - - - mysql - - The MySQL based passdb backend. Takes an identifier as - argument. Read the Samba HOWTO Collection for configuration - details. - - - - - -Default: passdb backend = smbpasswd - - -Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd - -Example: passdb backend = ldapsam:ldaps://ldap.example.com - -Example: passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com" - -Example: passdb backend = mysql:my_plugin_args tdbsam - - - - -passwd chatpasswd chat (G) - This string controls the "chat" - conversation that takes places between smbd - 8 and the local password changing - program to change the user's password. The string describes a - sequence of response-receive pairs that smbd - 8 uses to determine what to send to the - passwd program - and what to expect back. If the expected output is not - received then the password is not changed. - - This chat sequence is often quite site specific, depending - on what local methods are used for password control (such as NIS - etc). - - Note that this parameter only is only used if the unix password sync - parameter is set to yes. This sequence is - then called AS ROOT when the SMB password in the - smbpasswd file is being changed, without access to the old password - cleartext. This means that root must be able to reset the user's password without - knowing the text of the previous password. In the presence of - NIS/YP, this means that the passwd program must - be executed on the NIS master. - - - - The string can contain the macro %n which is substituted - for the new password. The chat sequence can also contain the standard - macros \n, \r, \t and \s to - give line-feed, carriage-return, tab and space. The chat sequence string can also contain - a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces - in them into a single string. - - If the send string in any part of the chat sequence is a full - stop ".", then no string is sent. Similarly, if the - expect string is a full stop then no string is expected. - - If the pam - password change parameter is set to yes, the chat pairs - may be matched in any order, and success is determined by the PAM result, - not any particular output. The \n macro is ignored for PAM conversions. - - - -Default: passwd chat = *new*password* %n\n*new*password* %n\n *changed* - - -Example: passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" - - - - -passwd chat debugpasswd chat debug (G) - This boolean specifies if the passwd chat script - parameter is run in debug mode. In this mode the - strings passed to and received from the passwd chat are printed - in the smbd - 8 log with a - debug level - of 100. This is a dangerous option as it will allow plaintext passwords - to be seen in the smbd log. It is available to help - Samba admins debug their passwd chat scripts - when calling the passwd program and should - be turned off after this has been done. This option has no effect if the - pam password change - paramter is set. This parameter is off by default. - -Default: passwd chat debug = no - - - - - -passwd chat timeoutpasswd chat timeout (G) - This integer specifies the number of seconds smbd will wait for an initial - answer from a passwd chat script being run. Once the initial answer is received - the subsequent answers must be received in one tenth of this time. The default it - two seconds. - -Default: passwd chat timeout = 2 - - - - - -passwd programpasswd program (G) - The name of a program that can be used to set - UNIX user passwords. Any occurrences of %u - will be replaced with the user name. The user name is checked for - existence before calling the password changing program. - - Also note that many passwd programs insist in reasonable - passwords, such as a minimum length, or the inclusion - of mixed case chars and digits. This can pose a problem as some clients - (such as Windows for Workgroups) uppercase the password before sending - it. - - Note that if the unix - password sync parameter is set to yes - then this program is called AS ROOT - before the SMB password in the smbpasswd - file is changed. If this UNIX password change fails, then - smbd will fail to change the SMB password also - (this is by design). - - If the unix password sync parameter - is set this parameter MUST USE ABSOLUTE PATHS - for ALL programs called, and must be examined - for security implications. Note that by default unix - password sync is set to no. - -Default: passwd program = - - -Example: passwd program = /bin/passwd %u - - - - -password levelpassword level (G) - Some client/server combinations have difficulty - with mixed-case passwords. One offending client is Windows for - Workgroups, which for some reason forces passwords to upper - case when using the LANMAN1 protocol, but leaves them alone when - using COREPLUS! Another problem child is the Windows 95/98 - family of operating systems. These clients upper case clear - text passwords even when NT LM 0.12 selected by the protocol - negotiation request/response. - - This parameter defines the maximum number of characters - that may be upper case in passwords. - - For example, say the password given was "FRED". If - password level is set to 1, the following combinations - would be tried if "FRED" failed: - - "Fred", "fred", "fRed", "frEd","freD" - - If password level was set to 2, - the following combinations would also be tried: - - "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. - - And so on. - - The higher value this parameter is set to the more likely - it is that a mixed case password will be matched against a single - case password. However, you should be aware that use of this - parameter reduces security and increases the time taken to - process a new connection. - - A value of zero will cause only two attempts to be - made - the password as is and the password in all-lower case. - - This parameter is used only when using plain-text passwords. It is - not at all used when encrypted passwords as in use (that is the default - since samba-3.0.0). Use this only when - encrypt passwords = No. - -Default: password level = 0 - - -Example: password level = 4 - - - - -password serverpassword server (G) - By specifying the name of another SMB server - or Active Directory domain controller with this option, - and using security = [ads|domain|server] - it is possible to get Samba to - to do all its username/password validation using a specific remote server. - - This option sets the name or IP address of the password server to use. - New syntax has been added to support defining the port to use when connecting - to the server the case of an ADS realm. To define a port other than the - default LDAP port of 389, add the port number using a colon after the - name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, - Samba will use the standard LDAP port of tcp/389. Note that port numbers - have no effect on password servers for Windows NT 4.0 domains or netbios - connections. - - If parameter is a name, it is looked up using the - parameter name - resolve order and so may resolved - by any method and order described in that parameter. - - The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode. - - Using a password server means your UNIX box (running - Samba) is only as secure as your password server. DO NOT - CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. - - - Never point a Samba server at itself for password serving. - This will cause a loop and could lock up your Samba server! - - The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow! - - If the security parameter is set to - domain or ads, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is effectively - in that domain, and will use cryptographically authenticated RPC calls - to authenticate the user logging on. The advantage of using - security = domain is that if you list several hosts in the - password server option then smbd - will try each in turn till it finds one that responds. This - is useful in case your primary server goes down. - - If the password server option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C> - and then contacting each server returned in the list of IP - addresses from the name resolution source. - - If the list of servers contains both names/IP's and the '*' - character, the list is treated as a list of preferred - domain controllers, but an auto lookup of all remaining DC's - will be added to the list as well. Samba will not attempt to optimize - this list by locating the closest DC. - - If the security parameter is - set to server, then there are different - restrictions that security = domain doesn't - suffer from: - - - - You may list several password servers in - the password server parameter, however if an - smbd makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this smbd. This is a - restriction of the SMB/CIFS protocol when in security = server - mode and cannot be fixed in Samba. - - - - If you are using a Windows NT server as your - password server then you will have to ensure that your users - are able to login from the Samba server, as when in - security = server mode the network logon will appear to - come from there rather than from the users workstation. - - - -Default: password server = - - -Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * - -Example: password server = windc.mydomain.com:389 192.168.1.101 * - -Example: password server = * - - - - -directorypathdirectoryThis parameter is a synonym for path. -pathpath (S) - This parameter specifies a directory to which - the user of the service is to be given access. In the case of - printable services, this is where print data will spool prior to - being submitted to the host for printing. - - For a printable service offering guest access, the service - should be readonly and the path should be world-writeable and - have the sticky bit set. This is not mandatory of course, but - you probably won't get the results you expect if you do - otherwise. - - Any occurrences of %u in the path - will be replaced with the UNIX username that the client is using - on this connection. Any occurrences of %m - will be replaced by the NetBIOS name of the machine they are - connecting from. These replacements are very useful for setting - up pseudo home directories for users. - - Note that this path will be based on - root dir if one was specified. - -Default: path = - - -Example: path = /home/fred - - - - -pid directorypid directory (G) - This option specifies the directory where pid - files will be placed. - -Default: pid directory = ${prefix}/var/locks - - -Example: pid directory = pid directory = /var/run/ - - - - -posix lockingposix locking (S) - The smbd - 8 - daemon maintains an database of file locks obtained by SMB clients. - The default behavior is to map this internal database to POSIX - locks. This means that file locks obtained by SMB clients are - consistent with those seen by POSIX compliant applications accessing - the files via a non-SMB method (e.g. NFS or local file access). - You should never need to disable this parameter. - -Default: posix locking = yes - - - - - -postexecpostexec (S) - This option specifies a command to be run - whenever the service is disconnected. It takes the usual - substitutions. The command may be run as the root on some - systems. - - An interesting example may be to unmount server - resources: - -postexec = /etc/umount /cdrom - -Default: postexec = - - -Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log - - - - -execpreexecexecThis parameter is a synonym for preexec. -preexecpreexec (S) - This option specifies a command to be run whenever - the service is connected to. It takes the usual substitutions. - - An interesting example is to send the users a welcome - message every time they log in. Maybe a message of the day? Here - is an example: - - preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & - - Of course, this could get annoying after a while :-) - - See also preexec close and postexec - . - -Default: preexec = - - -Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log - - - - -preexec closepreexec close (S) - This boolean option controls whether a non-zero - return code from preexec - should close the service being connected to. - -Default: preexec close = no - - - - - -prefered masterpreferred masterprefered masterThis parameter is a synonym for preferred master. -preferred masterpreferred master (G) - This boolean parameter controls if - nmbd - 8 is a preferred master - browser for its workgroup. - - If this is set to yes, on startup, nmbd - will force an election, and it will have a slight advantage in - winning the election. It is recommended that this parameter is - used in conjunction with - domain master = yes, so - that nmbd can guarantee becoming a domain master. - - Use this option with caution, because if there are several - hosts (whether Samba servers, Windows 95 or NT) that are - preferred master browsers on the same subnet, they will each - periodically and continuously attempt to become the local - master browser. This will result in unnecessary broadcast - traffic and reduced browsing capabilities. - -Default: preferred master = auto - - - - - -auto servicespreloadauto servicesThis parameter is a synonym for preload. -preloadpreload (G) - This is a list of services that you want to be - automatically added to the browse lists. This is most useful - for homes and printers services that would otherwise not be - visible. - - Note that if you just want all printers in your - printcap file loaded then the - load printers option is easier. - -Default: preload = - - -Example: preload = fred lp colorlp - - - - -preload modulespreload modules (G) - This is a list of paths to modules that should - be loaded into smbd before a client connects. This improves - the speed of smbd when reacting to new connections somewhat. - -Default: preload modules = - - -Example: preload modules = /usr/lib/samba/passdb/mysql.so - - - - -preserve casepreserve case (S) - This controls if new filenames are created - with the case that the client passes, or if they are forced to - be the default case - . - See the section on NAME MANGLING for a fuller discussion. - -Default: preserve case = yes - - - - - -print okprintableprint okThis parameter is a synonym for printable. -printableprintable (S) - If this parameter is yes, then - clients may open, write to and submit spool files on the directory - specified for the service. - - Note that a printable service will ALWAYS allow writing - to the service path (user privileges permitting) via the spooling - of print data. The read only - parameter controls only non-printing access to - the resource. - -Default: printable = no - - - - - -printcap cache timeprintcap cache time (G) - This option specifies the number of seconds before the printing - subsystem is again asked for the known printers. If the value - is greater than 60 the initial waiting time is set to 60 seconds - to allow an earlier first rescan of the printing subsystem. - - - Setting this parameter to 0 (the default) disables any - rescanning for new or removed printers after the initial startup. - - -Default: printcap cache time = 0 - - -Example: printcap cache time = 600 - - - - -printcapprintcap nameprintcapThis parameter is a synonym for printcap name. -printcap nameprintcap name (S) - This parameter may be used to override the - compiled-in default printcap name used by the server (usually - /etc/printcap). See the discussion of the [printers] section above for reasons - why you might want to do this. - - To use the CUPS printing interface set printcap name = cups - . This should be supplemented by an addtional setting - printing = cups in the [global] - section. printcap name = cups will use the - "dummy" printcap created by CUPS, as specified in your CUPS - configuration file. - - - On System V systems that use lpstat to - list available printers you can use printcap name = lpstat - to automatically obtain lists of available printers. This - is the default for systems that define SYSV at configure time in - Samba (this includes most System V based systems). If - printcap name is set to lpstat on - these systems then Samba will launch lpstat -v and - attempt to parse the output to obtain a printer list. - - A minimal printcap file would look something like this: - - -print1|My Printer 1 -print2|My Printer 2 -print3|My Printer 3 -print4|My Printer 4 -print5|My Printer 5 - - - where the '|' separates aliases of a printer. The fact - that the second alias has a space in it gives a hint to Samba - that it's a comment. - - Under AIX the default printcap - name is /etc/qconfig. Samba will assume the - file is in AIX qconfig format if the string - qconfig appears in the printcap filename. - -Default: printcap name = /etc/printcap - - -Example: printcap name = /etc/myprintcap - - - - -print commandprint command (S) - After a print job has finished spooling to - a service, this command will be used via a system() - call to process the spool file. Typically the command specified will - submit the spool file to the host's printing subsystem, but there - is no requirement that this be the case. The server will not remove - the spool file, so whatever command you specify should remove the - spool file when it has been processed, otherwise you will need to - manually remove old spool files. - - The print command is simply a text string. It will be used - verbatim after macro substitutions have been made: - - %s, %f - the path to the spool - file name - - %p - the appropriate printer - name - - %J - the job - name as transmitted by the client. - - %c - The number of printed pages - of the spooled job (if known). - - %z - the size of the spooled - print job (in bytes) - - The print command MUST contain at least - one occurrence of %s or %f - - the %p is optional. At the time - a job is submitted, if no printer name is supplied the %p - will be silently removed from the printer command. - - If specified in the [global] section, the print command given - will be used for any printable service that does not have its own - print command specified. - - If there is neither a specified print command for a - printable service nor a global print command, spool files will - be created but not processed and (most importantly) not removed. - - Note that printing may fail on some UNIXes from the - nobody account. If this happens then create - an alternative guest account that can print and set the - guest account - in the [global] section. - - You can form quite complex print commands by realizing - that they are just passed to a shell. For example the following - will log a print job, print the file, then remove it. Note that - ';' is the usual separator for command in shell scripts. - - print command = echo Printing %s >> - /tmp/print.log; lpr -P %p %s; rm %s - - You may have to vary this command considerably depending - on how you normally print files on your system. The default for - the parameter varies depending on the setting of the - printing parameter. - - Default: For printing = BSD, AIX, QNX, LPRNG - or PLP : - print command = lpr -r -P%p %s - - For printing = SYSV or HPUX : - print command = lp -c -d%p %s; rm %s - - For printing = SOFTQ : - print command = lp -d%p -s %s; rm %s - - For printing = CUPS : If SAMBA is compiled against - libcups, then printcap = cups - uses the CUPS API to - submit jobs, etc. Otherwise it maps to the System V - commands with the -oraw option for printing, i.e. it - uses lp -c -d%p -oraw; rm %s. - With printing = cups, - and if SAMBA is compiled against libcups, any manually - set print command will be ignored. - -No default -Example: print command = /usr/local/samba/bin/myprintscript %p %s - - - - -printer adminprinter admin (S) - - This lists users who can do anything to printers - via the remote administration interfaces offered - by MS-RPC (usually using a NT workstation). - This parameter can be set per-share or globally. - Note: The root user always has admin rights. Use - caution with use in the global stanza as this can - cause side effects. - - -Default: printer admin = - - -Example: printer admin = admin, @staff - - - - -printerprinter nameprinterThis parameter is a synonym for printer name. -printer nameprinter name (S) - This parameter specifies the name of the printer - to which print jobs spooled through a printable service will be sent. - - If specified in the [global] section, the printer - name given will be used for any printable service that does - not have its own printer name specified. - -Default: printer name = -# none (but may be lp on many systems) - - -Example: printer name = laserwriter - - - - -printingprinting (S) - This parameters controls how printer status information is - interpreted on your system. It also affects the default values for - the print command, lpq command, lppause command , lpresume command, and lprm command if specified in the - [global] section. - - Currently nine printing styles are supported. They are - BSD, AIX, - LPRNG, PLP, - SYSV, HPUX, - QNX, SOFTQ, - and CUPS. - - To see what the defaults are for the other print - commands when using the various options use the testparm - 1 program. - - This option can be set on a per printer basis. Please be - aware however, that you must place any of the various printing - commands (e.g. print command, lpq command, etc...) after defining - the value for the printing option since it will - reset the printing commands to default values. - - See also the discussion in the - [printers] section. - -No default - - - -private dirprivate dir (G) - This parameters defines the directory - smbd will use for storing such files as smbpasswd - and secrets.tdb. - - -Default: private dir = ${prefix}/private - - - - - -profile aclsprofile acls (S) - - This boolean parameter was added to fix the problems that people have been - having with storing user profiles on Samba shares from Windows 2000 or - Windows XP clients. New versions of Windows 2000 or Windows XP service - packs do security ACL checking on the owner and ability to write of the - profile directory stored on a local workstation when copied from a Samba - share. - - -When not in domain mode with winbindd then the security info copied - onto the local workstation has no meaning to the logged in user (SID) on - that workstation so the profile storing fails. Adding this parameter - onto a share used for profile storage changes two things about the - returned Windows ACL. Firstly it changes the owner and group owner - of all reported files and directories to be BUILTIN\\Administrators, - BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly - it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to - every returned ACL. This will allow any Windows 2000 or XP workstation - user to access the profile. - - Note that if you have multiple users logging - on to a workstation then in order to prevent them from being able to access - each others profiles you must remove the "Bypass traverse checking" advanced - user right. This will prevent access to other users profile directories as - the top level profile directory (named after the user) is created by the - workstation profile code and has an ACL restricting entry to the directory - tree to the owning user. - - -Default: profile acls = no - - - - - -queuepause commandqueuepause command (S) - This parameter specifies the command to be - executed on the server host in order to pause the printer queue. - - This command should be a program or script which takes - a printer name as its only parameter and stops the printer queue, - such that no longer jobs are submitted to the printer. - - This command is not supported by Windows for Workgroups, - but can be issued from the Printers window under Windows 95 - and NT. - - If a %p is given then the printer name - is put in its place. Otherwise it is placed at the end of the command. - - - Note that it is good practice to include the absolute - path in the command as the PATH may not be available to the - server. - -No default -Example: queuepause command = disable %p - - - - -queueresume commandqueueresume command (S) - This parameter specifies the command to be - executed on the server host in order to resume the printer queue. It - is the command to undo the behavior that is caused by the - previous parameter ( - queuepause command). - - This command should be a program or script which takes - a printer name as its only parameter and resumes the printer queue, - such that queued jobs are resubmitted to the printer. - - This command is not supported by Windows for Workgroups, - but can be issued from the Printers window under Windows 95 - and NT. - - If a %p is given then the printer name - is put in its place. Otherwise it is placed at the end of the - command. - - Note that it is good practice to include the absolute - path in the command as the PATH may not be available to the - server. - -Default: queueresume command = - - -Example: queueresume command = enable %p - - - - -read bmpxread bmpx (G) - This boolean parameter controls whether - smbd - 8 will support the "Read - Block Multiplex" SMB. This is now rarely used and defaults to - no. You should never need to set this - parameter. - -Default: read bmpx = no - - - - - -read listread list (S) - This is a list of users that are given read-only - access to a service. If the connecting user is in this list then - they will not be given write access, no matter what the - read only - option is set to. The list can include group names using the - syntax described in the - invalid users parameter. - - This parameter will not work with the - security = share in - Samba 3.0. This is by design. - -Default: read list = - - -Example: read list = mary, @students - - - - -read onlyread only (S) - An inverted synonym is - writeable. - - If this parameter is yes, then users - of a service may not create or modify files in the service's - directory. - - Note that a printable service (printable = yes) - will ALWAYS allow writing to the directory - (user privileges permitting), but only via spooling operations. - -Default: read only = yes - - - - - -read rawread raw (G) - This parameter controls whether or not the server - will support the raw read SMB requests when transferring data - to clients. - - If enabled, raw reads allow reads of 65535 bytes in - one packet. This typically provides a major performance benefit. - - - However, some clients either negotiate the allowable - block size incorrectly or are incapable of supporting larger block - sizes, and for these clients you may need to disable raw reads. - -In general this parameter should be viewed as a system tuning - tool and left severely alone. - -Default: read raw = yes - - - - - -realmrealm (G) - This option specifies the kerberos realm to use. The realm is - used as the ADS equivalent of the NT4 domain. It - is usually set to the DNS name of the kerberos server. - - -Default: realm = - - -Example: realm = mysambabox.mycompany.com - - - - -remote announceremote announce (G) - This option allows you to setup nmbd - 8to periodically announce itself - to arbitrary IP addresses with an arbitrary workgroup name. - - This is useful if you want your Samba server to appear - in a remote workgroup for which the normal browse propagation - rules don't work. The remote workgroup can be anywhere that you - can send IP packets to. - - For example: - - remote announce = 192.168.2.255/SERVERS - 192.168.4.255/STAFF - - the above line would cause nmbd to announce itself - to the two given IP addresses using the given workgroup names. - If you leave out the workgroup name then the one given in - the workgroup - parameter is used instead. - - The IP addresses you choose would normally be the broadcast - addresses of the remote networks, but can also be the IP addresses - of known browse masters if your network config is that stable. - -See . - -Default: remote announce = - - - - - -remote browse syncremote browse sync (G) - This option allows you to setup nmbd - 8 to periodically request - synchronization of browse lists with the master browser of a Samba - server that is on a remote segment. This option will allow you to - gain browse lists for multiple workgroups across routed networks. This - is done in a manner that does not work with any non-Samba servers. - - This is useful if you want your Samba server and all local - clients to appear in a remote workgroup for which the normal browse - propagation rules don't work. The remote workgroup can be anywhere - that you can send IP packets to. - - For example: - - remote browse sync = 192.168.2.255 192.168.4.255 - - the above line would cause nmbd to request - the master browser on the specified subnets or addresses to - synchronize their browse lists with the local server. - - The IP addresses you choose would normally be the broadcast - addresses of the remote networks, but can also be the IP addresses - of known browse masters if your network config is that stable. If - a machine IP address is given Samba makes NO attempt to validate - that the remote machine is available, is listening, nor that it - is in fact the browse master on its segment. - -Default: remote browse sync = - - - - - -restrict anonymousrestrict anonymous (G) - The setting of this parameter determines whether user and - group list information is returned for an anonymous connection. - and mirrors the effects of the - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous registry key in Windows - 2000 and Windows NT. When set to 0, user and group list - information is returned to anyone who asks. When set - to 1, only an authenticated user can retrive user and - group list information. For the value 2, supported by - Windows 2000/XP and Samba, no anonymous connections are allowed at - all. This can break third party and Microsoft - applications which expect to be allowed to perform - operations anonymously. - - - The security advantage of using restrict anonymous = 1 is dubious, - as user and group list information can be obtained using other - means. - - - - - The security advantage of using restrict anonymous = 2 is removed - by setting guest - ok = yes on any share. - - - -Default: restrict anonymous = 0 - - - - - -rootroot directoryrootThis parameter is a synonym for root directory. -root dirroot directoryroot dirThis parameter is a synonym for root directory. -root directoryroot directory (G) - The server will chroot() (i.e. - Change its root directory) to this directory on startup. This is - not strictly necessary for secure operation. Even without it the - server will deny access to files not in one of the service entries. - It may also check for, and deny access to, soft links to other - parts of the filesystem, or attempts to use ".." in file names - to access other directories (depending on the setting of the - wide links - parameter). - - - Adding a root directory entry other - than "/" adds an extra level of security, but at a price. It - absolutely ensures that no access is given to files not in the - sub-tree specified in the root directory - option, including some files needed for - complete operation of the server. To maintain full operability - of the server you will need to mirror some system files - into the root directory tree. In particular - you will need to mirror /etc/passwd (or a - subset of it), and any binaries or configuration files needed for - printing (if required). The set of files that must be mirrored is - operating system dependent. - -Default: root directory = / - - -Example: root directory = /homes/smb - - - - -root postexecroot postexec (S) - This is the same as the postexec - parameter except that the command is run as root. This - is useful for unmounting filesystems - (such as CDROMs) after a connection is closed. - -Default: root postexec = - - - - - -root preexecroot preexec (S) - This is the same as the preexec - parameter except that the command is run as root. This - is useful for mounting filesystems (such as CDROMs) when a - connection is opened. - -Default: root preexec = - - - - - -root preexec closeroot preexec close (S) - This is the same as the preexec close - parameter except that the command is run as root. - -Default: root preexec close = no - - - - - -securitysecurity (G) - This option affects how clients respond to - Samba and is one of the most important settings in the - smb.conf file. - - The option sets the "security mode bit" in replies to - protocol negotiations with smbd - 8 to turn share level security on or off. Clients decide - based on this bit whether (and how) to transfer user and password - information to the server. - - - The default is security = user, as this is - the most common setting needed when talking to Windows 98 and - Windows NT. - - The alternatives are security = share, - security = server or security = domain - . - - In versions of Samba prior to 2.0.0, the default was - security = share mainly because that was - the only option at one stage. - - There is a bug in WfWg that has relevance to this - setting. When in user or server level security a WfWg client - will totally ignore the password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) - to connect to a Samba service as anyone except the user that - you are logged into WfWg as. - - If your PCs use usernames that are the same as their - usernames on the UNIX machine then you will want to use - security = user. If you mostly use usernames - that don't exist on the UNIX box then use security = - share. - - You should also use security = share if you - want to mainly setup shares without a password (guest shares). This - is commonly used for a shared printer server. It is more difficult - to setup guest shares with security = user, see - the map to guest - parameter for details. - - It is possible to use smbd in a - hybrid mode where it is offers both user and share - level security under different - NetBIOS aliases. - - The different settings will now be explained. - - - SECURITY = SHARE - - When clients connect to a share level security server they - need not log onto the server with a valid username and password before - attempting to connect to a shared resource (although modern clients - such as Windows 95/98 and Windows NT will send a logon request with - a username but no password when talking to a security = share - server). Instead, the clients send authentication information - (passwords) on a per-share basis, at the time they attempt to connect - to that share. - - Note that smbd ALWAYS - uses a valid UNIX user to act on behalf of the client, even in - security = share level security. - - As clients are not required to send a username to the server - in share level security, smbd uses several - techniques to determine the correct UNIX user to use on behalf - of the client. - - A list of possible UNIX usernames to match with the given - client password is constructed using the following methods : - - - - If the guest - only parameter is set, then all the other - stages are missed and only the - guest account username is checked. - - - - - Is a username is sent with the share connection - request, then this username (after mapping - see - username map), - is added as a potential username. - - - - - If the client did a previous logon - request (the SessionSetup SMB call) then the - username sent in this SMB will be added as a potential username. - - - - - The name of the service the client requested is - added as a potential username. - - - - - The NetBIOS name of the client is added to - the list as a potential username. - - - - - Any users on the - user list are added as potential usernames. - - - - - If the guest only parameter is - not set, then this list is then tried with the supplied password. - The first user for whom the password matches will be used as the - UNIX user. - - If the guest only parameter is - set, or no username can be determined then if the share is marked - as available to the guest account, then this - guest user will be used, otherwise access is denied. - - Note that it can be very confusing - in share-level security as to which UNIX username will eventually - be used in granting access. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURITY = USER - - This is the default security setting in Samba 3.0. - With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the - username map - parameter). Encrypted passwords (see the - encrypted passwords parameter) can also - be used in this security mode. Parameters such as - user and - guest only if set are then applied and - may change the UNIX user to use on this connection, but only after - the user has been successfully authenticated. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the - guest account. - See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURITY = DOMAIN - - This mode will only work correctly if net - 8 has been used to add this - machine into a Windows NT Domain. It expects the - encrypted passwords - parameter to be set to yes. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do. - - Note that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to. - - Note that from the client's point - of view security = domain is the same - as security = user. It only - affects how the server deals with the authentication, - it does not in any way affect what the client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the - guest account. - See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the password - server parameter and the - encrypted passwords - parameter. - - SECURITY = SERVER - - In this mode Samba will try to validate the username/password - by passing it to another SMB server, such as an NT box. If this - fails it will revert to security = - user. It expects the - encrypted passwords parameter - to be set to yes, unless the remote server - does not support them. However note that if encrypted passwords have been - negotiated then Samba cannot revert back to checking the UNIX password file, - it must have a valid smbpasswd file to check - users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up. - - This mode of operation has - significant pitfalls, due to the fact that is activly initiates a - man-in-the-middle attack on the remote SMB server. In particular, - this mode of operation can cause significant resource consuption on - the PDC, as it must maintain an active connection for the duration - of the user's session. Furthermore, if this connection is lost, - there is no way to reestablish it, and futher authenticaions to the - Samba server may fail. (From a single client, till it disconnects). - - - From the client's point of - view security = server is the - same as security = user. It - only affects how the server deals with the authentication, it does - not in any way affect what the client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the - guest account. - See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the password - server parameter and the - encrypted passwords parameter. - - SECURITY = ADS - - In this mode, Samba will act as a domain member in an ADS realm. To operate - in this mode, the machine running Samba will need to have Kerberos installed - and configured and Samba will need to be joined to the ADS realm using the - net utility. - - Note that this mode does NOT make Samba operate as a Active Directory Domain - Controller. - - Read the chapter about Domain Membership in the HOWTO for details. - -Default: security = USER - - -Example: security = DOMAIN - - - - -security masksecurity mask (S) - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box. - - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. - - If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. - - - Note that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will - probably want to leave it set to 0777. - -Default: security mask = 0777 - - -Example: security mask = 0770 - - - - -server schannelserver schannel (G) - This controls whether the server offers or even - demands the use of the netlogon schannel. - server schannel = no does not - offer the schannel, server schannel = - auto offers the schannel but does not - enforce it, and server schannel = - yes denies access if the client is not - able to speak netlogon schannel. This is only the case - for Windows NT4 before SP4. - - Please note that with this set to - no you will have to apply the - WindowsXP requireSignOrSeal-Registry patch found in - the docs/Registry subdirectory. - -Default: server schannel = auto - - -Example: server schannel = yes - - - - -server signingserver signing (G) - - This controls whether the server offers or requires - the client it talks to to use SMB signing. Possible values - are auto, mandatory - and disabled. - - - When set to auto, SMB signing is offered, but not enforced. - When set to mandatory, SMB signing is required and if set - to disabled, SMB signing is not offered either. - -Default: server signing = Disabled - - - - - -server stringserver string (G) - This controls what string will show up in the printer comment box in print - manager and next to the IPC connection in net view. It - can be any string that you wish to show to your users. - - It also sets what will appear in browse lists next - to the machine name. - - A %v will be replaced with the Samba - version number. - - A %h will be replaced with the - hostname. - -Default: server string = Samba %v - - -Example: server string = University of GNUs Samba Server - - - - -set directoryset directory (S) - If set directory = no, then - users of the service may not use the setdir command to change - directory. - - The setdir command is only implemented - in the Digital Pathworks client. See the Pathworks documentation - for details. - -Default: set directory = no - - - - - -set primary group scriptset primary group script (G) - - Thanks to the Posix subsystem in NT a Windows User has a - primary group in addition to the auxiliary groups. This script - sets the primary group in the unix userdatase when an - administrator sets the primary group from the windows user - manager or when fetching a SAM with net rpc - vampire. %u will be replaced - with the user whose primary group is to be set. - %g will be replaced with the group to - set. - -Default: set primary group script = - - -Example: set primary group script = /usr/sbin/usermod -g '%g' '%u' - - - - -set quota commandset quota command (G) - The set quota command should only be used - whenever there is no operating system API available from the OS that - samba can use. - - This option is only available if Samba was configured with the argument --with-sys-quotas or - on linux when ./configure --with-quotas was used and a working quota api - was found in the system. Most packages are configured with these options already. - - This parameter should specify the path to a script that - can set quota for the specified arguments. - - The specified script should take the following arguments: - - - 1 - quota type - - 1 - user quotas - 2 - user default quotas (uid = -1) - 3 - group quotas - 4 - group default quotas (gid = -1) - - - 2 - id (uid for user, gid for group, -1 if N/A) - 3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce) - 4 - block softlimit - 5 - block hardlimit - 6 - inode softlimit - 7 - inode hardlimit - 8(optional) - block size, defaults to 1024 - - - The script should output at least one line of data on success. And nothing on failure. - -Default: set quota command = - - -Example: set quota command = /usr/local/sbin/set_quota - - - - -share modesshare modes (S) - This enables or disables the honoring of - the share modes during a file open. These - modes are used by clients to gain exclusive read or write access - to a file. - - These open modes are not directly supported by UNIX, so - they are simulated using shared memory, or lock files if your - UNIX doesn't support shared memory (almost all do). - - The share modes that are enabled by this option are - DENY_DOS, DENY_ALL, - DENY_READ, DENY_WRITE, - DENY_NONE and DENY_FCB. - - - This option gives full share compatibility and enabled - by default. - - You should NEVER turn this parameter - off as many Windows applications will break if you do so. - -Default: share modes = yes - - - - - -short preserve caseshort preserve case (S) - This boolean parameter controls if new files - which conform to 8.3 syntax, that is all in upper case and of - suitable length, are created upper case, or if they are forced - to be the default case - . This option can be use with preserve case = yes - to permit long filenames to retain their case, while short - names are lowered. - - See the section on NAME MANGLING. - -Default: short preserve case = yes - - - - - -show add printer wizardshow add printer wizard (G) - With the introduction of MS-RPC based printing support - for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will - appear on Samba hosts in the share listing. Normally this folder will - contain an icon for the MS Add Printer Wizard (APW). However, it is - possible to disable this feature regardless of the level of privilege - of the connected user. - - Under normal circumstances, the Windows NT/2000 client will - open a handle on the printer server with OpenPrinterEx() asking for - Administrator privileges. If the user does not have administrative - access on the print server (i.e is not root or a member of the - printer admin group), the OpenPrinterEx() - call fails and the client makes another open call with a request for - a lower privilege level. This should succeed, however the APW - icon will not be displayed. - - Disabling the show add printer wizard - parameter will always cause the OpenPrinterEx() on the server - to fail. Thus the APW icon will never be displayed. - -This does not prevent the same user from having - administrative privilege on an individual printer. - -Default: show add printer wizard = yes - - - - - -shutdown scriptshutdown script (G) - This a full path name to a script called by - smbd - 8 that should - start a shutdown procedure. - - If the connected user posseses the SeRemoteShutdownPrivilege, - right, this command will be run as user. - - The %z %t %r %f variables are expanded as follows: - - - - %z will be substituted with the - shutdown message sent to the server. - - - - %t will be substituted with the - number of seconds to wait before effectively starting the - shutdown procedure. - - - - %r will be substituted with the - switch -r. It means reboot after shutdown - for NT. - - - - %f will be substituted with the - switch -f. It means force the shutdown - even if applications do not respond for NT. - - - - Shutdown script example: - -#!/bin/bash - -$time=0 -let "time/60" -let "time++" - -/sbin/shutdown $3 $4 +$time $1 & - -Shutdown does not return so we need to launch it in background. - - -Default: shutdown script = - - -Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f - - - - -smb passwd filesmb passwd file (G) - This option sets the path to the encrypted smbpasswd file. By - default the path to the smbpasswd file is compiled into Samba. - -Default: smb passwd file = ${prefix}/private/smbpasswd - - -Example: smb passwd file = /etc/samba/smbpasswd - - - - -smb portssmb ports (G) - Specifies which ports the server should listen on for SMB traffic. - -Default: smb ports = 445 139 - - - - - -socket addresssocket address (G) - This option allows you to control what - address Samba will listen for connections on. This is used to - support multiple virtual interfaces on the one server, each - with a different configuration. - - By default Samba will accept connections on any - address. - -Default: socket address = - - -Example: socket address = 192.168.2.20 - - - - -socket optionssocket options (G) - This option allows you to set socket options - to be used when talking with the client. - - Socket options are controls on the networking layer - of the operating systems which allow the connection to be - tuned. - - This option will typically be used to tune your Samba server - for optimal performance for your local network. There is no way - that Samba can know what the optimal parameters are for your net, - so you must experiment and choose them yourself. We strongly - suggest you read the appropriate documentation for your operating - system first (perhaps man - setsockopt will help). - - You may find that on some systems Samba will say - "Unknown socket option" when you supply an option. This means you - either incorrectly typed it or you need to add an include file - to includes.h for your OS. If the latter is the case please - send the patch to - samba-technical@samba.org. - - Any of the supported socket options may be combined - in any way you like, as long as your OS allows it. - - This is the list of socket options currently settable - using this option: - - - SO_KEEPALIVE - SO_REUSEADDR - SO_BROADCAST - TCP_NODELAY - IPTOS_LOWDELAY - IPTOS_THROUGHPUT - SO_SNDBUF * - SO_RCVBUF * - SO_SNDLOWAT * - SO_RCVLOWAT * - - - Those marked with a '*' take an integer - argument. The others can optionally take a 1 or 0 argument to enable - or disable the option, by default they will be enabled if you - don't specify 1 or 0. - - To specify an argument use the syntax SOME_OPTION = VALUE - for example SO_SNDBUF = 8192. Note that you must - not have any spaces before or after the = sign. - - If you are on a local network then a sensible option - might be: - - socket options = IPTOS_LOWDELAY - - If you have a local network then you could try: - - socket options = IPTOS_LOWDELAY TCP_NODELAY - - If you are on a wide area network then perhaps try - setting IPTOS_THROUGHPUT. - - Note that several of the options may cause your Samba - server to fail completely. Use these options with caution! - -Default: socket options = TCP_NODELAY - - -Example: socket options = IPTOS_LOWDELAY - - - - -stat cachestat cache (G) - This parameter determines if smbd - 8 will use a cache in order to - speed up case insensitive name mappings. You should never need - to change this parameter. - -Default: stat cache = yes - - - - - -store dos attributesstore dos attributes (S) - If this parameter is set Samba no longer attempts to - map DOS attributes like SYSTEM, HIDDEN, ARCHIVE or READ-ONLY - to UNIX permission bits (such as the map hidden. Instead, DOS attributes will be stored onto an extended - attribute in the UNIX filesystem, associated with the file or directory. - For this to operate correctly, the parameters map hidden, map system, map archive must be set to off. - This parameter writes the DOS attributes as a string into the - extended attribute named "user.DOSATTRIB". This extended attribute - is explicitly hidden from smbd clients requesting an EA list. - On Linux the filesystem must have been mounted with the mount - option user_xattr in order for extended attributes to work, also - extended attributes must be compiled into the Linux kernel. - - -Default: store dos attributes = no - - - - - -strict allocatestrict allocate (S) - This is a boolean that controls the handling of - disk space allocation in the server. When this is set to yes - the server will change from UNIX behaviour of not committing real - disk storage blocks when a file is extended to the Windows behaviour - of actually forcing the disk system to allocate real storage blocks - when a file is created or extended to be a given size. In UNIX - terminology this means that Samba will stop creating sparse files. - This can be slow on some systems. - - When strict allocate is no the server does sparse - disk block allocation when a file is extended. - - Setting this to yes can help Samba return - out of quota messages on systems that are restricting the disk quota - of users. - -Default: strict allocate = no - - - - - -strict lockingstrict locking (S) - This is a boolean that controls the handling of - file locking in the server. When this is set to yes, - the server will check every read and write access for file locks, and - deny access if locks exist. This can be slow on some systems. - - When strict locking is disabled, the server performs file - lock checks only when the client explicitly asks for them. - - Well-behaved clients always ask for lock checks when it - is important. So in the vast majority of cases, strict - locking = no is acceptable. - -Default: strict locking = yes - - - - - -strict syncstrict sync (S) - Many Windows applications (including the Windows 98 explorer - shell) seem to confuse flushing buffer contents to disk with doing - a sync to disk. Under UNIX, a sync call forces the process to be - suspended until the kernel has ensured that all outstanding data in - kernel disk buffers has been safely stored onto stable storage. - This is very slow and should only be done rarely. Setting this - parameter to no (the default) means that - smbd - 8 ignores the Windows - applications requests for a sync call. There is only a possibility - of losing data if the operating system itself that Samba is running - on crashes, so there is little danger in this default setting. In - addition, this fixes many performance problems that people have - reported with the new Windows98 explorer shell file copies. - -Default: strict sync = no - - - - - -sync alwayssync always (S) - This is a boolean parameter that controls - whether writes will always be written to stable storage before - the write call returns. If this is no then the server will be - guided by the client's request in each write call (clients can - set a bit indicating that a particular write should be synchronous). - If this is yes then every write will be followed by a fsync() - call to ensure the data is written to disk. Note that - the strict sync parameter must be set to - yes in order for this parameter to have - any affect. - -Default: sync always = no - - - - - -syslogsyslog (G) - This parameter maps how Samba debug messages - are logged onto the system syslog logging levels. Samba debug - level zero maps onto syslog LOG_ERR, debug - level one maps onto LOG_WARNING, debug level - two maps onto LOG_NOTICE, debug level three - maps onto LOG_INFO. All higher levels are mapped to - LOG_DEBUG. - - This parameter sets the threshold for sending messages - to syslog. Only messages with debug level less than this value - will be sent to syslog. - -Default: syslog = 1 - - - - - -syslog onlysyslog only (G) - If this parameter is set then Samba debug - messages are logged into the system syslog only, and not to - the debug log files. - -Default: syslog only = no - - - - - -template homedirtemplate homedir (G) - When filling out the user information for a Windows NT - user, the winbindd - 8 daemon uses this - parameter to fill in the home directory for that user. If the - string %D is present it - is substituted with the user's Windows NT domain name. If the - string %U is present it - is substituted with the user's Windows NT user name. - -Default: template homedir = /home/%D/%U - - - - - -template primary grouptemplate primary group (G) - This option defines the default primary group for - each user created by winbindd - 8's local account management - functions (similar to the 'add user script'). - - -Default: template primary group = nobody - - - - - -template shelltemplate shell (G) - When filling out the user information for a Windows NT - user, the winbindd - 8 daemon uses this - parameter to fill in the login shell for that user. - -No default - - - -time offsettime offset (G) - This parameter is a setting in minutes to add - to the normal GMT to local time conversion. This is useful if - you are serving a lot of PCs that have incorrect daylight - saving time handling. - -Default: time offset = 0 - - -Example: time offset = 60 - - - - -time servertime server (G) - This parameter determines if nmbd - 8 advertises itself as a time server to Windows -clients. - -Default: time server = no - - - - - -unix charsetunix charset (G) - Specifies the charset the unix machine - Samba runs on uses. Samba needs to know this in order to be able to - convert text to the charsets other SMB clients use. - - - This is also the charset Samba will use when specifying arguments - to scripts that it invokes. - - -Default: unix charset = UTF8 - - -Example: unix charset = ASCII - - - - -unix extensionsunix extensions (G) - This boolean parameter controls whether Samba - implments the CIFS UNIX extensions, as defined by HP. - These extensions enable Samba to better serve UNIX CIFS clients - by supporting features such as symbolic links, hard links, etc... - These extensions require a similarly enabled client, and are of - no current use to Windows clients. - -Default: unix extensions = yes - - - - - -unix password syncunix password sync (G) - This boolean parameter controls whether Samba - attempts to synchronize the UNIX password with the SMB password - when the encrypted SMB password in the smbpasswd file is changed. - If this is set to yes the program specified in the passwd - programparameter is called AS ROOT - - to allow the new UNIX password to be set without access to the - old UNIX password (as the SMB password change code has no - access to the old password cleartext, only the new). - -Default: unix password sync = no - - - - - -update encryptedupdate encrypted (G) - - This boolean parameter allows a user logging on with - a plaintext password to have their encrypted (hashed) password in - the smbpasswd file to be updated automatically as they log - on. This option allows a site to migrate from plaintext - password authentication (users authenticate with plaintext - password over the wire, and are checked against a UNIX account - database) to encrypted password authentication (the SMB - challenge/response authentication mechanism) without forcing all - users to re-enter their passwords via smbpasswd at the time the - change is made. This is a convenience option to allow the change - over to encrypted passwords to be made over a longer period. - Once all users have encrypted representations of their passwords - in the smbpasswd file this parameter should be set to - no. - - In order for this parameter to work correctly the - encrypt passwords parameter must - be set to no when this parameter is set to yes. - - Note that even when this parameter is set a user - authenticating to smbd must still enter a valid - password in order to connect correctly, and to update their hashed - (smbpasswd) passwords. - -Default: update encrypted = no - - - - - -use client driveruse client driver (S) - This parameter applies only to Windows NT/2000 - clients. It has no effect on Windows 95/98/ME clients. When - serving a printer to Windows NT/2000 clients without first installing - a valid printer driver on the Samba host, the client will be required - to install a local printer driver. From this point on, the client - will treat the print as a local printer and not a network printer - connection. This is much the same behavior that will occur - when disable spoolss = yes. - - - The differentiating factor is that under normal - circumstances, the NT/2000 client will attempt to open the network - printer using MS-RPC. The problem is that because the client - considers the printer to be local, it will attempt to issue the - OpenPrinterEx() call requesting access rights associated with the - logged on user. If the user possesses local administator rights but - not root privilegde on the Samba host (often the case), the - OpenPrinterEx() call will fail. The result is that the client will - now display an "Access Denied; Unable to connect" message - in the printer queue window (even though jobs may successfully be - printed). - - If this parameter is enabled for a printer, then any attempt - to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped - to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() - call to succeed. This parameter MUST not be able enabled - on a print share which has valid print driver installed on the Samba - server. - -Default: use client driver = no - - - - - -use kerberos keytabuse kerberos keytab (G) - -Specifies whether Samba should attempt to maintain service principals in the systems -keytab file for host/FQDN and cifs/FQDN. - - -When you are using the heimdal Kerberos libraries, you must also -specify the following in /etc/krb5.conf: - - -[libdefaults] - default_keytab_name = FILE:/etc/krb5.keytab - - -Default: use kerberos keytab = False - - - - - -use mmapuse mmap (G) - This global parameter determines if the tdb internals of Samba can - depend on mmap working correctly on the running system. Samba requires a coherent - mmap/read-write system memory cache. Currently only HPUX does not have such a - coherent cache, and so this parameter is set to no by - default on HPUX. On all other systems this parameter should be left alone. This - parameter is provided to help the Samba developers track down problems with - the tdb internal code. - - -Default: use mmap = yes - - - - - -userusernameuserThis parameter is a synonym for username. -usersusernameusersThis parameter is a synonym for username. -usernameusername (S) - Multiple users may be specified in a comma-delimited - list, in which case the supplied password will be tested against - each username in turn (left to right). - - The username line is needed only when - the PC is unable to supply its own username. This is the case - for the COREPLUS protocol or where your users have different WfWg - usernames to UNIX usernames. In both these cases you may also be - better using the \\server\share%user syntax instead. - - The username line is not a great - solution in many cases as it means Samba will try to validate - the supplied password against each of the usernames in the - username line in turn. This is slow and - a bad idea for lots of users in case of duplicate passwords. - You may get timeouts or security breaches using this parameter - unwisely. - - Samba relies on the underlying UNIX security. This - parameter does not restrict who can login, it just offers hints - to the Samba server as to what usernames might correspond to the - supplied password. Users can login as whoever they please and - they will be able to do no more damage than if they started a - telnet session. The daemon runs as the user that they log in as, - so they cannot do anything that user cannot do. - - To restrict a service to a particular set of users you - can use the valid users - parameter. - - If any of the usernames begin with a '@' then the name - will be looked up first in the NIS netgroups list (if Samba - is compiled with netgroup support), followed by a lookup in - the UNIX groups database and will expand to a list of all users - in the group of that name. - - If any of the usernames begin with a '+' then the name - will be looked up only in the UNIX groups database and will - expand to a list of all users in the group of that name. - - If any of the usernames begin with a '&' then the name - will be looked up only in the NIS netgroups database (if Samba - is compiled with netgroup support) and will expand to a list - of all users in the netgroup group of that name. - - Note that searching though a groups database can take - quite some time, and some clients may time out during the - search. - - See the section NOTE ABOUT - USERNAME/PASSWORD VALIDATION for more information on how -this parameter determines access to the services. - -Default: username = -# The guest account if a guest service, - else <empty string>. - - -Example: username = fred, mary, jack, jane, @users, @pcgroup - - - - -username levelusername level (G) - This option helps Samba to try and 'guess' at - the real UNIX username, as many DOS clients send an all-uppercase - username. By default Samba tries all lowercase, followed by the - username with the first letter capitalized, and fails if the - username is not found on the UNIX machine. - - If this parameter is set to non-zero the behavior changes. - This parameter is a number that specifies the number of uppercase - combinations to try while trying to determine the UNIX user name. The - higher the number the more combinations will be tried, but the slower - the discovery of usernames will be. Use this parameter when you have - strange usernames on your UNIX machine, such as AstrangeUser - . - - This parameter is needed only on UNIX systems that have case - sensitive usernames. - -Default: username level = 0 - - -Example: username level = 5 - - - - -username mapusername map (G) - This option allows you to specify a file containing - a mapping of usernames from the clients to the server. This can be - used for several purposes. The most common is to map usernames - that users use on DOS or Windows machines to those that the UNIX - box uses. The other is to map multiple users to a single username - so that they can more easily share files. - - The map file is parsed line by line. Each line should - contain a single UNIX username on the left then a '=' followed - by a list of usernames on the right. The list of usernames on the - right may contain names of the form @group in which case they - will match any UNIX username in that group. The special client - name '*' is a wildcard and matches any name. Each line of the - map file may be up to 1023 characters long. - - The file is processed on each line by taking the - supplied username and comparing it with each username on the right - hand side of the '=' signs. If the supplied name matches any of - the names on the right hand side then it is replaced with the name - on the left. Processing then continues with the next line. - - If any line begins with a '#' or a ';' then it is ignored - - If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line - later in the file. - - For example to map from the name admin - or administrator to the UNIX name - root you would use: - - root = admin administrator - - Or to map anyone in the UNIX group system - to the UNIX name sys you would use: - - sys = @system - - You can have as many mappings as you like in a username map file. - - - If your system supports the NIS NETGROUP option then - the netgroup database is checked before the /etc/group - database for matching groups. - - You can map Windows usernames that have spaces in them - by using double quotes around the name. For example: - - tridge = "Andrew Tridgell" - - would map the windows username "Andrew Tridgell" to the - unix username "tridge". - - The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on - that line. - - -!sys = mary fred -guest = * - - - Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and - fred is remapped to mary then you - will actually be connecting to \\server\mary and will need to - supply a password suitable for mary not - fred. The only exception to this is the - username passed to the - password server (if you have one). The password - server will receive whatever username the client supplies without - modification. - - Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job. - - - Samba versions prior to 3.0.8 would only support reading the fully qualified - username (e.g.: DOMAIN\user) from the username map when performing a - kerberos login from a client. However, when looking up a map - entry for a user authenticated by NTLM[SSP], only the login name would be - used for matches. This resulted in inconsistent behavior sometimes - even on the same server. - - - - The following functionality is obeyed in version 3.0.8 and later: - - - - When performing local authentication, the username map is - applied to the login name before attempting to authenticate - the connection. - - - - When relying upon a external domain controller for validating - authentication requests, smbd will apply the username map - to the fully qualified username (i.e. DOMAIN\user) only - after the user has been successfully authenticated. - - -Default: username map = -# no username map - - -Example: username map = /usr/local/samba/lib/users.map - - - - -use sendfileuse sendfile (S) - If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX - and ReadRaw) will use the more efficient sendfile system call for files that - are exclusively oplocked. This may make more efficient use of the system CPU's - and cause Samba to be faster. Samba automatically turns this off for clients - that use protocol levels lower than NT LM 0.12 and when it detects a client is - Windows 9x (using sendfile from Linux will cause these clients to fail). - - -Default: use sendfile = yes - - - - - -use spnegouse spnego (G) - This variable controls controls whether samba will try - to use Simple and Protected NEGOciation (as specified by rfc2478) with - WindowsXP and Windows2000 clients to agree upon an authentication mechanism. - - - - Unless further issues are discovered with our SPNEGO - implementation, there is no reason this should ever be - disabled. - -Default: use spnego = yes - - - - - -utmputmp (G) - This boolean parameter is only available if - Samba has been configured and compiled with the option - --with-utmp. If set to yes then Samba will attempt - to add utmp or utmpx records (depending on the UNIX system) whenever a - connection is made to a Samba server. Sites may use this to record the - user connecting to a Samba share. - - Due to the requirements of the utmp record, we - are required to create a unique identifier for the - incoming user. Enabling this option creates an n^2 - algorithm to find this number. This may impede - performance on large installations. - -Default: utmp = no - - - - - -utmp directoryutmp directory (G) - This parameter is only available if Samba has - been configured and compiled with the option - --with-utmp. It specifies a directory pathname that is - used to store the utmp or utmpx files (depending on the UNIX system) that - record user connections to a Samba server. By default this is - not set, meaning the system will use whatever utmp file the - native system is set to use (usually - /var/run/utmp on Linux). - -Default: utmp directory = -# Determined automatically - - -Example: utmp directory = /var/run/utmp - - - - --valid-valid (S) - This parameter indicates whether a share is - valid and thus can be used. When this parameter is set to false, - the share will be in no way visible nor accessible. - - - - This option should not be - used by regular users but might be of help to developers. - Samba uses this option internally to mark shares as deleted. - - -Default: -valid = yes - - - - - -valid usersvalid users (S) - This is a list of users that should be allowed - to login to this service. Names starting with '@', '+' and '&' - are interpreted using the same rules as described in the - invalid users parameter. - - If this is empty (the default) then any user can login. - If a username is in both this list and the invalid - users list then access is denied for that user. - - The current servicename is substituted for %S - . This is useful in the [homes] section. - -Default: valid users = -# No valid users list (anyone can login) - - -Example: valid users = greg, @pcusers - - - - -veto filesveto files (S) - This is a list of files and directories that - are neither visible nor accessible. Each entry in the list must - be separated by a '/', which allows spaces to be included - in the entry. '*' and '?' can be used to specify multiple files - or directories as in DOS wildcards. - - Each entry must be a unix path, not a DOS path and - must not include the unix directory - separator '/'. - - Note that the case sensitive option - is applicable in vetoing files. - - One feature of the veto files parameter that it - is important to be aware of is Samba's behaviour when - trying to delete a directory. If a directory that is - to be deleted contains nothing but veto files this - deletion will fail unless you also set - the delete veto files parameter to - yes. - - Setting this parameter will affect the performance - of Samba, as it will be forced to check all files and directories - for a match as they are scanned. - -Default: veto files = -# No files or directories are vetoed. - - -Example: veto files = -; Veto any files containing the word Security, -; any ending in .tmp, and any directory containing the -; word root. -veto files = /*Security*/*.tmp/*root*/ - -; Veto the Apple specific files that a NetAtalk server -; creates. -veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ - - - - - -veto oplock filesveto oplock files (S) - This parameter is only valid when the - oplocks - parameter is turned on for a share. It allows the Samba administrator - to selectively turn off the granting of oplocks on selected files that - match a wildcarded list, similar to the wildcarded list used in the - veto files - parameter. - - - You might want to do this on files that you know will - be heavily contended for by clients. A good example of this - is in the NetBench SMB benchmark program, which causes heavy - client contention for files ending in .SEM. - To cause Samba not to grant oplocks on these files you would use - the line (either in the [global] section or in the section for - the particular NetBench share : - -Default: veto oplock files = -# No files are vetoed for oplock grants - - -Example: veto oplock files = /.*SEM/ - - - - -vfs objectvfs objectsvfs objectThis parameter is a synonym for vfs objects. -vfs objectsvfs objects (S) - This parameter specifies the backend names which - are used for Samba VFS I/O operations. By default, normal - disk I/O operations are used but these can be overloaded - with one or more VFS objects. - -Default: vfs objects = - - -Example: vfs objects = extd_audit recycle - - - - -volumevolume (S) - This allows you to override the volume label - returned for a share. Useful for CDROMs with installation programs - that insist on a particular volume label. - -Default: volume = -# the name of the share - - - - - -wide linkswide links (S) - This parameter controls whether or not links - in the UNIX file system may be followed by the server. Links - that point to areas within the directory tree exported by the - server are always allowed; this parameter controls access only - to areas that are outside the directory tree being exported. - - Note that setting this parameter can have a negative - effect on your server performance due to the extra system calls - that Samba has to do in order to perform the link checks. - -Default: wide links = yes - - - - - -winbind cache timewinbind cache time (G) - This parameter specifies the number of - seconds the winbindd - 8 daemon will cache - user and group information before querying a Windows NT server - again. - This does not apply to authentication requests, - these are always evaluated in real time. - -Default: winbind cache time = 300 - - - - - -winbind enable local accountswinbind enable local accounts (G) - This parameter controls whether or not winbindd - will act as a stand in replacement for the various account - management hooks in smb.conf (e.g. 'add user script'). - If enabled, winbindd will support the creation of local - users and groups as another source of UNIX account information - available via getpwnam() or getgrgid(), etc... - - -Default: winbind enable local accounts = no - - - - - -winbind enum groupswinbind enum groups (G) - On large installations using winbindd - 8 it may be necessary to suppress - the enumeration of groups through the setgrent(), - getgrent() and - endgrent() group of system calls. If - the winbind enum groups parameter is - no, calls to the getgrent() system - call will not return any data. - -Turning off group enumeration may cause some programs to behave oddly. - -Default: winbind enum groups = yes - - - - - -winbind enum userswinbind enum users (G) - On large installations using winbindd - 8 it may be - necessary to suppress the enumeration of users through the setpwent(), - getpwent() and - endpwent() group of system calls. If - the winbind enum users parameter is - no, calls to the getpwent system call - will not return any data. - -Turning off user - enumeration may cause some programs to behave oddly. For - example, the finger program relies on having access to the - full user list when searching for matching - usernames. - -Default: winbind enum users = yes - - - - - -winbind nested groupswinbind nested groups (G) - If set to yes, this parameter activates the support for nested - groups. Nested groups are also called local groups or - aliases. They work like their counterparts in Windows: Nested - groups are defined locally on any machine (they are shared - between DC's through their SAM) and can contain users and - global groups from any trusted SAM. To be able to use nested - groups, you need to run nss_winbind. - Please note that per 3.0.3 this is a new feature, so - handle with care. - -Default: winbind nested groups = no - - - - - -winbind separatorwinbind separator (G) - This parameter allows an admin to define the character - used when listing a username of the form of DOMAIN - \user. This parameter - is only applicable when using the pam_winbind.so - and nss_winbind.so modules for UNIX services. - - - Please note that setting this parameter to + causes problems - with group membership at least on glibc systems, as the character + - is used as a special character for NIS in /etc/group. - -Default: winbind separator = '\' - - -Example: winbind separator = + - - - - -winbind trusted domains onlywinbind trusted domains only (G) - This parameter is designed to allow Samba servers that - are members of a Samba controlled domain to use UNIX accounts - distributed via NIS, rsync, or LDAP as the uid's for winbindd users - in the hosts primary domain. Therefore, the user DOMAIN\user1 would - be mapped to the account user1 in /etc/passwd instead of allocating - a new uid for him or her. - - -Default: winbind trusted domains only = no - - - - - -winbind use default domainwinbind use default domain (G) - This parameter specifies whether the - winbindd - 8 daemon should operate on users - without domain component in their username. Users without a domain - component are treated as is part of the winbindd server's own - domain. While this does not benifit Windows users, it makes SSH, FTP and - e-mail function in a way much closer to the way they - would in a native unix system. - -Default: winbind use default domain = no - - -Example: winbind use default domain = yes - - - - -wins hookwins hook (G) - When Samba is running as a WINS server this - allows you to call an external program for all changes to the - WINS database. The primary use for this option is to allow the - dynamic update of external name resolution databases such as - dynamic DNS. - - The wins hook parameter specifies the name of a script - or executable that will be called as follows: - - wins_hook operation name nametype ttl IP_list - - - - The first argument is the operation and is - one of "add", "delete", or - "refresh". In most cases the operation - can be ignored as the rest of the parameters - provide sufficient information. Note that - "refresh" may sometimes be called when - the name has not previously been added, in that - case it should be treated as an add. - - - - The second argument is the NetBIOS name. If the - name is not a legal name then the wins hook is not called. - Legal names contain only letters, digits, hyphens, underscores - and periods. - - - - The third argument is the NetBIOS name - type as a 2 digit hexadecimal number. - - - - The fourth argument is the TTL (time to live) - for the name in seconds. - - - - The fifth and subsequent arguments are the IP - addresses currently registered for that name. If this list is - empty then the name should be deleted. - - - - An example script that calls the BIND dynamic DNS update - program nsupdate is provided in the examples - directory of the Samba source code. - -No default - - - -wins proxywins proxy (G) - This is a boolean that controls if nmbd - 8 will respond to broadcast name - queries on behalf of other hosts. You may need to set this - to yes for some older clients. - -Default: wins proxy = no - - - - - -wins serverwins server (G) - This specifies the IP address (or DNS name: IP - address for preference) of the WINS server that nmbd - 8 should register with. If you have a WINS server on - your network then you should set this to the WINS server's IP. - - You should point this at your WINS server if you have a - multi-subnetted network. - - If you want to work in multiple namespaces, you can - give every wins server a 'tag'. For each tag, only one - (working) server will be queried for a name. The tag should be - separated from the ip address by a colon. - - - You need to set up Samba to point - to a WINS server if you have multiple subnets and wish cross-subnet - browsing to work correctly. - See the . - -Default: wins server = - - -Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 - -# For this example when querying a certain name, 192.19.200.1 will - be asked first and if that doesn't respond 192.168.2.61. If either - of those doesn't know the name 192.168.3.199 will be queried. - -Example: wins server = 192.9.200.1 192.168.2.61 - - - - -wins supportwins support (G) - This boolean controls if the nmbd - 8 process in Samba will act as a WINS server. You should - not set this to yes unless you have a multi-subnetted network and - you wish a particular nmbd to be your WINS server. - Note that you should NEVER set this to yes - on more than one machine in your network. - - -Default: wins support = no - - - - - -workgroupworkgroup (G) - This controls what workgroup your server will - appear to be in when queried by clients. Note that this parameter - also controls the Domain name used with - the security = domain - setting. - -Default: workgroup = WORKGROUP - - -Example: workgroup = MYGROUP - - - - -writablewriteablewritableThis parameter is a synonym for writeable. -writeablewriteable (S) - Inverted synonym for - read only. - -No default - - - -write cache sizewrite cache size (S) - If this integer parameter is set to non-zero value, - Samba will create an in-memory cache for each oplocked file - (it does not do this for - non-oplocked files). All writes that the client does not request - to be flushed directly to disk will be stored in this cache if possible. - The cache is flushed onto disk when a write comes in whose offset - would not fit into the cache or when the file is closed by the client. - Reads for the file are also served from this cache if the data is stored - within it. - - This cache allows Samba to batch client writes into a more - efficient write size for RAID disks (i.e. writes may be tuned to - be the RAID stripe size) and can improve performance on systems - where the disk subsystem is a bottleneck but there is free - memory for userspace programs. - - The integer parameter specifies the size of this cache - (per oplocked file) in bytes. - -Default: write cache size = 0 - - -Example: write cache size = 262144 -# for a 256k cache size per file - - - - -write listwrite list (S) - This is a list of users that are given read-write - access to a service. If the connecting user is in this list then - they will be given write access, no matter what the - read only - option is set to. The list can include group names using the - @group syntax. - - Note that if a user is in both the read list and the - write list then they will be given write access. - - This parameter will not work with the - security = share in - Samba 3.0. This is by design. - - -Default: write list = - - -Example: write list = admin, root, @staff - - - - -write rawwrite raw (G) - This parameter controls whether or not the server - will support raw write SMB's when transferring data from clients. - You should never need to change this parameter. - -Default: write raw = yes - - - - - -wtmp directorywtmp directory (G) - This parameter is only available if Samba has - been configured and compiled with the option - --with-utmp. It specifies a directory pathname that is - used to store the wtmp or wtmpx files (depending on the UNIX system) that - record user connections to a Samba server. The difference with - the utmp directory is the fact that user info is kept after a user - has logged out. - - - By default this is - not set, meaning the system will use whatever utmp file the - native system is set to use (usually - /var/run/wtmp on Linux). - -Default: wtmp directory = - - -Example: wtmp directory = /var/log/wtmp - - - - + + + + smb.conf + 5 + + + + + smb.conf + The configuration file for the Samba suite + + + + SYNOPSIS + + The smb.conf file is a configuration + file for the Samba suite. smb.conf contains + runtime configuration information for the Samba programs. The smb.conf file + is designed to be configured and administered by the swat + 8 program. The complete + description of the file format and possible parameters held within + are here for reference purposes. + + + FILE FORMAT + + The file consists of sections and parameters. A section + begins with the name of the section in square brackets and continues + until the next section begins. Sections contain parameters of the + form + + name = value + + + The file is line-based - that is, each newline-terminated + line represents either a comment, a section name or a parameter. + + Section and parameter names are not case sensitive. + + Only the first equals sign in a parameter is significant. + Whitespace before or after the first equals sign is discarded. + Leading, trailing and internal whitespace in section and parameter + names is irrelevant. Leading and trailing whitespace in a parameter + value is discarded. Internal whitespace within a parameter value + is retained verbatim. + + Any line beginning with a semicolon (;) or a hash (#) + character is ignored, as are lines containing only whitespace. + + Any line ending in a \ is continued + on the next line in the customary UNIX fashion. + + The values following the equals sign in parameters are all + either a string (no quotes needed) or a boolean, which may be given + as yes/no, 0/1 or true/false. Case is not significant in boolean + values, but is preserved in string values. Some items such as + create modes are numeric. + + + + SECTION DESCRIPTIONS + + Each section in the configuration file (except for the + [global] section) describes a shared resource (known + as a share). The section name is the name of the + shared resource and the parameters within the section define + the shares attributes. + + There are three special sections, [global], + [homes] and [printers], which are + described under special sections. The + following notes apply to ordinary section descriptions. + + A share consists of a directory to which access is being + given plus a description of the access rights which are granted + to the user of the service. Some housekeeping options are + also specifiable. + + Sections are either file share services (used by the + client as an extension of their native file systems) or + printable services (used by the client to access print services + on the host running the server). + + Sections may be designated guest services, + in which case no password is required to access them. A specified + UNIX guest account is used to define access + privileges in this case. + + Sections other than guest services will require a password + to access them. The client provides the username. As older clients + only provide passwords and not usernames, you may specify a list + of usernames to check against the password using the user = + option in the share definition. For modern clients such as + Windows 95/98/ME/NT/2000, this should not be necessary. + + The access rights granted by the server are + masked by the access rights granted to the specified or guest + UNIX user by the host system. The server does not grant more + access than the host system grants. + + The following sample section defines a file space share. + The user has write access to the path /home/bar. + The share is accessed via the share name foo: + + + + /home/bar + read only = no + + + The following sample section defines a printable share. + The share is read-only, but printable. That is, the only write + access permitted is via calls to open, write to and close a + spool file. The guest ok parameter means + access will be permitted as the default guest user (specified + elsewhere): + + + + /usr/spool/public + yes + yes + yes + + + + + SPECIAL SECTIONS + + + The [global] section + + Parameters in this section apply to the server + as a whole, or are defaults for sections that do not + specifically define certain items. See the notes + under PARAMETERS for more information. + + + + The [homes] section + + If a section called [homes] is included in the + configuration file, services connecting clients to their + home directories can be created on the fly by the server. + + When the connection request is made, the existing + sections are scanned. If a match is found, it is used. If no + match is found, the requested section name is treated as a + username and looked up in the local password file. If the + name exists and the correct password has been given, a share is + created by cloning the [homes] section. + + Some modifications are then made to the newly + created share: + + + The share name is changed from homes to + the located username. + + If no path was given, the path is set to + the user's home directory. + + + If you decide to use a path = line + in your [homes] section, you may find it useful + to use the %S macro. For example : + + path = /data/pchome/%S + + is useful if you have different home directories + for your PCs than for UNIX access. + + This is a fast and simple way to give a large number + of clients access to their home directories with a minimum + of fuss. + + A similar process occurs if the requested section + name is homes, except that the share name is not + changed to that of the requesting user. This method of using + the [homes] section works well if different users share + a client PC. + + The [homes] section can specify all the parameters + a normal service section can specify, though some make more sense + than others. The following is a typical and suitable [homes] + section: + + + + no + + + An important point is that if guest access is specified + in the [homes] section, all home directories will be + visible to all clients without a password. + In the very unlikely event that this is actually desirable, it + is wise to also specify read only access. + + The browseable flag for + auto home directories will be inherited from the global browseable + flag, not the [homes] browseable flag. This is useful as + it means setting browseable = no in + the [homes] section will hide the [homes] share but make + any auto home directories visible. + + + + The [printers] section + + This section works like [homes], + but for printers. + + If a [printers] section occurs in the + configuration file, users are able to connect to any printer + specified in the local host's printcap file. + + When a connection request is made, the existing sections + are scanned. If a match is found, it is used. If no match is found, + but a [homes] section exists, it is used as described + above. Otherwise, the requested section name is treated as a + printer name and the appropriate printcap file is scanned to see + if the requested section name is a valid printer share name. If + a match is found, a new printer share is created by cloning + the [printers] section. + + A few modifications are then made to the newly created + share: + + + The share name is set to the located printer + name + + If no printer name was given, the printer name + is set to the located printer name + + If the share does not permit guest access and + no username was given, the username is set to the located + printer name. + + + The [printers] service MUST be + printable - if you specify otherwise, the server will refuse + to load the configuration file. + + Typically the path specified is that of a + world-writeable spool directory with the sticky bit set on + it. A typical [printers] entry looks like + this: + + + + /usr/spool/public + yes + yes + + + All aliases given for a printer in the printcap file + are legitimate printer names as far as the server is concerned. + If your printing subsystem doesn't work like that, you will have + to set up a pseudo-printcap. This is a file consisting of one or + more lines like this: + + +alias|alias|alias|alias... + + + Each alias should be an acceptable printer name for + your printing subsystem. In the [global] section, specify + the new file as your printcap. The server will only recognize + names found in your pseudo-printcap, which of course can contain + whatever aliases you like. The same technique could be used + simply to limit access to a subset of your local printers. + + An alias, by the way, is defined as any component of the + first entry of a printcap record. Records are separated by newlines, + components (if there are more than one) are separated by vertical + bar symbols (|). + + On SYSV systems which use lpstat to determine what + printers are defined on the system you may be able to use + printcap name = lpstat to automatically obtain a list + of printers. See the printcap name option + for more details. + + + + + PARAMETERS + + Parameters define the specific attributes of sections. + + Some parameters are specific to the [global] section + (e.g., security). Some parameters are usable + in all sections (e.g., create mode). All others + are permissible only in normal sections. For the purposes of the + following descriptions the [homes] and [printers] + sections will be considered normal. The letter G + in parentheses indicates that a parameter is specific to the + [global] section. The letter S + indicates that a parameter can be specified in a service specific + section. All S parameters can also be specified in + the [global] section - in which case they will define + the default behavior for all services. + + Parameters are arranged here in alphabetical order - this may + not create best bedfellows, but at least you can find them! Where + there are synonyms, the preferred synonym is described, others refer + to the preferred synonym. + + + + VARIABLE SUBSTITUTIONS + + Many of the strings that are settable in the config file + can take substitutions. For example the option path = + /tmp/%u is interpreted as path = + /tmp/john if the user connected with the username john. + + These substitutions are mostly noted in the descriptions below, + but there are some general substitutions which apply whenever they + might be relevant. These are: + + + + %U + session username (the username that the client + wanted, not necessarily the same as the one they got). + + + + %G + primary group name of %U. + + + + %h + the Internet hostname that Samba is running + on. + + + + %m + the NetBIOS name of the client machine + (very useful). + + + + %L + the NetBIOS name of the server. This allows you + to change your config based on what the client calls you. Your + server can have a dual personality. + + This parameter is not available when Samba listens + on port 445, as clients no longer send this information. + + + + + + %M + the Internet name of the client machine. + + + + + %R + the selected protocol level after + protocol negotiation. It can be one of CORE, COREPLUS, + LANMAN1, LANMAN2 or NT1. + + + + %d + the process id of the current server + process. + + + + %a + the architecture of the remote + machine. It currently recognizes Samba (Samba), + the Linux CIFS file system (CIFSFS), OS/2, (OS2), + Windows for Workgroups (WfWg), Windows 9x/ME + (Win95), Windows NT (WinNT), + Windows 2000 (Win2K), Windows XP (WinXP), + and Windows 2003 (Win2K3). Anything else will be known as + UNKNOWN. + + + + + %I + the IP address of the client machine. + + + + + %i + the local IP address to which a client connected. + + + + + %T + the current date and time. + + + + %D + name of the domain or workgroup of the current user. + + + + %$(envvar) + the value of the environment variable + envar. + + + + The following substitutes apply only to some configuration options (only those + that are used when a connection has been established): + + + + %S + the name of the current service, if any. + + + + + %P + the root directory of the current service, + if any. + + + + %u + username of the current service, if any. + + + + + %g + primary group name of %u. + + + + %H + the home directory of the user given + by %u. + + + + %N + the name of your NIS home directory server. + This is obtained from your NIS auto.map entry. If you have + not compiled Samba with the --with-automount + option, this value will be the same as %L. + + + + + %p + the path of the service's home directory, + obtained from your NIS auto.map entry. The NIS auto.map entry + is split up as %N:%p. + + + + There are some quite creative things that can be done + with these substitutions and other smb.conf options. + + + + NAME MANGLING + + Samba supports name mangling so that DOS and + Windows clients can use files that don't conform to the 8.3 format. + It can also be set to adjust the case of 8.3 format filenames. + + There are several options that control the way mangling is + performed, and they are grouped here rather than listed separately. + For the defaults look at the output of the testparm program. + + All of these options can be set separately for each service + (or globally, of course). + + The options are: + + + + + case sensitive = yes/no/auto + controls whether filenames are case sensitive. If + they aren't, Samba must do a filename search and match on passed + names. The default setting of auto allows clients that support case + sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently) + to tell the Samba server on a per-packet basis that they wish to access + the file system in a case-sensitive manner (to support UNIX case sensitive + semantics). No Windows or DOS system supports case-sensitive filename so + setting this option to auto is that same as setting it to no for them. + Default auto. + + + + default case = upper/lower + controls what the default case is for new + filenames. Default lower. + + + + preserve case = yes/no + controls whether new files are created with the + case that the client passes, or if they are forced to be the + default case. Default yes. + + + + + short preserve case = yes/no + controls if new files which conform to 8.3 syntax, + that is all in upper case and of suitable length, are created + upper case, or if they are forced to be the default + case. This option can be used with preserve case = yes + to permit long filenames to retain their case, while short names + are lowercased. Default yes. + + + + By default, Samba 3.0 has the same semantics as a Windows + NT server, in that it is case insensitive but case preserving. + + + + + NOTE ABOUT USERNAME/PASSWORD VALIDATION + + There are a number of ways in which a user can connect + to a service. The server uses the following steps in determining + if it will allow a connection to a specified service. If all the + steps fail, the connection request is rejected. However, if one of the + steps succeeds, the following steps are not checked. + + If the service is marked guest only = yes and the + server is running with share-level security (security = share, + steps 1 to 5 are skipped. + + + + If the client has passed a username/password + pair and that username/password pair is validated by the UNIX + system's password programs, the connection is made as that + username. This includes the + \\server\service%username method of passing + a username. + + If the client has previously registered a username + with the system and now supplies a correct password for that + username, the connection is allowed. + + The client's NetBIOS name and any previously + used usernames are checked against the supplied password. If + they match, the connection is allowed as the corresponding + user. + + If the client has previously validated a + username/password pair with the server and the client has passed + the validation token, that username is used. + + If a user = field is given in the + smb.conf file for the service and the client + has supplied a password, and that password matches (according to + the UNIX system's password checking) with one of the usernames + from the user = field, the connection is made as + the username in the user = line. If one + of the usernames in the user = list begins with a + @, that name expands to a list of names in + the group of the same name. + + If the service is a guest service, a + connection is made as the username given in the guest + account = for the service, irrespective of the + supplied password. + + + + + + EXPLANATION OF EACH PARAMETER + + + + + + + WARNINGS + + Although the configuration file permits service names + to contain spaces, your client software may not. Spaces will + be ignored in comparisons anyway, so it shouldn't be a + problem - but be aware of the possibility. + + On a similar note, many clients - especially DOS clients - + limit service names to eight characters. smbd + 8 has no such limitation, but attempts to connect from such + clients will fail if they truncate the service names. For this reason + you should probably keep your service names down to eight characters + in length. + + Use of the [homes] and [printers] special sections make life + for an administrator easy, but the various combinations of default + attributes can be tricky. Take extreme care when designing these + sections. In particular, ensure that the permissions on spool + directories are correct. + + + + VERSION + + This man page is correct for version 3.0 of the Samba suite. + + + + SEE ALSO + + samba + 7, smbpasswd + 8, swat + 8, smbd + 8, nmbd + 8, smbclient + 1, nmblookup + 1, testparm + 1, testprns + 1. + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy. + + + -- 2.11.4.GIT