1 .\" This manpage has been automatically generated by docbook2man-spec
2 .\" from a DocBook document. docbook2man-spec can be found at:
3 .\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/>
4 .\" Please send any bug reports, improvements, comments, patches,
5 .\" etc. to Steve Cheng <steve@ggi-project.org>.
6 .TH "SMB.CONF" "5" "01 June 2001" "" ""
8 smb.conf \- The configuration file for the Samba suite
11 The \fIsmb.conf\fR file is a configuration
12 file for the Samba suite. \fIsmb.conf\fR contains
13 runtime configuration information for the Samba programs. The
14 \fIsmb.conf\fR file is designed to be configured and
15 administered by the \fBswat(8)\fR
16 program. The complete description of the file format and
17 possible parameters held within are here for reference purposes.
20 The file consists of sections and parameters. A section
21 begins with the name of the section in square brackets and continues
22 until the next section begins. Sections contain parameters of the
27 The file is line-based - that is, each newline-terminated
28 line represents either a comment, a section name or a parameter.
30 Section and parameter names are not case sensitive.
32 Only the first equals sign in a parameter is significant.
33 Whitespace before or after the first equals sign is discarded.
34 Leading, trailing and internal whitespace in section and parameter
35 names is irrelevant. Leading and trailing whitespace in a parameter
36 value is discarded. Internal whitespace within a parameter value
39 Any line beginning with a semicolon (';') or a hash ('#')
40 character is ignored, as are lines containing only whitespace.
42 Any line ending in a '\\' is continued
43 on the next line in the customary UNIX fashion.
45 The values following the equals sign in parameters are all
46 either a string (no quotes needed) or a boolean, which may be given
47 as yes/no, 0/1 or true/false. Case is not significant in boolean
48 values, but is preserved in string values. Some items such as
49 create modes are numeric.
50 .SH "SECTION DESCRIPTIONS"
52 Each section in the configuration file (except for the
53 [global] section) describes a shared resource (known
54 as a "share"). The section name is the name of the
55 shared resource and the parameters within the section define
56 the shares attributes.
58 There are three special sections, [global],
59 [homes] and [printers], which are
60 described under \fBspecial sections\fR. The
61 following notes apply to ordinary section descriptions.
63 A share consists of a directory to which access is being
64 given plus a description of the access rights which are granted
65 to the user of the service. Some housekeeping options are
68 Sections are either file share services (used by the
69 client as an extension of their native file systems) or
70 printable services (used by the client to access print services
71 on the host running the server).
73 Sections may be designated \fBguest\fR services,
74 in which case no password is required to access them. A specified
75 UNIX \fBguest account\fR is used to define access
76 privileges in this case.
78 Sections other than guest services will require a password
79 to access them. The client provides the username. As older clients
80 only provide passwords and not usernames, you may specify a list
81 of usernames to check against the password using the "user="
82 option in the share definition. For modern clients such as
83 Windows 95/98/ME/NT/2000, this should not be necessary.
85 Note that the access rights granted by the server are
86 masked by the access rights granted to the specified or guest
87 UNIX user by the host system. The server does not grant more
88 access than the host system grants.
90 The following sample section defines a file space share.
91 The user has write access to the path \fI/home/bar\fR.
92 The share is accessed via the share name "foo":
103 The following sample section defines a printable share.
104 The share is readonly, but printable. That is, the only write
105 access permitted is via calls to open, write to and close a
106 spool file. The \fBguest ok\fR parameter means
107 access will be permitted as the default guest user (specified
112 path = /usr/spool/public
120 .SH "SPECIAL SECTIONS"
121 .SS "THE GLOBAL SECTION"
123 parameters in this section apply to the server
124 as a whole, or are defaults for sections which do not
125 specifically define certain items. See the notes
126 under PARAMETERS for more information.
127 .SS "THE HOMES SECTION"
129 If a section called homes is included in the
130 configuration file, services connecting clients to their
131 home directories can be created on the fly by the server.
133 When the connection request is made, the existing
134 sections are scanned. If a match is found, it is used. If no
135 match is found, the requested section name is treated as a
136 user name and looked up in the local password file. If the
137 name exists and the correct password has been given, a share is
138 created by cloning the [homes] section.
140 Some modifications are then made to the newly
144 The share name is changed from homes to
145 the located username.
148 If no path was given, the path is set to
149 the user's home directory.
151 If you decide to use a \fBpath=\fR line
152 in your [homes] section then you may find it useful
153 to use the %S macro. For example :
156 \fBpath=/data/pchome/%S\fR
159 would be useful if you have different home directories
160 for your PCs than for UNIX access.
163 This is a fast and simple way to give a large number
164 of clients access to their home directories with a minimum
168 A similar process occurs if the requested section
169 name is "homes", except that the share name is not
170 changed to that of the requesting user. This method of using
171 the [homes] section works well if different users share
175 The [homes] section can specify all the parameters
176 a normal service section can specify, though some make more sense
177 than others. The following is a typical and suitable [homes]
189 An important point is that if guest access is specified
190 in the [homes] section, all home directories will be
191 visible to all clients \fBwithout a password\fR.
192 In the very unlikely event that this is actually desirable, it
193 would be wise to also specify \fBread only
197 Note that the \fBbrowseable\fR flag for
198 auto home directories will be inherited from the global browseable
199 flag, not the [homes] browseable flag. This is useful as
200 it means setting browseable=no in the [homes] section
201 will hide the [homes] share but make any auto home
204 .SS "THE PRINTERS SECTION"
206 This section works like [homes],
209 If a [printers] section occurs in the
210 configuration file, users are able to connect to any printer
211 specified in the local host's printcap file.
213 When a connection request is made, the existing sections
214 are scanned. If a match is found, it is used. If no match is found,
215 but a [homes] section exists, it is used as described
216 above. Otherwise, the requested section name is treated as a
217 printer name and the appropriate printcap file is scanned to see
218 if the requested section name is a valid printer share name. If
219 a match is found, a new printer share is created by cloning
220 the [printers] section.
222 A few modifications are then made to the newly created
226 The share name is set to the located printer
230 If no printer name was given, the printer name
231 is set to the located printer name
234 If the share does not permit guest access and
235 no username was given, the username is set to the located
238 Note that the [printers] service MUST be
239 printable - if you specify otherwise, the server will refuse
240 to load the configuration file.
243 Typically the path specified would be that of a
244 world-writeable spool directory with the sticky bit set on
245 it. A typical [printers] entry would look like
251 path = /usr/spool/public
258 All aliases given for a printer in the printcap file
259 are legitimate printer names as far as the server is concerned.
260 If your printing subsystem doesn't work like that, you will have
261 to set up a pseudo-printcap. This is a file consisting of one or
262 more lines like this:
266 alias|alias|alias|alias...
272 Each alias should be an acceptable printer name for
273 your printing subsystem. In the [global] section, specify
274 the new file as your printcap. The server will then only recognize
275 names found in your pseudo-printcap, which of course can contain
276 whatever aliases you like. The same technique could be used
277 simply to limit access to a subset of your local printers.
280 An alias, by the way, is defined as any component of the
281 first entry of a printcap record. Records are separated by newlines,
282 components (if there are more than one) are separated by vertical
286 NOTE: On SYSV systems which use lpstat to determine what
287 printers are defined on the system you may be able to use
288 "printcap name = lpstat" to automatically obtain a list
289 of printers. See the "printcap name" option
294 parameters define the specific attributes of sections.
296 Some parameters are specific to the [global] section
297 (e.g., \fBsecurity\fR). Some parameters are usable
298 in all sections (e.g., \fBcreate mode\fR). All others
299 are permissible only in normal sections. For the purposes of the
300 following descriptions the [homes] and [printers]
301 sections will be considered normal. The letter \fBG\fR
302 in parentheses indicates that a parameter is specific to the
303 [global] section. The letter \fBS\fR
304 indicates that a parameter can be specified in a service specific
305 section. Note that all \fBS\fR parameters can also be specified in
306 the [global] section - in which case they will define
307 the default behavior for all services.
309 parameters are arranged here in alphabetical order - this may
310 not create best bedfellows, but at least you can find them! Where
311 there are synonyms, the preferred synonym is described, others refer
312 to the preferred synonym.
313 .SH "VARIABLE SUBSTITUTIONS"
315 Many of the strings that are settable in the config file
316 can take substitutions. For example the option "path =
317 /tmp/%u" would be interpreted as "path =
318 /tmp/john" if the user connected with the username john.
320 These substitutions are mostly noted in the descriptions below,
321 but there are some general substitutions which apply whenever they
322 might be relevant. These are:
325 the name of the current service, if any.
328 the root directory of the current service,
332 user name of the current service, if any.
335 primary group name of %u.
338 session user name (the user name that the client
339 wanted, not necessarily the same as the one they got).
342 primary group name of %U.
345 the home directory of the user given
352 the Internet hostname that Samba is running
356 the NetBIOS name of the client machine
360 the NetBIOS name of the server. This allows you
361 to change your config based on what the client calls you. Your
362 server can have a "dual personality".
365 the Internet name of the client machine.
368 the name of your NIS home directory server.
369 This is obtained from your NIS auto.map entry. If you have
370 not compiled Samba with the \fB--with-automount\fR
371 option then this value will be the same as %.
374 the path of the service's home directory,
375 obtained from your NIS auto.map entry. The NIS auto.map entry
376 is split up as "%N:%p".
379 the selected protocol level after
380 protocol negotiation. It can be one of CORE, COREPLUS,
381 LANMAN1, LANMAN2 or NT1.
384 The process id of the current server
388 the architecture of the remote
389 machine. Only some are recognized, and those may not be
390 100% reliable. It currently recognizes Samba, WfWg,
391 WinNT and Win95. Anything else will be known as
392 "UNKNOWN". If it gets it wrong then sending a level
393 3 log to samba@samba.org
394 <URL:mailto:samba@samba.org> should allow it to be fixed.
397 The IP address of the client machine.
400 the current date and time.
402 \fB%$(\fIenvvar\fB)\fR
403 The value of the environment variable
406 There are some quite creative things that can be done
407 with these substitutions and other smb.conf options.
411 Samba supports "name mangling" so that DOS and
412 Windows clients can use files that don't conform to the 8.3 format.
413 It can also be set to adjust the case of 8.3 format filenames.
415 There are several options that control the way mangling is
416 performed, and they are grouped here rather than listed separately.
417 For the defaults look at the output of the testparm program.
419 All of these options can be set separately for each service
420 (or globally, of course).
424 \fBmangle case= yes/no\fR
425 controls if names that have characters that
426 aren't of the "default" case are mangled. For example,
427 if this is yes then a name like "Mail" would be mangled.
430 \fBcase sensitive = yes/no\fR
431 controls whether filenames are case sensitive. If
432 they aren't then Samba must do a filename search and match on passed
433 names. Default \fBno\fR.
435 \fBdefault case = upper/lower\fR
436 controls what the default case is for new
437 filenames. Default \fBlower\fR.
439 \fBpreserve case = yes/no\fR
440 controls if new files are created with the
441 case that the client passes, or if they are forced to be the
442 "default" case. Default \fByes\fR.
444 \fBshort preserve case = yes/no\fR
445 controls if new files which conform to 8.3 syntax,
446 that is all in upper case and of suitable length, are created
447 upper case, or if they are forced to be the "default"
448 case. This option can be use with "preserve case = yes"
449 to permit long filenames to retain their case, while short names
450 are lowered. Default \fByes\fR.
452 By default, Samba 2.2 has the same semantics as a Windows
453 NT server, in that it is case insensitive but case preserving.
455 .SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
457 There are a number of ways in which a user can connect
458 to a service. The server uses the following steps in determining
459 if it will allow a connection to a specified service. If all the
460 steps fail, then the connection request is rejected. However, if one of the
461 steps succeeds, then the following steps are not checked.
463 If the service is marked "guest only = yes" then
464 steps 1 to 5 are skipped.
466 If the client has passed a username/password
467 pair and that username/password pair is validated by the UNIX
468 system's password programs then the connection is made as that
469 username. Note that this includes the
470 \\\\server\\service%\fIusername\fR method of passing
473 If the client has previously registered a username
474 with the system and now supplies a correct password for that
475 username then the connection is allowed.
477 The client's netbios name and any previously
478 used user names are checked against the supplied password, if
479 they match then the connection is allowed as the corresponding
482 If the client has previously validated a
483 username/password pair with the server and the client has passed
484 the validation token then that username is used.
486 If a "user = " field is given in the
487 \fIsmb.conf\fR file for the service and the client
488 has supplied a password, and that password matches (according to
489 the UNIX system's password checking) with one of the usernames
490 from the "user=" field then the connection is made as
491 the username in the "user=" line. If one
492 of the username in the "user=" list begins with a
493 \&'@' then that name expands to a list of names in
494 the group of the same name.
496 If the service is a guest service then a
497 connection is made as the username given in the "guest
498 account =" for the service, irrespective of the
500 .SH "COMPLETE LIST OF GLOBAL PARAMETERS"
502 Here is a list of all global parameters. See the section of
503 each parameter for details. Note that some are synonyms.
506 \fIadd printer command\fR
509 \fIadd share command\fR
512 \fIadd user script\fR
515 \fIallow trusted domains\fR
521 \fIannounce version\fR
527 \fIbind interfaces only\fR
533 \fIchange notify timeout\fR
536 \fIchange share command\fR
542 \fIclient code page\fR
545 \fIcode page directory\fR
557 \fIdebug hires timestamp\fR
563 \fIdebug timestamp\fR
575 \fIdefault service\fR
578 \fIdelete printer command\fR
581 \fIdelete share command\fR
584 \fIdelete user script\fR
593 \fIdomain admin group\fR
596 \fIdomain guest group\fR
605 \fIencrypt passwords\fR
608 \fIenhanced browsing\fR
611 \fIenumports command\fR
617 \fIhide local users\fR
680 \fImachine password timeout\fR
704 \fImax smbd processes\fR
716 \fImessage command\fR
719 \fImin passwd length\fR
722 \fImin password length\fR
731 \fIname resolve order\fR
734 \fInetbios aliases\fR
749 \fInt pipe support\fR
758 \fIobey pam restrictions\fR
761 \fIoplock break wait time\fR
770 \fIpam password change\fR
779 \fIpasswd chat debug\fR
788 \fIpassword server\fR
791 \fIprefered master\fR
794 \fIpreferred master\fR
806 \fIprinter driver file\fR
821 \fIremote announce\fR
824 \fIremote browse sync\fR
827 \fIrestrict anonymous\fR
845 \fIshow add printer wizard\fR
848 \fIsmb passwd file\fR
857 \fIsource environment\fR
866 \fIssl CA certFile\fR
872 \fIssl client cert\fR
878 \fIssl compatibility\fR
884 \fIssl hosts resign\fR
887 \fIssl require clientcert\fR
890 \fIssl require servercert\fR
893 \fIssl server cert\fR
905 \fIstat cache size\fR
917 \fItemplate homedir\fR
932 \fItotal print jobs\fR
935 \fIunix password sync\fR
938 \fIupdate encrypted\fR
956 \fIwinbind cache time\fR
962 \fIwinbind separator\fR
984 .SH "COMPLETE LIST OF SERVICE PARAMETERS"
986 Here is a list of all service parameters. See the section on
987 each parameter for details. Note that some are synonyms.
1008 \fIcase sensitive\fR
1029 \fIdelete readonly\fR
1032 \fIdelete veto files\fR
1041 \fIdirectory mask\fR
1044 \fIdirectory mode\fR
1047 \fIdirectory security mask\fR
1056 \fIdos filetime resolution\fR
1065 \fIfake directory create times\fR
1071 \fIfollow symlinks\fR
1074 \fIforce create mode\fR
1077 \fIforce directory mode\fR
1080 \fIforce directory security mode\fR
1086 \fIforce security mode\fR
1107 \fIhide dot files\fR
1122 \fIinherit permissions\fR
1128 \fIlevel2 oplocks\fR
1134 \fIlppause command\fR
1140 \fIlpresume command\fR
1173 \fImax connections\fR
1176 \fImax print jobs\fR
1179 \fImin print space\fR
1191 \fIoplock contention limit\fR
1233 \fIprinter driver\fR
1236 \fIprinter driver location\fR
1248 \fIqueuepause command\fR
1251 \fIqueueresume command\fR
1266 \fIroot preexec close\fR
1278 \fIshort preserve case\fR
1284 \fIstrict locking\fR
1311 \fIveto oplock files\fR
1329 \fIwrite cache size\fR
1339 .SH "EXPLANATION OF EACH PARAMETER"
1341 \fBadd printer command (G)\fR
1342 With the introduction of MS-RPC based printing
1343 support for Windows NT/2000 clients in Samba 2.2, The MS Add
1344 Printer Wizard (APW) icon is now also available in the
1345 "Printers..." folder displayed a share listing. The APW
1346 allows for printers to be add remotely to a Samba or Windows
1347 NT/2000 print server.
1349 For a Samba host this means that the printer must be
1350 physically added to underlying printing system. The \fIadd
1351 printer command\fR defines a script to be run which
1352 will perform the necessary operations for adding the printer
1353 to the print system and to add the appropriate service definition
1354 to the \fIsmb.conf\fR file in order that it can be
1355 shared by \fBsmbd(8)\fR
1358 The \fIadd printer command\fR is
1359 automatically invoked with the following parameter (in
1379 \fIWindows 9x driver location\fR
1382 All parameters are filled in from the PRINTER_INFO_2 structure sent
1383 by the Windows NT/2000 client with one exception. The "Windows 9x
1384 driver location" parameter is included for backwards compatibility
1385 only. The remaining fields in the structure are generated from answers
1386 to the APW questions.
1389 Once the \fIadd printer command\fR has
1390 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to determine if the share defined by the APW
1391 exists. If the sharename is still invalid, then \fBsmbd
1392 \fRwill return an ACCESS_DENIED error to the client.
1395 See also \fI delete printer command\fR, \fIprinting\fR,
1403 Example: \fBaddprinter command = /usr/bin/addprinter
1406 \fBadd share command (G)\fR
1407 Samba 2.2.0 introduced the ability to dynamically
1408 add and delete shares via the Windows NT 4.0 Server Manager. The
1409 \fIadd share command\fR is used to define an
1410 external program or script which will add a new service definition
1411 to \fIsmb.conf\fR. In order to successfully
1412 execute the \fIadd share command\fR, \fBsmbd\fR
1413 requires that the administrator be connected using a root account (i.e.
1416 When executed, \fBsmbd\fR will automatically invoke the
1417 \fIadd share command\fR with four parameters.
1421 \fIconfigFile\fR - the location
1422 of the global \fIsmb.conf\fR file.
1425 \fIshareName\fR - the name of the new
1429 \fIpathName\fR - path to an **existing**
1433 \fIcomment\fR - comment string to associate
1437 This parameter is only used for add file shares. To add printer shares,
1438 see the \fIadd printer
1442 See also \fIchange share
1443 command\fR, \fIdelete share
1450 Example: \fBadd share command = /usr/local/bin/addshare\fR
1453 \fBadd user script (G)\fR
1454 This is the full pathname to a script that will
1455 be run \fBAS ROOT\fR by smbd(8)
1456 under special circumstances described below.
1458 Normally, a Samba server requires that UNIX users are
1459 created for all users accessing files on this server. For sites
1460 that use Windows NT account databases as their primary user database
1461 creating these users and keeping the user list in sync with the
1462 Windows NT PDC is an onerous task. This option allows smbdto create the required UNIX users
1463 \fBON DEMAND\fR when a user accesses the Samba server.
1465 In order to use this option, smbdmust be set to \fIsecurity=server\fR or \fI security=domain\fR and \fIadd user script\fR
1466 must be set to a full pathname for a script that will create a UNIX
1467 user given one argument of \fI%u\fR, which expands into
1468 the UNIX user name to create.
1470 When the Windows user attempts to access the Samba server,
1471 at login (session setup in the SMB protocol) time, smbdcontacts the \fIpassword server\fR and
1472 attempts to authenticate the given user with the given password. If the
1473 authentication succeeds then \fBsmbd\fR
1474 attempts to find a UNIX user in the UNIX password database to map the
1475 Windows user into. If this lookup fails, and \fIadd user script
1476 \fRis set then \fBsmbd\fR will
1477 call the specified script \fBAS ROOT\fR, expanding
1478 any \fI%u\fR argument to be the user name to create.
1480 If this script successfully creates the user then \fBsmbd
1481 \fRwill continue on as though the UNIX user
1482 already existed. In this way, UNIX users are dynamically created to
1483 match existing Windows NT accounts.
1485 See also \fI security\fR, \fIpassword server\fR,
1489 Default: \fBadd user script = <empty string>
1491 Example: \fBadd user script = /usr/local/samba/bin/add_user
1494 \fBadmin users (S)\fR
1495 This is a list of users who will be granted
1496 administrative privileges on the share. This means that they
1497 will do all file operations as the super-user (root).
1499 You should use this option very carefully, as any user in
1500 this list will be able to do anything they like on the share,
1501 irrespective of file permissions.
1503 Default: \fBno admin users\fR
1505 Example: \fBadmin users = jason\fR
1507 \fBallow hosts (S)\fR
1508 Synonym for \fIhosts allow\fR.
1510 \fBallow trusted domains (G)\fR
1511 This option only takes effect when the \fIsecurity\fR option is set to
1513 If it is set to no, then attempts to connect to a resource from
1514 a domain or workgroup other than the one which smbd is running
1515 in will fail, even if that domain is trusted by the remote server
1516 doing the authentication.
1518 This is useful if you only want your Samba server to
1519 serve resources to users in the domain it is a member of. As
1520 an example, suppose that there are two domains DOMA and DOMB. DOMB
1521 is trusted by DOMA, which contains the Samba server. Under normal
1522 circumstances, a user with an account in DOMB can then access the
1523 resources of a UNIX account with the same account name on the
1524 Samba server even if they do not have an account in DOMA. This
1525 can make implementing a security boundary difficult.
1527 Default: \fBallow trusted domains = yes\fR
1529 \fBannounce as (G)\fR
1530 This specifies what type of server
1531 \fBnmbd\fRwill announce itself as, to a network neighborhood browse
1532 list. By default this is set to Windows NT. The valid options
1533 are : "NT Server" (which can also be written as "NT"),
1534 "NT Workstation", "Win95" or "WfW" meaning Windows NT Server,
1535 Windows NT Workstation, Windows 95 and Windows for Workgroups
1536 respectively. Do not change this parameter unless you have a
1537 specific need to stop Samba appearing as an NT server as this
1538 may prevent Samba servers from participating as browser servers
1541 Default: \fBannounce as = NT Server\fR
1543 Example: \fBannounce as = Win95\fR
1545 \fBannouce version (G)\fR
1546 This specifies the major and minor version numbers
1547 that nmbd will use when announcing itself as a server. The default
1548 is 4.2. Do not change this parameter unless you have a specific
1549 need to set a Samba server to be a downlevel server.
1551 Default: \fBannounce version = 4.2\fR
1553 Example: \fBannounce version = 2.0\fR
1555 \fBauto services (G)\fR
1556 This is a synonym for the \fIpreload\fR.
1559 This parameter lets you "turn off" a service. If
1560 \fIavailable = no\fR, then \fBALL\fR
1561 attempts to connect to the service will fail. Such failures are
1564 Default: \fBavailable = yes\fR
1566 \fBbind interfaces only (G)\fR
1567 This global parameter allows the Samba admin
1568 to limit what interfaces on a machine will serve smb requests. If
1569 affects file service smbd(8)and
1570 name service nmbd(8)in slightly
1573 For name service it causes \fBnmbd\fR to bind
1574 to ports 137 and 138 on the interfaces listed in the interfaces parameter. \fBnmbd
1575 \fRalso binds to the "all addresses" interface (0.0.0.0)
1576 on ports 137 and 138 for the purposes of reading broadcast messages.
1577 If this option is not set then \fBnmbd\fR will service
1578 name requests on all of these sockets. If \fIbind interfaces
1579 only\fR is set then \fBnmbd\fR will check the
1580 source address of any packets coming in on the broadcast sockets
1581 and discard any that don't match the broadcast addresses of the
1582 interfaces in the \fIinterfaces\fR parameter list.
1583 As unicast packets are received on the other sockets it allows
1584 \fBnmbd\fR to refuse to serve names to machines that
1585 send packets that arrive through any interfaces not listed in the
1586 \fIinterfaces\fR list. IP Source address spoofing
1587 does defeat this simple check, however so it must not be used
1588 seriously as a security feature for \fBnmbd\fR.
1590 For file service it causes smbd(8)to bind only to the interface list given in the interfaces parameter. This restricts the networks that
1591 \fBsmbd\fR will serve to packets coming in those
1592 interfaces. Note that you should not use this parameter for machines
1593 that are serving PPP or other intermittent or non-broadcast network
1594 interfaces as it will not cope with non-permanent interfaces.
1596 If \fIbind interfaces only\fR is set then
1597 unless the network address \fB127.0.0.1\fR is added
1598 to the \fIinterfaces\fR parameter list \fBsmbpasswd(8)\fRand \fBswat(8)\fRmay
1599 not work as expected due to the reasons covered below.
1601 To change a users SMB password, the \fBsmbpasswd\fR
1602 by default connects to the \fBlocalhost - 127.0.0.1\fR
1603 address as an SMB client to issue the password change request. If
1604 \fIbind interfaces only\fR is set then unless the
1605 network address \fB127.0.0.1\fR is added to the
1606 \fIinterfaces\fR parameter list then \fB smbpasswd\fR will fail to connect in it's default mode.
1607 \fBsmbpasswd\fR can be forced to use the primary IP interface
1608 of the local host by using its \fI-r remote machine\fR
1609 parameter, with \fIremote machine\fR set
1610 to the IP name of the primary interface of the local host.
1612 The \fBswat\fR status page tries to connect with
1613 \fBsmbd\fR and \fBnmbd\fR at the address
1614 \fB127.0.0.1\fR to determine if they are running.
1615 Not adding \fB127.0.0.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show
1616 "not running" even if they really are. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR
1619 Default: \fBbind interfaces only = no\fR
1621 \fBblocking locks (S)\fR
1622 This parameter controls the behavior of smbd(8)when given a request by a client
1623 to obtain a byte range lock on a region of an open file, and the
1624 request has a time limit associated with it.
1626 If this parameter is set and the lock range requested
1627 cannot be immediately satisfied, Samba 2.2 will internally
1628 queue the lock request, and periodically attempt to obtain
1629 the lock until the timeout period expires.
1631 If this parameter is set to False, then
1632 Samba 2.2 will behave as previous versions of Samba would and
1633 will fail the lock request immediately if the lock range
1636 Default: \fBblocking locks = yes\fR
1639 See the \fI browseable\fR.
1641 \fBbrowse list (G)\fR
1642 This controls whether \fBsmbd(8)\fRwill serve a browse list to
1643 a client doing a \fBNetServerEnum\fR call. Normally
1644 set to true. You should never need to change
1647 Default: \fBbrowse list = yes\fR
1649 \fBbrowseable (S)\fR
1650 This controls whether this share is seen in
1651 the list of available shares in a net view and in the browse list.
1653 Default: \fBbrowseable = yes\fR
1655 \fBcase sensitive (S)\fR
1656 See the discussion in the section NAME MANGLING.
1658 Default: \fBcase sensitive = no\fR
1660 \fBcasesignames (S)\fR
1664 \fBchange notify timeout (G)\fR
1665 This SMB allows a client to tell a server to
1666 "watch" a particular directory for any changes and only reply to
1667 the SMB request when a change has occurred. Such constant scanning of
1668 a directory is expensive under UNIX, hence an \fBsmbd(8)\fRdaemon only performs such a scan
1669 on each requested directory once every \fIchange notify
1672 Default: \fBchange notify timeout = 60\fR
1674 Example: \fBchange notify timeout = 300\fR
1676 Would change the scan time to every 5 minutes.
1678 \fBchange share command (G)\fR
1679 Samba 2.2.0 introduced the ability to dynamically
1680 add and delete shares via the Windows NT 4.0 Server Manager. The
1681 \fIchange share command\fR is used to define an
1682 external program or script which will modify an existing service definition
1683 in \fIsmb.conf\fR. In order to successfully
1684 execute the \fIchange share command\fR, \fBsmbd\fR
1685 requires that the administrator be connected using a root account (i.e.
1688 When executed, \fBsmbd\fR will automatically invoke the
1689 \fIchange share command\fR with four parameters.
1693 \fIconfigFile\fR - the location
1694 of the global \fIsmb.conf\fR file.
1697 \fIshareName\fR - the name of the new
1701 \fIpathName\fR - path to an **existing**
1705 \fIcomment\fR - comment string to associate
1709 This parameter is only used modify existing file shares definitions. To modify
1710 printer shares, use the "Printers..." folder as seen when browsing the Samba host.
1713 See also \fIadd share
1714 command\fR, \fIdelete
1721 Example: \fBchange share command = /usr/local/bin/addshare\fR
1724 \fBcharacter set (G)\fR
1725 This allows a smbd to map incoming filenames
1726 from a DOS Code page (see the client
1727 code page parameter) to several built in UNIX character sets.
1728 The built in code page translations are:
1732 ISO8859-1 : Western European
1733 UNIX character set. The parameter \fIclient code page\fR
1734 \fBMUST\fR be set to code page 850 if the
1735 \fIcharacter set\fR parameter is set to
1736 ISO8859-1 in order for the conversion to the
1737 UNIX character set to be done correctly.
1740 ISO8859-2 : Eastern European
1741 UNIX character set. The parameter \fIclient code page
1742 \fR\fBMUST\fR be set to code page 852 if
1743 the \fI character set\fR parameter is set
1744 to ISO8859-2 in order for the conversion
1745 to the UNIX character set to be done correctly.
1748 ISO8859-5 : Russian Cyrillic
1749 UNIX character set. The parameter \fIclient code page
1750 \fR\fBMUST\fR be set to code page
1751 866 if the \fIcharacter set \fR parameter is
1752 set to ISO8859-5 in order for the conversion
1753 to the UNIX character set to be done correctly.
1756 ISO8859-7 : Greek UNIX
1757 character set. The parameter \fIclient code page
1758 \fR\fBMUST\fR be set to code page
1759 737 if the \fIcharacter set\fR parameter is
1760 set to ISO8859-7 in order for the conversion
1761 to the UNIX character set to be done correctly.
1764 KOI8-R : Alternate mapping
1765 for Russian Cyrillic UNIX character set. The parameter
1766 \fIclient code page\fR \fBMUST\fR
1767 be set to code page 866 if the \fIcharacter set\fR
1768 parameter is set to KOI8-R in order for the
1769 conversion to the UNIX character set to be done correctly.
1772 \fBBUG\fR. These MSDOS code page to UNIX character
1773 set mappings should be dynamic, like the loading of MS DOS code pages,
1777 Normally this parameter is not set, meaning no filename
1778 translation is done.
1781 Default: \fBcharacter set = <empty string>\fR
1784 Example: \fBcharacter set = ISO8859-1\fR
1787 \fBclient code page (G)\fR
1788 This parameter specifies the DOS code page
1789 that the clients accessing Samba are using. To determine what code
1790 page a Windows or DOS client is using, open a DOS command prompt
1791 and type the command \fBchcp\fR. This will output
1792 the code page. The default for USA MS-DOS, Windows 95, and
1793 Windows NT releases is code page 437. The default for western
1794 European releases of the above operating systems is code page 850.
1796 This parameter tells smbd(8)which of the \fIcodepage.XXX
1797 \fRfiles to dynamically load on startup. These files,
1798 described more fully in the manual page \fBmake_smbcodepage(1)\fR, tell \fB smbd\fR how to map lower to upper case characters to provide
1799 the case insensitivity of filenames that Windows clients expect.
1801 Samba currently ships with the following code page files :
1805 Code Page 437 - MS-DOS Latin US
1808 Code Page 737 - Windows '95 Greek
1811 Code Page 850 - MS-DOS Latin 1
1814 Code Page 852 - MS-DOS Latin 2
1817 Code Page 861 - MS-DOS Icelandic
1820 Code Page 866 - MS-DOS Cyrillic
1823 Code Page 932 - MS-DOS Japanese SJIS
1826 Code Page 936 - MS-DOS Simplified Chinese
1829 Code Page 949 - MS-DOS Korean Hangul
1832 Code Page 950 - MS-DOS Traditional Chinese
1835 Thus this parameter may have any of the values 437, 737, 850, 852,
1836 861, 932, 936, 949, or 950. If you don't find the codepage you need,
1837 read the comments in one of the other codepage files and the
1838 \fBmake_smbcodepage(1)\fR man page and write one. Please
1839 remember to donate it back to the Samba user community.
1842 This parameter co-operates with the \fIvalid
1843 chars\fR parameter in determining what characters are
1844 valid in filenames and how capitalization is done. If you set both
1845 this parameter and the \fIvalid chars\fR parameter
1846 the \fIclient code page\fR parameter
1847 \fBMUST\fR be set before the \fIvalid
1848 chars\fR parameter in the \fIsmb.conf\fR
1849 file. The \fIvalid chars\fR string will then
1850 augment the character settings in the \fIclient code page\fR
1854 If not set, \fIclient code page\fR defaults
1859 chars\fR, \fIcode page directory\fR
1862 Default: \fBclient code page = 850\fR
1865 Example: \fBclient code page = 936\fR
1868 \fBcode page directory (G)\fR
1869 Define the location of the various client code page
1875 Default: \fBcode page directory = ${prefix}/lib/codepages
1877 Example: \fBcode page directory = /usr/share/samba/codepages
1879 \fBcodingsystem (G)\fR
1880 This parameter is used to determine how incoming
1881 Shift-JIS Japanese characters are mapped from the incoming \fIclient code page\fR
1882 used by the client, into file names in the UNIX filesystem.
1883 Only useful if \fIclient code page\fR is set to
1884 932 (Japanese Shift-JIS). The options are :
1888 SJIS - Shift-JIS. Does no
1889 conversion of the incoming filename.
1892 JIS8, J8BB, J8BH, J8@B,
1893 J8@J, J8@H - Convert from incoming Shift-JIS to eight
1894 bit JIS code with different shift-in, shift out codes.
1897 JIS7, J7BB, J7BH, J7@B, J7@J,
1898 J7@H - Convert from incoming Shift-JIS to seven bit
1899 JIS code with different shift-in, shift out codes.
1902 JUNET, JUBB, JUBH, JU@B, JU@J, JU@H
1903 - Convert from incoming Shift-JIS to JUNET code with different shift-in,
1907 EUC - Convert an incoming
1908 Shift-JIS character to EUC code.
1911 HEX - Convert an incoming
1912 Shift-JIS character to a 3 byte hex representation, i.e.
1916 CAP - Convert an incoming
1917 Shift-JIS character to the 3 byte hex representation used by
1918 the Columbia AppleTalk Program (CAP), i.e. :AB.
1919 This is used for compatibility between Samba and CAP.
1922 Default: \fBcoding system = <empty value>\fR
1926 This is a text field that is seen next to a share
1927 when a client does a queries the server, either via the network
1928 neighborhood or via \fBnet view\fR to list what shares
1931 If you want to set the string that is displayed next to the
1932 machine name then see the \fI server string\fR parameter.
1934 Default: \fBNo comment string\fR
1936 Example: \fBcomment = Fred's Files\fR
1938 \fBconfig file (G)\fR
1939 This allows you to override the config file
1940 to use, instead of the default (usually \fIsmb.conf\fR).
1941 There is a chicken and egg problem here as this option is set
1944 For this reason, if the name of the config file has changed
1945 when the parameters are loaded then it will reload them from
1946 the new config file.
1948 This option takes the usual substitutions, which can
1951 If the config file doesn't exist then it won't be loaded
1952 (allowing you to special case the config files of just a few
1955 Example: \fBconfig file = /usr/local/samba/lib/smb.conf.%m
1958 This parameter allows you to "clone" service
1959 entries. The specified service is simply duplicated under the
1960 current service's name. Any parameters specified in the current
1961 section will override those in the section being copied.
1963 This feature lets you set up a 'template' service and
1964 create similar services easily. Note that the service being
1965 copied must occur earlier in the configuration file than the
1966 service doing the copying.
1968 Default: \fBno value\fR
1970 Example: \fBcopy = otherservice\fR
1972 \fBcreate mask (S)\fR
1973 A synonym for this parameter is
1977 When a file is created, the necessary permissions are
1978 calculated according to the mapping from DOS modes to UNIX
1979 permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
1980 with this parameter. This parameter may be thought of as a bit-wise
1981 MASK for the UNIX modes of a file. Any bit \fBnot\fR
1982 set here will be removed from the modes set on a file when it is
1985 The default value of this parameter removes the
1986 \&'group' and 'other' write and execute bits from the UNIX modes.
1988 Following this Samba will bit-wise 'OR' the UNIX mode created
1989 from this parameter with the value of the \fIforce create mode\fR
1990 parameter which is set to 000 by default.
1992 This parameter does not affect directory modes. See the
1993 parameter \fIdirectory mode
1996 See also the \fIforce
1997 create mode\fR parameter for forcing particular mode
1998 bits to be set on created files. See also the \fIdirectory mode"\fR parameter for masking
1999 mode bits on created directories. See also the \fIinherit permissions\fR parameter.
2001 Note that this parameter does not apply to permissions
2002 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2003 a mask on access control lists also, they need to set the \fIsecurity mask\fR.
2005 Default: \fBcreate mask = 0744\fR
2007 Example: \fBcreate mask = 0775\fR
2009 \fBcreate mode (S)\fR
2010 This is a synonym for \fI create mask\fR.
2013 The value of the parameter (a decimal integer)
2014 represents the number of minutes of inactivity before a connection
2015 is considered dead, and it is disconnected. The deadtime only takes
2016 effect if the number of open files is zero.
2018 This is useful to stop a server's resources being
2019 exhausted by a large number of inactive connections.
2021 Most clients have an auto-reconnect feature when a
2022 connection is broken so in most cases this parameter should be
2023 transparent to users.
2025 Using this parameter with a timeout of a few minutes
2026 is recommended for most systems.
2028 A deadtime of zero indicates that no auto-disconnection
2029 should be performed.
2031 Default: \fBdeadtime = 0\fR
2033 Example: \fBdeadtime = 15\fR
2035 \fBdebug hires timestamp (G)\fR
2036 Sometimes the timestamps in the log messages
2037 are needed with a resolution of higher that seconds, this
2038 boolean parameter adds microsecond resolution to the timestamp
2039 message header when turned on.
2041 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2044 Default: \fBdebug hires timestamp = no\fR
2047 When using only one log file for more then one
2048 forked smbd-process there may be hard to follow which process
2049 outputs which message. This boolean parameter is adds the process-id
2050 to the timestamp message headers in the logfile when turned on.
2052 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2055 Default: \fBdebug pid = no\fR
2057 \fBdebug timestamp (G)\fR
2058 Samba 2.2 debug log messages are timestamped
2059 by default. If you are running at a high \fIdebug level\fR these timestamps
2060 can be distracting. This boolean parameter allows timestamping
2063 Default: \fBdebug timestamp = yes\fR
2066 Samba is sometimes run as root and sometime
2067 run as the connected user, this boolean parameter inserts the
2068 current euid, egid, uid and gid to the timestamp message headers
2069 in the log file if turned on.
2071 Note that the parameter \fI debug timestamp\fR must be on for this to have an
2074 Default: \fBdebug uid = no\fR
2076 \fBdebuglevel (G)\fR
2077 Synonym for \fI log level\fR.
2080 A synonym for \fI default service\fR.
2082 \fBdefault case (S)\fR
2083 See the section on NAME MANGLING. Also note the \fIshort preserve case"\fR parameter.
2085 Default: \fBdefault case = lower\fR
2087 \fBdefault service (G)\fR
2088 This parameter specifies the name of a service
2089 which will be connected to if the service actually requested cannot
2090 be found. Note that the square brackets are \fBNOT\fR
2091 given in the parameter value (see example below).
2093 There is no default value for this parameter. If this
2094 parameter is not given, attempting to connect to a nonexistent
2095 service results in an error.
2097 Typically the default service would be a \fIguest ok\fR, \fIread-only\fR service.
2099 Also note that the apparent service name will be changed
2100 to equal that of the requested service, this is very useful as it
2101 allows you to use macros like \fI%S\fR to make
2104 Note also that any "_" characters in the name of the service
2105 used in the default service will get mapped to a "/". This allows for
2113 default service = pub
2121 \fBdelete printer command (G)\fR
2122 With the introduction of MS-RPC based printer
2123 support for Windows NT/2000 clients in Samba 2.2, it is now
2124 possible to delete printer at run time by issuing the
2125 DeletePrinter() RPC call.
2127 For a Samba host this means that the printer must be
2128 physically deleted from underlying printing system. The \fI deleteprinter command\fR defines a script to be run which
2129 will perform the necessary operations for removing the printer
2130 from the print system and from \fIsmb.conf\fR.
2132 The \fIdelete printer command\fR is
2133 automatically called with only one parameter: \fI "printer name"\fR.
2135 Once the \fIdelete printer command\fR has
2136 been executed, \fBsmbd\fR will reparse the \fI smb.conf\fR to associated printer no longer exists.
2137 If the sharename is still valid, then \fBsmbd
2138 \fRwill return an ACCESS_DENIED error to the client.
2140 See also \fI add printer command\fR, \fIprinting\fR,
2146 Example: \fBdeleteprinter command = /usr/bin/removeprinter
2148 \fBdelete readonly (S)\fR
2149 This parameter allows readonly files to be deleted.
2150 This is not normal DOS semantics, but is allowed by UNIX.
2152 This option may be useful for running applications such
2153 as rcs, where UNIX file ownership prevents changing file
2154 permissions, and DOS semantics prevent deletion of a read only file.
2156 Default: \fBdelete readonly = no\fR
2158 \fBdelete share command (G)\fR
2159 Samba 2.2.0 introduced the ability to dynamically
2160 add and delete shares via the Windows NT 4.0 Server Manager. The
2161 \fIdelete share command\fR is used to define an
2162 external program or script which will remove an existing service
2163 definition from \fIsmb.conf\fR. In order to successfully
2164 execute the \fIdelete share command\fR, \fBsmbd\fR
2165 requires that the administrator be connected using a root account (i.e.
2168 When executed, \fBsmbd\fR will automatically invoke the
2169 \fIdelete share command\fR with two parameters.
2173 \fIconfigFile\fR - the location
2174 of the global \fIsmb.conf\fR file.
2177 \fIshareName\fR - the name of
2178 the existing service.
2181 This parameter is only used to remove file shares. To delete printer shares,
2182 see the \fIdelete printer
2186 See also \fIdelete share
2187 command\fR, \fIchange
2194 Example: \fBdelete share command = /usr/local/bin/delshare\fR
2197 \fBdelete user script (G)\fR
2198 This is the full pathname to a script that will
2199 be run \fBAS ROOT\fR by \fBsmbd(8)\fRunder special circumstances
2202 Normally, a Samba server requires that UNIX users are
2203 created for all users accessing files on this server. For sites
2204 that use Windows NT account databases as their primary user database
2205 creating these users and keeping the user list in sync with the
2206 Windows NT PDC is an onerous task. This option allows \fB smbd\fR to delete the required UNIX users \fBON
2207 DEMAND\fR when a user accesses the Samba server and the
2208 Windows NT user no longer exists.
2210 In order to use this option, \fBsmbd\fR must be
2211 set to \fIsecurity=domain\fR and \fIdelete
2212 user script\fR must be set to a full pathname for a script
2213 that will delete a UNIX user given one argument of \fI%u
2214 \fR, which expands into the UNIX user name to delete.
2215 \fBNOTE\fR that this is different to the \fIadd user script\fR
2216 which will work with the \fIsecurity=server\fR option
2217 as well as \fIsecurity=domain\fR. The reason for this
2218 is only when Samba is a domain member does it get the information
2219 on an attempted user logon that a user no longer exists. In the
2220 \fIsecurity=server\fR mode a missing user
2221 is treated the same as an invalid password logon attempt. Deleting
2222 the user in this circumstance would not be a good idea.
2224 When the Windows user attempts to access the Samba server,
2225 at \fBlogin\fR (session setup in the SMB protocol)
2226 time, \fBsmbd\fR contacts the \fIpassword server\fR and attempts to authenticate
2227 the given user with the given password. If the authentication fails
2228 with the specific Domain error code meaning that the user no longer
2229 exists then \fBsmbd\fR attempts to find a UNIX user in
2230 the UNIX password database that matches the Windows user account. If
2231 this lookup succeeds, and \fIdelete user script\fR is
2232 set then \fBsmbd\fR will all the specified script
2233 \fBAS ROOT\fR, expanding any \fI%u\fR
2234 argument to be the user name to delete.
2236 This script should delete the given UNIX username. In this way,
2237 UNIX users are dynamically deleted to match existing Windows NT
2240 See also security=domain,
2241 \fIpassword server\fR
2242 , \fIadd user script\fR
2245 Default: \fBdelete user script = <empty string>
2247 Example: \fBdelete user script = /usr/local/samba/bin/del_user
2250 \fBdelete veto files (S)\fR
2251 This option is used when Samba is attempting to
2252 delete a directory that contains one or more vetoed directories
2253 (see the \fIveto files\fR
2254 option). If this option is set to False (the default) then if a vetoed
2255 directory contains any non-vetoed files or directories then the
2256 directory delete will fail. This is usually what you want.
2258 If this option is set to True, then Samba
2259 will attempt to recursively delete any files and directories within
2260 the vetoed directory. This can be useful for integration with file
2261 serving systems such as NetAtalk which create meta-files within
2262 directories you might normally veto DOS/Windows users from seeing
2263 (e.g. \fI.AppleDouble\fR)
2265 Setting \fBdelete veto files = yes\fR allows these
2266 directories to be transparently deleted when the parent directory
2267 is deleted (so long as the user has permissions to do so).
2269 See also the \fIveto
2272 Default: \fBdelete veto files = no\fR
2274 \fBdeny hosts (S)\fR
2275 Synonym for \fIhosts
2278 \fBdfree command (G)\fR
2279 The \fIdfree command\fR setting should
2280 only be used on systems where a problem occurs with the internal
2281 disk space calculations. This has been known to happen with Ultrix,
2282 but may occur with other operating systems. The symptom that was
2283 seen was an error of "Abort Retry Ignore" at the end of each
2286 This setting allows the replacement of the internal routines to
2287 calculate the total disk space and amount available with an external
2288 routine. The example below gives a possible script that might fulfill
2291 The external program will be passed a single parameter indicating
2292 a directory in the filesystem being queried. This will typically consist
2293 of the string \fI./\fR. The script should return two
2294 integers in ASCII. The first should be the total disk space in blocks,
2295 and the second should be the number of available blocks. An optional
2296 third return value can give the block size in bytes. The default
2297 blocksize is 1024 bytes.
2299 Note: Your script should \fBNOT\fR be setuid or
2300 setgid and should be owned by (and writeable only by) root!
2302 Default: \fBBy default internal routines for
2303 determining the disk capacity and remaining space will be used.
2305 Example: \fBdfree command = /usr/local/samba/bin/dfree
2307 Where the script dfree (which must be made executable) could be:
2313 df $1 | tail -1 | awk '{print $2" "$4}'
2318 or perhaps (on Sys V based systems):
2324 /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
2329 Note that you may have to replace the command names
2330 with full path names on some systems.
2336 \fBdirectory mask (S)\fR
2337 This parameter is the octal modes which are
2338 used when converting DOS modes to UNIX modes when creating UNIX
2341 When a directory is created, the necessary permissions are
2342 calculated according to the mapping from DOS modes to UNIX permissions,
2343 and the resulting UNIX mode is then bit-wise 'AND'ed with this
2344 parameter. This parameter may be thought of as a bit-wise MASK for
2345 the UNIX modes of a directory. Any bit \fBnot\fR set
2346 here will be removed from the modes set on a directory when it is
2349 The default value of this parameter removes the 'group'
2350 and 'other' write bits from the UNIX mode, allowing only the
2351 user who owns the directory to modify it.
2353 Following this Samba will bit-wise 'OR' the UNIX mode
2354 created from this parameter with the value of the \fIforce directory mode
2355 \fRparameter. This parameter is set to 000 by
2356 default (i.e. no extra mode bits are added).
2358 Note that this parameter does not apply to permissions
2359 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2360 a mask on access control lists also, they need to set the \fIdirectory security mask\fR.
2363 directory mode\fR parameter to cause particular mode
2364 bits to always be set on created directories.
2366 See also the \fIcreate mode
2367 \fRparameter for masking mode bits on created files,
2368 and the \fIdirectory
2369 security mask\fR parameter.
2371 Also refer to the \fI inherit permissions\fR parameter.
2373 Default: \fBdirectory mask = 0755\fR
2375 Example: \fBdirectory mask = 0775\fR
2377 \fBdirectory mode (S)\fR
2378 Synonym for \fI directory mask\fR
2380 \fBdirectory security mask (S)\fR
2381 This parameter controls what UNIX permission bits
2382 can be modified when a Windows NT client is manipulating the UNIX
2383 permission on a directory using the native NT security dialog
2386 This parameter is applied as a mask (AND'ed with) to
2387 the changed permission bits, thus preventing any bits not in
2388 this mask from being modified. Essentially, zero bits in this
2389 mask may be treated as a set of bits the user is not allowed
2392 If not set explicitly this parameter is set to 0777
2393 meaning a user is allowed to modify all the user/group/world
2394 permissions on a directory.
2396 \fBNote\fR that users who can access the
2397 Samba server through other means can easily bypass this restriction,
2398 so it is primarily useful for standalone "appliance" systems.
2399 Administrators of most normal systems will probably want to leave
2400 it as the default of 0777.
2402 See also the \fI force directory security mode\fR, \fIsecurity mask\fR,
2403 \fIforce security mode
2406 Default: \fBdirectory security mask = 0777\fR
2408 Example: \fBdirectory security mask = 0700\fR
2411 Specifies that nmbd(8)when acting as a WINS server and finding that a NetBIOS name has not
2412 been registered, should treat the NetBIOS name word-for-word as a DNS
2413 name and do a lookup with the DNS server for that name on behalf of
2414 the name-querying client.
2416 Note that the maximum length for a NetBIOS name is 15
2417 characters, so the DNS name (or DNS alias) can likewise only be
2418 15 characters, maximum.
2420 \fBnmbd\fR spawns a second copy of itself to do the
2421 DNS name lookup requests, as doing a name lookup is a blocking
2424 See also the parameter \fI wins support\fR.
2426 Default: \fBdns proxy = yes\fR
2428 \fBdomain admin group (G)\fR
2429 This parameter is intended as a temporary solution
2430 to enable users to be a member of the "Domain Admins" group when
2431 a Samba host is acting as a PDC. A complete solution will be provided
2432 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2433 Please note that this parameter has a somewhat confusing name. It
2434 accepts a list of usernames and of group names in standard
2435 \fIsmb.conf\fR notation.
2438 guest group\fR, \fIdomain
2441 Default: \fBno domain administrators\fR
2443 Example: \fBdomain admin group = root @wheel\fR
2445 \fBdomain guest group (G)\fR
2446 This parameter is intended as a temporary solution
2447 to enable users to be a member of the "Domain Guests" group when
2448 a Samba host is acting as a PDC. A complete solution will be provided
2449 by a system for mapping Windows NT/2000 groups onto UNIX groups.
2450 Please note that this parameter has a somewhat confusing name. It
2451 accepts a list of usernames and of group names in standard
2452 \fIsmb.conf\fR notation.
2455 admin group\fR, \fIdomain
2458 Default: \fBno domain guests\fR
2460 Example: \fBdomain guest group = nobody @guest\fR
2462 \fBdomain logons (G)\fR
2463 If set to true, the Samba server will serve
2464 Windows 95/98 Domain logons for the \fIworkgroup\fR it is in. Samba 2.2 also
2465 has limited capability to act as a domain controller for Windows
2466 NT 4 Domains. For more details on setting up this feature see
2467 the file DOMAINS.txt in the Samba documentation directory \fIdocs/
2468 \fRshipped with the source code.
2470 Default: \fBdomain logons = no\fR
2472 \fBdomain master (G)\fR
2473 Tell \fB nmbd(8)\fRto enable WAN-wide browse list
2474 collation. Setting this option causes \fBnmbd\fR to
2475 claim a special domain specific NetBIOS name that identifies
2476 it as a domain master browser for its given \fIworkgroup\fR. Local master browsers
2477 in the same \fIworkgroup\fR on broadcast-isolated
2478 subnets will give this \fBnmbd\fR their local browse lists,
2479 and then ask \fBsmbd(8)\fRfor a complete copy of the browse list for the whole wide area
2480 network. Browser clients will then contact their local master browser,
2481 and will receive the domain-wide browse list, instead of just the list
2482 for their broadcast-isolated subnet.
2484 Note that Windows NT Primary Domain Controllers expect to be
2485 able to claim this \fIworkgroup\fR specific special
2486 NetBIOS name that identifies them as domain master browsers for
2487 that \fIworkgroup\fR by default (i.e. there is no
2488 way to prevent a Windows NT PDC from attempting to do this). This
2489 means that if this parameter is set and \fBnmbd\fR claims
2490 the special name for a \fIworkgroup\fR before a Windows
2491 NT PDC is able to do so then cross subnet browsing will behave
2492 strangely and may fail.
2494 If \fBdomain logons = yes\fR
2495 , then the default behavior is to enable the \fIdomain
2496 master\fR parameter. If \fIdomain logons\fR is
2497 not enabled (the default setting), then neither will \fIdomain
2498 master\fR be enabled by default.
2500 Default: \fBdomain master = auto\fR
2502 \fBdont descend (S)\fR
2503 There are certain directories on some systems
2504 (e.g., the \fI/proc\fR tree under Linux) that are either not
2505 of interest to clients or are infinitely deep (recursive). This
2506 parameter allows you to specify a comma-delimited list of directories
2507 that the server should always show as empty.
2509 Note that Samba can be very fussy about the exact format
2510 of the "dont descend" entries. For example you may need \fI ./proc\fR instead of just \fI/proc\fR.
2511 Experimentation is the best policy :-)
2513 Default: \fBnone (i.e., all directories are OK
2516 Example: \fBdont descend = /proc,/dev\fR
2518 \fBdos filemode (S)\fR
2519 The default behavior in Samba is to provide
2520 UNIX-like behavor where only the owner of a file/directory is
2521 able to change the permissions on it. However, this behavior
2522 is often confusing to DOS/Windows users. Enabling this parameter
2523 allows a user who has write access to the file (by whatever
2524 means) to modify the permissions on it. Note that a user
2525 belonging to the group owning the file will not be allowed to
2526 change permissions if the group is only granted read access.
2527 Ownership of the file/directory is not changed, only the permissions
2530 Default: \fBdos filemode = no\fR
2532 \fBdos filetime resolution (S)\fR
2533 Under the DOS and Windows FAT filesystem, the finest
2534 granularity on time resolution is two seconds. Setting this parameter
2535 for a share causes Samba to round the reported time down to the
2536 nearest two second boundary when a query call that requires one second
2537 resolution is made to \fBsmbd(8)\fR
2540 This option is mainly used as a compatibility option for Visual
2541 C++ when used against Samba shares. If oplocks are enabled on a
2542 share, Visual C++ uses two different time reading calls to check if a
2543 file has changed since it was last read. One of these calls uses a
2544 one-second granularity, the other uses a two second granularity. As
2545 the two second call rounds any odd second down, then if the file has a
2546 timestamp of an odd number of seconds then the two timestamps will not
2547 match and Visual C++ will keep reporting the file has changed. Setting
2548 this option causes the two timestamps to match, and Visual C++ is
2551 Default: \fBdos filetime resolution = no\fR
2553 \fBdos filetimes (S)\fR
2554 Under DOS and Windows, if a user can write to a
2555 file they can change the timestamp on it. Under POSIX semantics,
2556 only the owner of the file or root may change the timestamp. By
2557 default, Samba runs with POSIX semantics and refuses to change the
2558 timestamp on a file if the user \fBsmbd\fR is acting
2559 on behalf of is not the file owner. Setting this option to True allows DOS semantics and smbd will change the file
2560 timestamp as DOS requires.
2562 Default: \fBdos filetimes = no\fR
2564 \fBencrypt passwords (G)\fR
2565 This boolean controls whether encrypted passwords
2566 will be negotiated with the client. Note that Windows NT 4.0 SP3 and
2567 above and also Windows 98 will by default expect encrypted passwords
2568 unless a registry entry is changed. To use encrypted passwords in
2569 Samba see the file ENCRYPTION.txt in the Samba documentation
2570 directory \fIdocs/\fR shipped with the source code.
2572 In order for encrypted passwords to work correctly
2573 \fBsmbd(8)\fRmust either
2574 have access to a local \fIsmbpasswd(5)
2575 \fRprogram for information on how to set up
2576 and maintain this file), or set the security=[serve|domain] parameter which
2577 causes \fBsmbd\fR to authenticate against another
2580 Default: \fBencrypt passwords = no\fR
2582 \fBenhanced browsing (G)\fR
2583 This option enables a couple of enhancements to
2584 cross-subnet browse propogation that have been added in Samba
2585 but which are not standard in Microsoft implementations.
2586 \fBThese enhancements are currently only available in
2587 the HEAD Samba CVS tree (not Samba 2.2.x).\fR
2589 The first enhancement to browse propogation consists of a regular
2590 wildcard query to a Samba WINS server for all Domain Master Browsers,
2591 followed by a browse synchronisation with each of the returned
2592 DMBs. The second enhancement consists of a regular randomised browse
2593 synchronisation with all currently known DMBs.
2595 You may wish to disable this option if you have a problem with empty
2596 workgroups not disappearing from browse lists. Due to the restrictions
2597 of the browse protocols these enhancements can cause a empty workgroup
2598 to stay around forever which can be annoying.
2600 In general you should leave this option enabled as it makes
2601 cross-subnet browse propogation much more reliable.
2603 Default: \fBenhanced browsing = yes\fR
2605 \fBenumports command (G)\fR
2606 The concept of a "port" is fairly foreign
2607 to UNIX hosts. Under Windows NT/2000 print servers, a port
2608 is associated with a port monitor and generally takes the form of
2609 a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
2610 (i.e. LPD Port Monitor, etc...). By default, Samba has only one
2611 port defined--"Samba Printer Port". Under
2612 Windows NT/2000, all printers must have a valid port name.
2613 If you wish to have a list of ports displayed (\fBsmbd
2614 \fRdoes not use a port name for anything) other than
2615 the default "Samba Printer Port", you
2616 can define \fIenumports command\fR to point to
2617 a program which should generate a list of ports, one per line,
2618 to standard output. This listing will then be used in response
2619 to the level 1 and 2 EnumPorts() RPC.
2621 Default: \fBno enumports command\fR
2623 Example: \fBenumports command = /usr/bin/listports
2626 This is a synonym for \fIpreexec\fR.
2628 \fBfake directory create times (S)\fR
2629 NTFS and Windows VFAT file systems keep a create
2630 time for all files and directories. This is not the same as the
2631 ctime - status change time - that Unix keeps, so Samba by default
2632 reports the earliest of the various times Unix does keep. Setting
2633 this parameter for a share causes Samba to always report midnight
2634 1-1-1980 as the create time for directories.
2636 This option is mainly used as a compatibility option for
2637 Visual C++ when used against Samba shares. Visual C++ generated
2638 makefiles have the object directory as a dependency for each object
2639 file, and a make rule to create the directory. Also, when NMAKE
2640 compares timestamps it uses the creation time when examining a
2641 directory. Thus the object directory will be created if it does not
2642 exist, but once it does exist it will always have an earlier
2643 timestamp than the object files it contains.
2645 However, Unix time semantics mean that the create time
2646 reported by Samba will be updated whenever a file is created or
2647 or deleted in the directory. NMAKE finds all object files in
2648 the object directory. The timestamp of the last one built is then
2649 compared to the timestamp of the object dircetory. If the
2650 directory's timestamp if newer, then all object files
2651 will be rebuilt. Enabling this option
2652 ensures directories always predate their contents and an NMAKE build
2653 will proceed as expected.
2655 Default: \fBfake directory create times = no\fR
2657 \fBfake oplocks (S)\fR
2658 Oplocks are the way that SMB clients get permission
2659 from a server to locally cache file operations. If a server grants
2660 an oplock (opportunistic lock) then the client is free to assume
2661 that it is the only one accessing the file and it will aggressively
2662 cache file data. With some oplock types the client may even cache
2663 file open/close operations. This can give enormous performance benefits.
2665 When you set \fBfake oplocks = yes\fR, \fBsmbd(8)\fRwill
2666 always grant oplock requests no matter how many clients are using
2669 It is generally much better to use the real \fIoplocks\fR support rather
2670 than this parameter.
2672 If you enable this option on all read-only shares or
2673 shares that you know will only be accessed from one client at a
2674 time such as physically read-only media like CDROMs, you will see
2675 a big performance improvement on many operations. If you enable
2676 this option on shares where multiple clients may be accessing the
2677 files read-write at the same time you can get data corruption. Use
2678 this option carefully!
2680 Default: \fBfake oplocks = no\fR
2682 \fBfollow symlinks (S)\fR
2683 This parameter allows the Samba administrator
2684 to stop \fBsmbd(8)\fRfrom following symbolic links in a particular share. Setting this
2685 parameter to no prevents any file or directory
2686 that is a symbolic link from being followed (the user will get an
2687 error). This option is very useful to stop users from adding a
2688 symbolic link to \fI/etc/passwd\fR in their home
2689 directory for instance. However it will slow filename lookups
2692 This option is enabled (i.e. \fBsmbd\fR will
2693 follow symbolic links) by default.
2695 Default: \fBfollow symlinks = yes\fR
2697 \fBforce create mode (S)\fR
2698 This parameter specifies a set of UNIX mode bit
2699 permissions that will \fBalways\fR be set on a
2700 file created by Samba. This is done by bitwise 'OR'ing these bits onto
2701 the mode bits of a file that is being created or having its
2702 permissions changed. The default for this parameter is (in octal)
2703 000. The modes in this parameter are bitwise 'OR'ed onto the file
2704 mode after the mask set in the \fIcreate mask\fR
2705 parameter is applied.
2707 Note that by default this parameter does not apply to permissions
2708 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2709 this mask on access control lists also, they need to set the \fIrestrict acl with
2712 See also the parameter \fIcreate
2713 mask\fR for details on masking mode bits on files.
2715 See also the \fIinherit
2716 permissions\fR parameter.
2718 Default: \fBforce create mode = 000\fR
2720 Example: \fBforce create mode = 0755\fR
2722 would force all created files to have read and execute
2723 permissions set for 'group' and 'other' as well as the
2724 read/write/execute bits set for the 'user'.
2726 \fBforce directory mode (S)\fR
2727 This parameter specifies a set of UNIX mode bit
2728 permissions that will \fBalways\fR be set on a directory
2729 created by Samba. This is done by bitwise 'OR'ing these bits onto the
2730 mode bits of a directory that is being created. The default for this
2731 parameter is (in octal) 0000 which will not add any extra permission
2732 bits to a created directory. This operation is done after the mode
2733 mask in the parameter \fIdirectory mask\fR is
2736 Note that by default this parameter does not apply to permissions
2737 set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
2738 this mask on access control lists also, they need to set the \fIrestrict acl with
2741 See also the parameter \fI directory mask\fR for details on masking mode bits
2742 on created directories.
2744 See also the \fI inherit permissions\fR parameter.
2746 Default: \fBforce directory mode = 000\fR
2748 Example: \fBforce directory mode = 0755\fR
2750 would force all created directories to have read and execute
2751 permissions set for 'group' and 'other' as well as the
2752 read/write/execute bits set for the 'user'.
2754 \fBforce directory security mode (S)\fR
2755 This parameter controls what UNIX permission bits
2756 can be modified when a Windows NT client is manipulating the UNIX
2757 permission on a directory using the native NT security dialog box.
2759 This parameter is applied as a mask (OR'ed with) to the
2760 changed permission bits, thus forcing any bits in this mask that
2761 the user may have modified to be on. Essentially, one bits in this
2762 mask may be treated as a set of bits that, when modifying security
2763 on a directory, the user has always set to be 'on'.
2765 If not set explicitly this parameter is 000, which
2766 allows a user to modify all the user/group/world permissions on a
2767 directory without restrictions.
2769 \fBNote\fR that users who can access the
2770 Samba server through other means can easily bypass this restriction,
2771 so it is primarily useful for standalone "appliance" systems.
2772 Administrators of most normal systems will probably want to leave
2775 See also the \fI directory security mask\fR, \fIsecurity mask\fR,
2776 \fIforce security mode
2779 Default: \fBforce directory security mode = 0\fR
2781 Example: \fBforce directory security mode = 700\fR
2783 \fBforce group (S)\fR
2784 This specifies a UNIX group name that will be
2785 assigned as the default primary group for all users connecting
2786 to this service. This is useful for sharing files by ensuring
2787 that all access to files on service will use the named group for
2788 their permissions checking. Thus, by assigning permissions for this
2789 group to the files and directories within this service the Samba
2790 administrator can restrict or allow sharing of these files.
2792 In Samba 2.0.5 and above this parameter has extended
2793 functionality in the following way. If the group name listed here
2794 has a '+' character prepended to it then the current user accessing
2795 the share only has the primary group default assigned to this group
2796 if they are already assigned as a member of that group. This allows
2797 an administrator to decide that only users who are already in a
2798 particular group will create files with group ownership set to that
2799 group. This gives a finer granularity of ownership assignment. For
2800 example, the setting \fIforce group = +sys\fR means
2801 that only users who are already in group sys will have their default
2802 primary group assigned to sys when accessing this Samba share. All
2803 other users will retain their ordinary primary group.
2805 If the \fIforce user
2806 \fRparameter is also set the group specified in
2807 \fIforce group\fR will override the primary group
2808 set in \fIforce user\fR.
2813 Default: \fBno forced group\fR
2815 Example: \fBforce group = agroup\fR
2817 \fBforce security mode (S)\fR
2818 This parameter controls what UNIX permission
2819 bits can be modified when a Windows NT client is manipulating
2820 the UNIX permission on a file using the native NT security dialog
2823 This parameter is applied as a mask (OR'ed with) to the
2824 changed permission bits, thus forcing any bits in this mask that
2825 the user may have modified to be on. Essentially, one bits in this
2826 mask may be treated as a set of bits that, when modifying security
2827 on a file, the user has always set to be 'on'.
2829 If not set explicitly this parameter is set to 0,
2830 and allows a user to modify all the user/group/world permissions on a file,
2831 with no restrictions.
2833 \fBNote\fR that users who can access
2834 the Samba server through other means can easily bypass this restriction,
2835 so it is primarily useful for standalone "appliance" systems.
2836 Administrators of most normal systems will probably want to leave
2839 See also the \fI force directory security mode\fR,
2840 \fIdirectory security
2841 mask\fR, \fI security mask\fR parameters.
2843 Default: \fBforce security mode = 0\fR
2845 Example: \fBforce security mode = 700\fR
2847 \fBforce user (S)\fR
2848 This specifies a UNIX user name that will be
2849 assigned as the default user for all users connecting to this service.
2850 This is useful for sharing files. You should also use it carefully
2851 as using it incorrectly can cause security problems.
2853 This user name only gets used once a connection is established.
2854 Thus clients still need to connect as a valid user and supply a
2855 valid password. Once connected, all file operations will be performed
2856 as the "forced user", no matter what username the client connected
2857 as. This can be very useful.
2859 In Samba 2.0.5 and above this parameter also causes the
2860 primary group of the forced user to be used as the primary group
2861 for all file activity. Prior to 2.0.5 the primary group was left
2862 as the primary group of the connecting user (this was a bug).
2864 See also \fIforce group
2866 Default: \fBno forced user\fR
2868 Example: \fBforce user = auser\fR
2871 This parameter allows the administrator to
2872 configure the string that specifies the type of filesystem a share
2873 is using that is reported by \fBsmbd(8)
2874 \fRwhen a client queries the filesystem type
2875 for a share. The default type is NTFS for
2876 compatibility with Windows NT but this can be changed to other
2877 strings such as Samba or FAT
2880 Default: \fBfstype = NTFS\fR
2882 Example: \fBfstype = Samba\fR
2884 \fBgetwd cache (G)\fR
2885 This is a tuning option. When this is enabled a
2886 caching algorithm will be used to reduce the time taken for getwd()
2887 calls. This can have a significant impact on performance, especially
2888 when the \fIwide links\fR
2889 parameter is set to False.
2891 Default: \fBgetwd cache = yes\fR
2894 Synonym for \fIforce
2897 \fBguest account (S)\fR
2898 This is a username which will be used for access
2899 to services which are specified as \fI guest ok\fR (see below). Whatever privileges this
2900 user has will be available to any client connecting to the guest service.
2901 Typically this user will exist in the password file, but will not
2902 have a valid login. The user account "ftp" is often a good choice
2903 for this parameter. If a username is specified in a given service,
2904 the specified username overrides this one.
2906 One some systems the default guest account "nobody" may not
2907 be able to print. Use another account in this case. You should test
2908 this by trying to log in as your guest user (perhaps by using the
2909 \fBsu -\fR command) and trying to print using the
2910 system print command such as \fBlpr(1)\fR or \fB lp(1)\fR.
2912 Default: \fBspecified at compile time, usually
2915 Example: \fBguest account = ftp\fR
2918 If this parameter is yes for
2919 a service, then no password is required to connect to the service.
2920 Privileges will be those of the \fI guest account\fR.
2922 See the section below on \fI security\fR for more information about this option.
2924 Default: \fBguest ok = no\fR
2926 \fBguest only (S)\fR
2927 If this parameter is yes for
2928 a service, then only guest connections to the service are permitted.
2929 This parameter will have no effect if \fIguest ok\fR is not set for the service.
2931 See the section below on \fI security\fR for more information about this option.
2933 Default: \fBguest only = no\fR
2935 \fBhide dot files (S)\fR
2936 This is a boolean parameter that controls whether
2937 files starting with a dot appear as hidden files.
2939 Default: \fBhide dot files = yes\fR
2942 This is a list of files or directories that are not
2943 visible but are accessible. The DOS 'hidden' attribute is applied
2944 to any files or directories that match.
2946 Each entry in the list must be separated by a '/',
2947 which allows spaces to be included in the entry. '*'
2948 and '?' can be used to specify multiple files or directories
2949 as in DOS wildcards.
2951 Each entry must be a Unix path, not a DOS path and must
2952 not include the Unix directory separator '/'.
2954 Note that the case sensitivity option is applicable
2957 Setting this parameter will affect the performance of Samba,
2958 as it will be forced to check all files and directories for a match
2959 as they are scanned.
2962 dot files\fR, \fI veto files\fR and \fIcase sensitive\fR.
2964 Default: \fBno file are hidden\fR
2966 Example: \fBhide files =
2967 /.*/DesktopFolderDB/TrashFor%m/resource.frk/\fR
2969 The above example is based on files that the Macintosh
2970 SMB client (DAVE) available from
2971 Thursby <URL:http://www.thursby.com> creates for internal use, and also still hides
2972 all files beginning with a dot.
2974 \fBhide local users(G)\fR
2975 This parameter toggles the hiding of local UNIX
2976 users (root, wheel, floppy, etc) from remote clients.
2978 Default: \fBhide local users = no\fR
2980 \fBhomedir map (G)\fR
2982 \fRis True, and \fBsmbd(8)\fRis also acting
2983 as a Win95/98 \fIlogon server\fR then this parameter
2984 specifies the NIS (or YP) map from which the server for the user's
2985 home directory should be extracted. At present, only the Sun
2986 auto.home map format is understood. The form of the map is:
2988 \fBusername server:/some/file/system\fR
2990 and the program will extract the servername from before
2991 the first ':'. There should probably be a better parsing system
2992 that copes with different map formats and also Amd (another
2995 \fBNOTE :\fRA working NIS client is required on
2996 the system for this option to work.
2998 See also \fInis homedir\fR
2999 , \fIdomain logons\fR
3002 Default: \fBhomedir map = <empty string>\fR
3004 Example: \fBhomedir map = amd.homedir\fR
3006 \fBhost msdfs (G)\fR
3007 This boolean parameter is only available
3008 if Samba has been configured and compiled with the \fB --with-msdfs\fR option. If set to yes,
3009 Samba will act as a Dfs server, and allow Dfs-aware clients
3010 to browse Dfs trees hosted on the server.
3012 See also the \fI msdfs root\fR share level parameter. For
3013 more information on setting up a Dfs tree on Samba,
3014 refer to msdfs_setup.html.
3016 Default: \fBhost msdfs = no\fR
3018 \fBhosts allow (S)\fR
3019 A synonym for this parameter is \fIallow
3022 This parameter is a comma, space, or tab delimited
3023 set of hosts which are permitted to access a service.
3025 If specified in the [global] section then it will
3026 apply to all services, regardless of whether the individual
3027 service has a different setting.
3029 You can specify the hosts by name or IP number. For
3030 example, you could restrict access to only the hosts on a
3031 Class C subnet with something like \fBallow hosts = 150.203.5.
3032 \fR\&. The full syntax of the list is described in the man
3033 page \fIhosts_access(5)\fR. Note that this man
3034 page may not be present on your system, so a brief description will
3037 Note that the localhost address 127.0.0.1 will always
3038 be allowed access unless specifically denied by a \fIhosts deny\fR option.
3040 You can also specify hosts by network/netmask pairs and
3041 by netgroup names if your system supports netgroups. The
3042 \fBEXCEPT\fR keyword can also be used to limit a
3043 wildcard list. The following examples may provide some help:
3045 Example 1: allow all IPs in 150.203.*.*; except one
3047 \fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR
3049 Example 2: allow hosts that match the given network/netmask
3051 \fBhosts allow = 150.203.15.0/255.255.255.0\fR
3053 Example 3: allow a couple of hosts
3055 \fBhosts allow = lapland, arvidsjaur\fR
3057 Example 4: allow only hosts in NIS netgroup "foonet", but
3058 deny access from one particular host
3060 \fBhosts allow = @foonet\fR
3062 \fBhosts deny = pirate\fR
3064 Note that access still requires suitable user-level passwords.
3066 See \fBtestparm(1)\fR
3067 for a way of testing your host access to see if it does
3070 Default: \fBnone (i.e., all hosts permitted access)
3072 Example: \fBallow hosts = 150.203.5. myhost.mynet.edu.au
3074 \fBhosts deny (S)\fR
3075 The opposite of \fIhosts allow\fR
3076 - hosts listed here are \fBNOT\fR permitted access to
3077 services unless the specific services have their own lists to override
3078 this one. Where the lists conflict, the \fIallow\fR
3079 list takes precedence.
3081 Default: \fBnone (i.e., no hosts specifically excluded)
3083 Example: \fBhosts deny = 150.203.4. badhost.mynet.edu.au
3085 \fBhosts equiv (G)\fR
3086 If this global parameter is a non-null string,
3087 it specifies the name of a file to read for the names of hosts
3088 and users who will be allowed access without specifying a password.
3090 This is not be confused with \fIhosts allow\fR which is about hosts
3091 access to services and is more useful for guest services. \fI hosts equiv\fR may be useful for NT clients which will
3092 not supply passwords to samba.
3094 \fBNOTE :\fR The use of \fIhosts equiv
3095 \fRcan be a major security hole. This is because you are
3096 trusting the PC to supply the correct username. It is very easy to
3097 get a PC to supply a false username. I recommend that the
3098 \fIhosts equiv\fR option be only used if you really
3099 know what you are doing, or perhaps on a home network where you trust
3100 your spouse and kids. And only if you \fBreally\fR trust
3103 Default: \fBno host equivalences\fR
3105 Example: \fBhosts equiv = /etc/hosts.equiv\fR
3108 This allows you to include one config file
3109 inside another. The file is included literally, as though typed
3112 It takes the standard substitutions, except \fI%u
3113 \fR, \fI%P\fR and \fI%S\fR.
3115 Default: \fBno file included\fR
3117 Example: \fBinclude = /usr/local/samba/lib/admin_smb.conf
3119 \fBinherit permissions (S)\fR
3120 The permissions on new files and directories
3121 are normally governed by \fI create mask\fR, \fIdirectory mask\fR, \fIforce create mode\fR
3123 directory mode\fR but the boolean inherit
3124 permissions parameter overrides this.
3126 New directories inherit the mode of the parent directory,
3127 including bits such as setgid.
3129 New files inherit their read/write bits from the parent
3130 directory. Their execute bits continue to be determined by
3133 and \fImap system\fR
3136 Note that the setuid bit is \fBnever\fR set via
3137 inheritance (the code explicitly prohibits this).
3139 This can be particularly useful on large systems with
3140 many users, perhaps several thousand,to allow a single [homes]
3141 share to be used flexibly by each user.
3143 See also \fIcreate mask
3144 \fR, \fI directory mask\fR, \fIforce create mode\fR and \fIforce directory mode\fR
3147 Default: \fBinherit permissions = no\fR
3149 \fBinterfaces (G)\fR
3150 This option allows you to override the default
3151 network interfaces list that Samba will use for browsing, name
3152 registration and other NBT traffic. By default Samba will query
3153 the kernel for the list of all active interfaces and use any
3154 interfaces except 127.0.0.1 that are broadcast capable.
3156 The option takes a list of interface strings. Each string
3157 can be in any of the following forms:
3161 a network interface name (such as eth0).
3162 This may include shell-like wildcards so eth* will match
3163 any interface starting with the substring "eth"
3166 an IP address. In this case the netmask is
3167 determined from the list of interfaces obtained from the
3174 a broadcast/mask pair.
3177 The "mask" parameters can either be a bit length (such
3178 as 24 for a C class network) or a full netmask in dotted
3182 The "IP" parameters above can either be a full dotted
3183 decimal IP address or a hostname which will be looked up via
3184 the OS's normal hostname resolution mechanisms.
3187 For example, the following line:
3190 \fBinterfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
3193 would configure three network interfaces corresponding
3194 to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
3195 The netmasks of the latter two interfaces would be set to 255.255.255.0.
3202 Default: \fBall active interfaces except 127.0.0.1
3203 that are broadcast capable\fR
3206 \fBinvalid users (S)\fR
3207 This is a list of users that should not be allowed
3208 to login to this service. This is really a \fBparanoid\fR
3209 check to absolutely ensure an improper setting does not breach
3212 A name starting with a '@' is interpreted as an NIS
3213 netgroup first (if your system supports NIS), and then as a UNIX
3214 group if the name was not found in the NIS netgroup database.
3216 A name starting with '+' is interpreted only
3217 by looking in the UNIX group database. A name starting with
3218 \&'&' is interpreted only by looking in the NIS netgroup database
3219 (this requires NIS to be working on your system). The characters
3220 \&'+' and '&' may be used at the start of the name in either order
3221 so the value \fI+&group\fR means check the
3222 UNIX group database, followed by the NIS netgroup database, and
3223 the value \fI&+group"\fR means check the NIS
3224 netgroup database, followed by the UNIX group database (the
3225 same as the '@' prefix).
3227 The current servicename is substituted for \fI%S\fR.
3228 This is useful in the [homes] section.
3230 See also \fIvalid users
3233 Default: \fBno invalid users\fR
3235 Example: \fBinvalid users = root fred admin @wheel
3238 The value of the parameter (an integer) represents
3239 the number of seconds between \fIkeepalive\fR
3240 packets. If this parameter is zero, no keepalive packets will be
3241 sent. Keepalive packets, if sent, allow the server to tell whether
3242 a client is still present and responding.
3244 Keepalives should, in general, not be needed if the socket
3245 being used has the SO_KEEPALIVE attribute set on it (see \fIsocket options\fR).
3246 Basically you should only use this option if you strike difficulties.
3248 Default: \fBkeepalive = 300\fR
3250 Example: \fBkeepalive = 600\fR
3252 \fBkernel oplocks (G)\fR
3253 For UNIXes that support kernel based \fIoplocks\fR
3254 (currently only IRIX and the Linux 2.4 kernel), this parameter
3255 allows the use of them to be turned on or off.
3257 Kernel oplocks support allows Samba \fIoplocks
3258 \fRto be broken whenever a local UNIX process or NFS operation
3259 accesses a file that \fBsmbd(8)\fR
3260 has oplocked. This allows complete data consistency between
3261 SMB/CIFS, NFS and local file access (and is a \fBvery\fR
3264 This parameter defaults to on on systems
3265 that have the support, and off on systems that
3266 don't. You should never need to touch this parameter.
3268 See also the \fIoplocks\fR
3269 and \fIlevel2 oplocks
3272 Default: \fBkernel oplocks = yes\fR
3274 \fBlanman auth (G)\fR
3275 This parameter determines whether or not smbd will
3276 attempt to authentication users using the LANMAN password hash.
3277 If disabled, only clients which support NT password hashes (e.g. Windows
3278 NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS
3279 network client) will be able to connect to the Samba host.
3281 Default : \fBlanman auth = yes\fR
3283 \fBlevel2 oplocks (S)\fR
3284 This parameter controls whether Samba supports
3285 level2 (read-only) oplocks on a share.
3287 Level2, or read-only oplocks allow Windows NT clients
3288 that have an oplock on a file to downgrade from a read-write oplock
3289 to a read-only oplock once a second client opens the file (instead
3290 of releasing all oplocks on a second open, as in traditional,
3291 exclusive oplocks). This allows all openers of the file that
3292 support level2 oplocks to cache the file for read-ahead only (ie.
3293 they may not cache writes or lock requests) and increases performance
3294 for many accesses of files that are not commonly written (such as
3295 application .EXE files).
3297 Once one of the clients which have a read-only oplock
3298 writes to the file all clients are notified (no reply is needed
3299 or waited for) and told to break their oplocks to "none" and
3300 delete any read-ahead caches.
3302 It is recommended that this parameter be turned on
3303 to speed access to shared executables.
3305 For more discussions on level2 oplocks see the CIFS spec.
3307 Currently, if \fIkernel
3308 oplocks\fR are supported then level2 oplocks are
3309 not granted (even if this parameter is set to yes).
3310 Note also, the \fIoplocks\fR
3311 parameter must be set to "true" on this share in order for
3312 this parameter to have any effect.
3314 See also the \fIoplocks\fR
3315 and \fIkernel oplocks\fR
3318 Default: \fBlevel2 oplocks = yes\fR
3320 \fBlm announce (G)\fR
3321 This parameter determines if \fBnmbd(8)\fRwill produce Lanman announce
3322 broadcasts that are needed by OS/2 clients in order for them to see
3323 the Samba server in their browse list. This parameter can have three
3324 values, true, false, or
3325 auto. The default is auto.
3326 If set to false Samba will never produce these
3327 broadcasts. If set to true Samba will produce
3328 Lanman announce broadcasts at a frequency set by the parameter
3329 \fIlm interval\fR. If set to auto
3330 Samba will not send Lanman announce broadcasts by default but will
3331 listen for them. If it hears such a broadcast on the wire it will
3332 then start sending them at a frequency set by the parameter
3335 See also \fIlm interval
3338 Default: \fBlm announce = auto\fR
3340 Example: \fBlm announce = yes\fR
3342 \fBlm interval (G)\fR
3343 If Samba is set to produce Lanman announce
3344 broadcasts needed by OS/2 clients (see the \fIlm announce\fR parameter) then this
3345 parameter defines the frequency in seconds with which they will be
3346 made. If this is set to zero then no Lanman announcements will be
3347 made despite the setting of the \fIlm announce\fR
3353 Default: \fBlm interval = 60\fR
3355 Example: \fBlm interval = 120\fR
3357 \fBload printers (G)\fR
3358 A boolean variable that controls whether all
3359 printers in the printcap will be loaded for browsing by default.
3360 See the printers section for
3363 Default: \fBload printers = yes\fR
3365 \fBlocal master (G)\fR
3366 This option allows \fB nmbd(8)\fRto try and become a local master browser
3367 on a subnet. If set to False then \fB nmbd\fR will not attempt to become a local master browser
3368 on a subnet and will also lose in all browsing elections. By
3369 default this value is set to true. Setting this value to true doesn't
3370 mean that Samba will \fBbecome\fR the local master
3371 browser on a subnet, just that \fBnmbd\fR will \fB participate\fR in elections for local master browser.
3373 Setting this value to False will cause \fBnmbd\fR
3374 \fBnever\fR to become a local master browser.
3376 Default: \fBlocal master = yes\fR
3379 Synonym for \fI lock directory\fR.
3381 \fBlock directory (G)\fR
3382 This option specifies the directory where lock
3383 files will be placed. The lock files are used to implement the
3384 \fImax connections\fR
3387 Default: \fBlock directory = ${prefix}/var/locks\fR
3389 Example: \fBlock directory = /var/run/samba/locks\fR
3392 This controls whether or not locking will be
3393 performed by the server in response to lock requests from the
3396 If \fBlocking = no\fR, all lock and unlock
3397 requests will appear to succeed and all lock queries will report
3398 that the file in question is available for locking.
3400 If \fBlocking = yes\fR, real locking will be performed
3403 This option \fBmay\fR be useful for read-only
3404 filesystems which \fBmay\fR not need locking (such as
3405 cdrom drives), although setting this parameter of no
3406 is not really recommended even in this case.
3408 Be careful about disabling locking either globally or in a
3409 specific service, as lack of locking may result in data corruption.
3410 You should never need to set this parameter.
3412 Default: \fBlocking = yes\fR
3415 This option allows you to override the name
3416 of the Samba log file (also known as the debug file).
3418 This option takes the standard substitutions, allowing
3419 you to have separate log files for each user or machine.
3421 Example: \fBlog file = /usr/local/samba/var/log.%m
3424 The value of the parameter (an integer) allows
3425 the debug level (logging level) to be specified in the
3426 \fIsmb.conf\fR file. This is to give greater
3427 flexibility in the configuration of the system.
3429 The default will be the log level specified on
3430 the command line or level zero if none was specified.
3432 Example: \fBlog level = 3\fR
3434 \fBlogon drive (G)\fR
3435 This parameter specifies the local path to
3436 which the home directory will be connected (see \fIlogon home\fR)
3437 and is only used by NT Workstations.
3439 Note that this option is only useful if Samba is set up as a
3442 Default: \fBlogon drive = z:\fR
3444 Example: \fBlogon drive = h:\fR
3446 \fBlogon home (G)\fR
3447 This parameter specifies the home directory
3448 location when a Win95/98 or NT Workstation logs into a Samba PDC.
3451 C:\\> \fBNET USE H: /HOME\fR
3453 from a command prompt, for example.
3455 This option takes the standard substitutions, allowing
3456 you to have separate logon scripts for each user or machine.
3458 This parameter can be used with Win9X workstations to ensure
3459 that roaming profiles are stored in a subdirectory of the user's
3460 home directory. This is done in the following way:
3462 \fBlogon home = \\\\%N\\%U\\profile\fR
3464 This tells Samba to return the above string, with
3465 substitutions made when a client requests the info, generally
3466 in a NetUserGetInfo request. Win9X clients truncate the info to
3467 \\\\server\\share when a user does \fBnet use /home"\fR
3468 but use the whole string when dealing with profiles.
3470 Note that in prior versions of Samba, the \fIlogon path\fR was returned rather than
3471 \fIlogon home\fR. This broke \fBnet use
3472 /home\fR but allowed profiles outside the home directory.
3473 The current implementation is correct, and can be used for
3474 profiles if you use the above trick.
3476 This option is only useful if Samba is set up as a logon
3479 Default: \fBlogon home = "\\\\%N\\%U"\fR
3481 Example: \fBlogon home = "\\\\remote_smb_server\\%U"\fR
3483 \fBlogon path (G)\fR
3484 This parameter specifies the home directory
3485 where roaming profiles (NTuser.dat etc files for Windows NT) are
3486 stored. Contrary to previous versions of these manual pages, it has
3487 nothing to do with Win 9X roaming profiles. To find out how to
3488 handle roaming profiles for Win 9X system, see the \fIlogon home\fR parameter.
3490 This option takes the standard substitutions, allowing you
3491 to have separate logon scripts for each user or machine. It also
3492 specifies the directory from which the "Application Data",
3493 (\fIdesktop\fR, \fIstart menu\fR,
3494 \fInetwork neighborhood\fR, \fIprograms\fR
3495 and other folders, and their contents, are loaded and displayed on
3496 your Windows NT client.
3498 The share and the path must be readable by the user for
3499 the preferences and directories to be loaded onto the Windows NT
3500 client. The share must be writeable when the logs in for the first
3501 time, in order that the Windows NT client can create the NTuser.dat
3502 and other directories.
3504 Thereafter, the directories and any of the contents can,
3505 if required, be made read-only. It is not advisable that the
3506 NTuser.dat file be made read-only - rename it to NTuser.man to
3507 achieve the desired effect (a \fBMAN\fRdatory
3510 Windows clients can sometimes maintain a connection to
3511 the [homes] share, even though there is no user logged in.
3512 Therefore, it is vital that the logon path does not include a
3513 reference to the homes share (i.e. setting this parameter to
3514 \\%N\\%U\\profile_path will cause problems).
3516 This option takes the standard substitutions, allowing
3517 you to have separate logon scripts for each user or machine.
3519 Note that this option is only useful if Samba is set up
3522 Default: \fBlogon path = \\\\%N\\%U\\profile\fR
3524 Example: \fBlogon path = \\\\PROFILESERVER\\PROFILE\\%U\fR
3526 \fBlogon script (G)\fR
3527 This parameter specifies the batch file (.bat) or
3528 NT command file (.cmd) to be downloaded and run on a machine when
3529 a user successfully logs in. The file must contain the DOS
3530 style cr/lf line endings. Using a DOS-style editor to create the
3531 file is recommended.
3533 The script must be a relative path to the [netlogon]
3534 service. If the [netlogon] service specifies a \fIpath\fR of \fI/usr/local/samba/netlogon
3535 \fR, and \fBlogon script = STARTUP.BAT\fR, then
3536 the file that will be downloaded is:
3538 \fI/usr/local/samba/netlogon/STARTUP.BAT\fR
3540 The contents of the batch file is entirely your choice. A
3541 suggested command would be to add \fBNET TIME \\\\SERVER /SET
3542 /YES\fR, to force every machine to synchronize clocks with
3543 the same time server. Another use would be to add \fBNET USE
3544 U: \\\\SERVER\\UTILS\fR for commonly used utilities, or \fB NET USE Q: \\\\SERVER\\ISO9001_QA\fR for example.
3546 Note that it is particularly important not to allow write
3547 access to the [netlogon] share, or to grant users write permission
3548 on the batch files in a secure environment, as this would allow
3549 the batch files to be arbitrarily modified and security to be
3552 This option takes the standard substitutions, allowing you
3553 to have separate logon scripts for each user or machine.
3555 This option is only useful if Samba is set up as a logon
3558 Default: \fBno logon script defined\fR
3560 Example: \fBlogon script = scripts\\%U.bat\fR
3562 \fBlppause command (S)\fR
3563 This parameter specifies the command to be
3564 executed on the server host in order to stop printing or spooling
3565 a specific print job.
3567 This command should be a program or script which takes
3568 a printer name and job number to pause the print job. One way
3569 of implementing this is by using job priorities, where jobs
3570 having a too low priority won't be sent to the printer.
3572 If a \fI%p\fR is given then the printername
3573 is put in its place. A \fI%j\fR is replaced with
3574 the job number (an integer). On HPUX (see \fIprinting=hpux
3575 \fR), if the \fI-p%p\fR option is added
3576 to the lpq command, the job will show up with the correct status, i.e.
3577 if the job priority is lower than the set fence priority it will
3578 have the PAUSED status, whereas if the priority is equal or higher it
3579 will have the SPOOLED or PRINTING status.
3581 Note that it is good practice to include the absolute path
3582 in the lppause command as the PATH may not be available to the server.
3584 See also the \fIprinting
3587 Default: Currently no default value is given to
3588 this string, unless the value of the \fIprinting\fR
3589 parameter is SYSV, in which case the default is :
3591 \fBlp -i %p-%j -H hold\fR
3593 or if the value of the \fIprinting\fR parameter
3594 is SOFTQ, then the default is:
3596 \fBqstat -s -j%j -h\fR
3598 Example for HPUX: \fBlppause command = /usr/bin/lpalt
3601 \fBlpq cache time (G)\fR
3602 This controls how long lpq info will be cached
3603 for to prevent the \fBlpq\fR command being called too
3604 often. A separate cache is kept for each variation of the \fB lpq\fR command used by the system, so if you use different
3605 \fBlpq\fR commands for different users then they won't
3606 share cache information.
3608 The cache files are stored in \fI/tmp/lpq.xxxx\fR
3609 where xxxx is a hash of the \fBlpq\fR command in use.
3611 The default is 10 seconds, meaning that the cached results
3612 of a previous identical \fBlpq\fR command will be used
3613 if the cached data is less than 10 seconds old. A large value may
3614 be advisable if your \fBlpq\fR command is very slow.
3616 A value of 0 will disable caching completely.
3618 See also the \fIprinting
3621 Default: \fBlpq cache time = 10\fR
3623 Example: \fBlpq cache time = 30\fR
3625 \fBlpq command (S)\fR
3626 This parameter specifies the command to be
3627 executed on the server host in order to obtain \fBlpq
3628 \fR-style printer status information.
3630 This command should be a program or script which
3631 takes a printer name as its only parameter and outputs printer
3634 Currently eight styles of printer status information
3635 are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ.
3636 This covers most UNIX systems. You control which type is expected
3637 using the \fIprinting =\fR option.
3639 Some clients (notably Windows for Workgroups) may not
3640 correctly send the connection number for the printer they are
3641 requesting status information about. To get around this, the
3642 server reports on the first printer service connected to by the
3643 client. This only happens if the connection number sent is invalid.
3645 If a \fI%p\fR is given then the printername
3646 is put in its place. Otherwise it is placed at the end of the
3649 Note that it is good practice to include the absolute path
3650 in the \fIlpq command\fR as the \fB$PATH
3651 \fRmay not be available to the server.
3653 See also the \fIprinting
3656 Default: \fBdepends on the setting of \fI printing\fB\fR
3658 Example: \fBlpq command = /usr/bin/lpq -P%p\fR
3660 \fBlpresume command (S)\fR
3661 This parameter specifies the command to be
3662 executed on the server host in order to restart or continue
3663 printing or spooling a specific print job.
3665 This command should be a program or script which takes
3666 a printer name and job number to resume the print job. See
3667 also the \fIlppause command
3670 If a \fI%p\fR is given then the printername
3671 is put in its place. A \fI%j\fR is replaced with
3672 the job number (an integer).
3674 Note that it is good practice to include the absolute path
3675 in the \fIlpresume command\fR as the PATH may not
3676 be available to the server.
3678 See also the \fIprinting
3681 Default: Currently no default value is given
3682 to this string, unless the value of the \fIprinting\fR
3683 parameter is SYSV, in which case the default is :
3685 \fBlp -i %p-%j -H resume\fR
3687 or if the value of the \fIprinting\fR parameter
3688 is SOFTQ, then the default is:
3690 \fBqstat -s -j%j -r\fR
3692 Example for HPUX: \fBlpresume command = /usr/bin/lpalt
3695 \fBlprm command (S)\fR
3696 This parameter specifies the command to be
3697 executed on the server host in order to delete a print job.
3699 This command should be a program or script which takes
3700 a printer name and job number, and deletes the print job.
3702 If a \fI%p\fR is given then the printername
3703 is put in its place. A \fI%j\fR is replaced with
3704 the job number (an integer).
3706 Note that it is good practice to include the absolute
3707 path in the \fIlprm command\fR as the PATH may not be
3708 available to the server.
3710 See also the \fIprinting
3713 Default: \fBdepends on the setting of \fIprinting
3715 Example 1: \fBlprm command = /usr/bin/lprm -P%p %j
3717 Example 2: \fBlprm command = /usr/bin/cancel %p-%j
3719 \fBmachine password timeout (G)\fR
3720 If a Samba server is a member of an Windows
3721 NT Domain (see the security=domain)
3722 parameter) then periodically a running smbd(8)process will try and change the MACHINE ACCOUNT
3723 PASSWORD stored in the TDB called \fIprivate/secrets.tdb
3724 \fR\&. This parameter specifies how often this password
3725 will be changed, in seconds. The default is one week (expressed in
3726 seconds), the same as a Windows NT Domain member server.
3728 See also \fBsmbpasswd(8)
3729 \fR, and the security=domain) parameter.
3731 Default: \fBmachine password timeout = 604800\fR
3733 \fBmagic output (S)\fR
3734 This parameter specifies the name of a file
3735 which will contain output created by a magic script (see the
3739 Warning: If two clients use the same \fImagic script
3740 \fRin the same directory the output file content
3743 Default: \fBmagic output = <magic script name>.out
3745 Example: \fBmagic output = myfile.txt\fR
3747 \fBmagic script (S)\fR
3748 This parameter specifies the name of a file which,
3749 if opened, will be executed by the server when the file is closed.
3750 This allows a UNIX script to be sent to the Samba host and
3751 executed on behalf of the connected user.
3753 Scripts executed in this way will be deleted upon
3754 completion assuming that the user has the appripriate level
3755 of priviledge and the ile permissions allow the deletion.
3757 If the script generates output, output will be sent to
3758 the file specified by the \fI magic output\fR parameter (see above).
3760 Note that some shells are unable to interpret scripts
3761 containing CR/LF instead of CR as
3762 the end-of-line marker. Magic scripts must be executable
3763 \fBas is\fR on the host, which for some hosts and
3764 some shells will require filtering at the DOS end.
3766 Magic scripts are \fBEXPERIMENTAL\fR and
3767 should \fBNOT\fR be relied upon.
3769 Default: \fBNone. Magic scripts disabled.\fR
3771 Example: \fBmagic script = user.csh\fR
3773 \fBmangle case (S)\fR
3774 See the section on NAME MANGLING
3776 Default: \fBmangle case = no\fR
3778 \fBmangled map (S)\fR
3779 This is for those who want to directly map UNIX
3780 file names which can not be represented on Windows/DOS. The mangling
3781 of names is not always what is needed. In particular you may have
3782 documents with file extensions that differ between DOS and UNIX.
3783 For example, under UNIX it is common to use \fI.html\fR
3784 for HTML files, whereas under Windows/DOS \fI.htm\fR
3785 is more commonly used.
3787 So to map \fIhtml\fR to \fIhtm\fR
3790 \fBmangled map = (*.html *.htm)\fR
3792 One very useful case is to remove the annoying \fI;1
3793 \fRoff the ends of filenames on some CDROMS (only visible
3794 under some UNIXes). To do this use a map of (*;1 *;).
3796 Default: \fBno mangled map\fR
3798 Example: \fBmangled map = (*;1 *;)\fR
3800 \fBmangled names (S)\fR
3801 This controls whether non-DOS names under UNIX
3802 should be mapped to DOS-compatible names ("mangled") and made visible,
3803 or whether non-DOS names should simply be ignored.
3805 See the section on NAME MANGLING for details on how to control the mangling process.
3807 If mangling is used then the mangling algorithm is as follows:
3811 The first (up to) five alphanumeric characters
3812 before the rightmost dot of the filename are preserved, forced
3813 to upper case, and appear as the first (up to) five characters
3814 of the mangled name.
3817 A tilde "~" is appended to the first part of the mangled
3818 name, followed by a two-character unique sequence, based on the
3819 original root name (i.e., the original filename minus its final
3820 extension). The final extension is included in the hash calculation
3821 only if it contains any upper case characters or is longer than three
3824 Note that the character to use may be specified using
3825 the \fImangling char\fR
3826 option, if you don't like '~'.
3829 The first three alphanumeric characters of the final
3830 extension are preserved, forced to upper case and appear as the
3831 extension of the mangled name. The final extension is defined as that
3832 part of the original filename after the rightmost dot. If there are no
3833 dots in the filename, the mangled name will have no extension (except
3834 in the case of "hidden files" - see below).
3837 Files whose UNIX name begins with a dot will be
3838 presented as DOS hidden files. The mangled name will be created as
3839 for other filenames, but with the leading dot removed and "___" as
3840 its extension regardless of actual original extension (that's three
3844 The two-digit hash value consists of upper case
3845 alphanumeric characters.
3848 This algorithm can cause name collisions only if files
3849 in a directory share the same first five alphanumeric characters.
3850 The probability of such a clash is 1/1300.
3853 The name mangling (if enabled) allows a file to be
3854 copied between UNIX directories from Windows/DOS while retaining
3855 the long UNIX filename. UNIX files can be renamed to a new extension
3856 from Windows/DOS and will retain the same basename. Mangled names
3857 do not change between sessions.
3860 Default: \fBmangled names = yes\fR
3863 \fBmangled stack (G)\fR
3864 This parameter controls the number of mangled names
3865 that should be cached in the Samba server smbd(8).
3867 This stack is a list of recently mangled base names
3868 (extensions are only maintained if they are longer than 3 characters
3869 or contains upper case characters).
3871 The larger this value, the more likely it is that mangled
3872 names can be successfully converted to correct long UNIX names.
3873 However, large stack sizes will slow most directory access. Smaller
3874 stacks save memory in the server (each stack element costs 256 bytes).
3876 It is not possible to absolutely guarantee correct long
3877 file names, so be prepared for some surprises!
3879 Default: \fBmangled stack = 50\fR
3881 Example: \fBmangled stack = 100\fR
3883 \fBmangling char (S)\fR
3884 This controls what character is used as
3885 the \fBmagic\fR character in name mangling. The default is a '~'
3886 but this may interfere with some software. Use this option to set
3887 it to whatever you prefer.
3889 Default: \fBmangling char = ~\fR
3891 Example: \fBmangling char = ^\fR
3893 \fBmap archive (S)\fR
3894 This controls whether the DOS archive attribute
3895 should be mapped to the UNIX owner execute bit. The DOS archive bit
3896 is set when a file has been modified since its last backup. One
3897 motivation for this option it to keep Samba/your PC from making
3898 any file it touches from becoming executable under UNIX. This can
3899 be quite annoying for shared source code, documents, etc...
3901 Note that this requires the \fIcreate mask\fR
3902 parameter to be set such that owner execute bit is not masked out
3903 (i.e. it must include 100). See the parameter \fIcreate mask\fR for details.
3905 Default: \fBmap archive = yes\fR
3907 \fBmap hidden (S)\fR
3908 This controls whether DOS style hidden files
3909 should be mapped to the UNIX world execute bit.
3911 Note that this requires the \fIcreate mask\fR
3912 to be set such that the world execute bit is not masked out (i.e.
3913 it must include 001). See the parameter \fIcreate mask\fR for details.
3915 Default: \fBmap hidden = no\fR
3917 \fBmap system (S)\fR
3918 This controls whether DOS style system files
3919 should be mapped to the UNIX group execute bit.
3921 Note that this requires the \fIcreate mask\fR
3922 to be set such that the group execute bit is not masked out (i.e.
3923 it must include 010). See the parameter \fIcreate mask\fR for details.
3925 Default: \fBmap system = no\fR
3927 \fBmap to guest (G)\fR
3928 This parameter is only useful in security modes other than \fIsecurity=share\fR
3929 - i.e. user, server,
3932 This parameter can take three different values, which tell
3933 smbd(8)what to do with user
3934 login requests that don't match a valid UNIX user in some way.
3936 The three settings are :
3940 Never - Means user login
3941 requests with an invalid password are rejected. This is the
3945 Bad User - Means user
3946 logins with an invalid password are rejected, unless the username
3947 does not exist, in which case it is treated as a guest login and
3948 mapped into the \fI guest account\fR.
3951 Bad Password - Means user logins
3952 with an invalid password are treated as a guest login and mapped
3953 into the guest account. Note that
3954 this can cause problems as it means that any user incorrectly typing
3955 their password will be silently logged on as "guest" - and
3956 will not know the reason they cannot access files they think
3957 they should - there will have been no message given to them
3958 that they got their password wrong. Helpdesk services will
3959 \fBhate\fR you if you set the \fImap to
3960 guest\fR parameter this way :-).
3963 Note that this parameter is needed to set up "Guest"
3964 share services when using \fIsecurity\fR modes other than
3965 share. This is because in these modes the name of the resource being
3966 requested is \fBnot\fR sent to the server until after
3967 the server has successfully authenticated the client so the server
3968 cannot make authentication decisions at the correct time (connection
3969 to the share) for "Guest" shares.
3972 For people familiar with the older Samba releases, this
3973 parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.
3976 Default: \fBmap to guest = Never\fR
3979 Example: \fBmap to guest = Bad User\fR
3982 \fBmax connections (S)\fR
3983 This option allows the number of simultaneous
3984 connections to a service to be limited. If \fImax connections
3985 \fRis greater than 0 then connections will be refused if
3986 this number of connections to the service are already open. A value
3987 of zero mean an unlimited number of connections may be made.
3989 Record lock files are used to implement this feature. The
3990 lock files will be stored in the directory specified by the \fIlock directory\fR
3993 Default: \fBmax connections = 0\fR
3995 Example: \fBmax connections = 10\fR
3997 \fBmax disk size (G)\fR
3998 This option allows you to put an upper limit
3999 on the apparent size of disks. If you set this option to 100
4000 then all shares will appear to be not larger than 100 MB in
4003 Note that this option does not limit the amount of
4004 data you can put on the disk. In the above case you could still
4005 store much more than 100 MB on the disk, but if a client ever asks
4006 for the amount of free disk space or the total disk size then the
4007 result will be bounded by the amount specified in \fImax
4010 This option is primarily useful to work around bugs
4011 in some pieces of software that can't handle very large disks,
4012 particularly disks over 1GB in size.
4014 A \fImax disk size\fR of 0 means no limit.
4016 Default: \fBmax disk size = 0\fR
4018 Example: \fBmax disk size = 1000\fR
4020 \fBmax log size (G)\fR
4021 This option (an integer in kilobytes) specifies
4022 the max size the log file should grow to. Samba periodically checks
4023 the size and if it is exceeded it will rename the file, adding
4024 a \fI.old\fR extension.
4026 A size of 0 means no limit.
4028 Default: \fBmax log size = 5000\fR
4030 Example: \fBmax log size = 1000\fR
4033 This option controls the maximum number of
4034 outstanding simultaneous SMB operations that samba tells the client
4035 it will allow. You should never need to set this parameter.
4037 Default: \fBmax mux = 50\fR
4039 \fBmax open files (G)\fR
4040 This parameter limits the maximum number of
4041 open files that one smbd(8)file
4042 serving process may have open for a client at any one time. The
4043 default for this parameter is set very high (10,000) as Samba uses
4044 only one bit per unopened file.
4046 The limit of the number of open files is usually set
4047 by the UNIX per-process file descriptor limit rather than
4048 this parameter so you should never need to touch this parameter.
4050 Default: \fBmax open files = 10000\fR
4052 \fBmax print jobs (S)\fR
4053 This parameter limits the maximum number of
4054 jobs allowable in a Samba printer queue at any given moment.
4055 If this number is exceeded, \fB smbd(8)\fRwill remote "Out of Space" to the client.
4059 Default: \fBmax print jobs = 1000\fR
4061 Example: \fBmax print jobs = 5000\fR
4063 \fBmax protocol (G)\fR
4064 The value of the parameter (a string) is the highest
4065 protocol level that will be supported by the server.
4067 Possible values are :
4071 CORE: Earliest version. No
4072 concept of user names.
4075 COREPLUS: Slight improvements on
4076 CORE for efficiency.
4079 LANMAN1: First \fB modern\fR version of the protocol. Long filename
4083 LANMAN2: Updates to Lanman1 protocol.
4086 NT1: Current up to date version of
4087 the protocol. Used by Windows NT. Known as CIFS.
4090 Normally this option should not be set as the automatic
4091 negotiation phase in the SMB protocol takes care of choosing
4092 the appropriate protocol.
4099 Default: \fBmax protocol = NT1\fR
4102 Example: \fBmax protocol = LANMAN1\fR
4105 \fBmax smbd processes (G)\fR
4106 This parameter limits the maximum number of
4107 \fBsmbd(8)\fRprocesses concurrently running on a system and is intended
4108 as a stop gap to prevent degrading service to clients in the event
4109 that the server has insufficient resources to handle more than this
4110 number of connections. Remember that under normal operating
4111 conditions, each user will have an smbd associated with him or her
4112 to handle connections to all shares from a given host.
4114 Default: \fBmax smbd processes = 0\fR ## no limit
4116 Example: \fBmax smbd processes = 1000\fR
4119 This option tells nmbd(8)what the default 'time to live' of NetBIOS names should be (in seconds)
4120 when \fBnmbd\fR is requesting a name using either a
4121 broadcast packet or from a WINS server. You should never need to
4122 change this parameter. The default is 3 days.
4124 Default: \fBmax ttl = 259200\fR
4126 \fBmax wins ttl (G)\fR
4127 This option tells nmbd(8)
4128 when acting as a WINS server ( \fIwins support=yes\fR) what the maximum
4129 \&'time to live' of NetBIOS names that \fBnmbd\fR
4130 will grant will be (in seconds). You should never need to change this
4131 parameter. The default is 6 days (518400 seconds).
4134 wins ttl"\fR parameter.
4136 Default: \fBmax wins ttl = 518400\fR
4139 This option controls the maximum packet size
4140 that will be negotiated by Samba. The default is 65535, which
4141 is the maximum. In some cases you may find you get better performance
4142 with a smaller value. A value below 2048 is likely to cause problems.
4144 Default: \fBmax xmit = 65535\fR
4146 Example: \fBmax xmit = 8192\fR
4148 \fBmessage command (G)\fR
4149 This specifies what command to run when the
4150 server receives a WinPopup style message.
4152 This would normally be a command that would
4153 deliver the message somehow. How this is to be done is
4154 up to your imagination.
4158 \fBmessage command = csh -c 'xedit %s;rm %s' &\fR
4160 This delivers the message using \fBxedit\fR, then
4161 removes it afterwards. \fBNOTE THAT IT IS VERY IMPORTANT
4162 THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I
4163 have the '&' on the end. If it doesn't return immediately then
4164 your PCs may freeze when sending messages (they should recover
4165 after 30secs, hopefully).
4167 All messages are delivered as the global guest user.
4168 The command takes the standard substitutions, although \fI %u\fR won't work (\fI%U\fR may be better
4171 Apart from the standard substitutions, some additional
4172 ones apply. In particular:
4176 \fI%s\fR = the filename containing
4180 \fI%t\fR = the destination that
4181 the message was sent to (probably the server name).
4184 \fI%f\fR = who the message
4188 You could make this command send mail, or whatever else
4189 takes your fancy. Please let us know of any really interesting
4193 Here's a way of sending the messages as mail to root:
4196 \fBmessage command = /bin/mail -s 'message from %f on
4197 %m' root < %s; rm %s\fR
4200 If you don't have a message command then the message
4201 won't be delivered and Samba will tell the sender there was
4202 an error. Unfortunately WfWg totally ignores the error code
4203 and carries on regardless, saying that the message was delivered.
4206 If you want to silently delete it then try:
4209 \fBmessage command = rm %s\fR
4212 Default: \fBno message command\fR
4215 Example: \fBmessage command = csh -c 'xedit %s;
4219 \fBmin passwd length (G)\fR
4220 Synonym for \fImin password length\fR.
4222 \fBmin password length (G)\fR
4223 This option sets the minimum length in characters
4224 of a plaintext password that \fBsmbd\fR will accept when performing
4225 UNIX password changing.
4228 password sync\fR, \fIpasswd program\fR and \fIpasswd chat debug\fR
4231 Default: \fBmin password length = 5\fR
4233 \fBmin print space (S)\fR
4234 This sets the minimum amount of free disk
4235 space that must be available before a user will be able to spool
4236 a print job. It is specified in kilobytes. The default is 0, which
4237 means a user can always spool a print job.
4239 See also the \fIprinting
4242 Default: \fBmin print space = 0\fR
4244 Example: \fBmin print space = 2000\fR
4246 \fBmin protocol (G)\fR
4247 The value of the parameter (a string) is the
4248 lowest SMB protocol dialect than Samba will support. Please refer
4249 to the \fImax protocol\fR
4250 parameter for a list of valid protocol names and a brief description
4251 of each. You may also wish to refer to the C source code in
4252 \fIsource/smbd/negprot.c\fR for a listing of known protocol
4253 dialects supported by clients.
4255 If you are viewing this parameter as a security measure, you should
4256 also refer to the \fIlanman
4257 auth\fR parameter. Otherwise, you should never need
4258 to change this parameter.
4260 Default : \fBmin protocol = CORE\fR
4262 Example : \fBmin protocol = NT1\fR # disable DOS
4265 \fBmin wins ttl (G)\fR
4266 This option tells nmbd(8)when acting as a WINS server (\fI wins support = yes\fR) what the minimum 'time to live'
4267 of NetBIOS names that \fBnmbd\fR will grant will be (in
4268 seconds). You should never need to change this parameter. The default
4269 is 6 hours (21600 seconds).
4271 Default: \fBmin wins ttl = 21600\fR
4273 \fBmsdfs root (S)\fR
4274 This boolean parameter is only available if
4275 Samba is configured and compiled with the \fB --with-msdfs\fR option. If set to yes>,
4276 Samba treats the share as a Dfs root and allows clients to browse
4277 the distributed file system tree rooted at the share directory.
4278 Dfs links are specified in the share directory by symbolic
4279 links of the form \fImsdfs:serverA\\shareA,serverB\\shareB
4280 \fRand so on. For more information on setting up a Dfs tree
4281 on Samba, refer to msdfs_setup.html
4284 See also \fIhost msdfs
4286 Default: \fBmsdfs root = no\fR
4288 \fBname resolve order (G)\fR
4289 This option is used by the programs in the Samba
4290 suite to determine what naming services to use and in what order
4291 to resolve host names to IP addresses. The option takes a space
4292 separated string of name resolution options.
4294 The options are :"lmhosts", "host", "wins" and "bcast". They
4295 cause names to be resolved as follows :
4299 lmhosts : Lookup an IP
4300 address in the Samba lmhosts file. If the line in lmhosts has
4301 no name type attached to the NetBIOS name (see the lmhosts(5)for details) then
4302 any name type matches for lookup.
4305 host : Do a standard host
4306 name to IP address resolution, using the system \fI/etc/hosts
4307 \fR, NIS, or DNS lookups. This method of name resolution
4308 is operating system depended for instance on IRIX or Solaris this
4309 may be controlled by the \fI/etc/nsswitch.conf\fR
4310 file). Note that this method is only used if the NetBIOS name
4311 type being queried is the 0x20 (server) name type, otherwise
4315 wins : Query a name with
4316 the IP address listed in the \fI wins server\fR parameter. If no WINS server has
4317 been specified this method will be ignored.
4320 bcast : Do a broadcast on
4321 each of the known local interfaces listed in the \fIinterfaces\fR
4322 parameter. This is the least reliable of the name resolution
4323 methods as it depends on the target host being on a locally
4327 Default: \fBname resolve order = lmhosts host wins bcast
4330 Example: \fBname resolve order = lmhosts bcast host
4333 This will cause the local lmhosts file to be examined
4334 first, followed by a broadcast attempt, followed by a normal
4335 system hostname lookup.
4338 \fBnetbios aliases (G)\fR
4339 This is a list of NetBIOS names that nmbd(8)will advertise as additional
4340 names by which the Samba server is known. This allows one machine
4341 to appear in browse lists under multiple names. If a machine is
4342 acting as a browse server or logon server none
4343 of these names will be advertised as either browse server or logon
4344 servers, only the primary name of the machine will be advertised
4345 with these capabilities.
4350 Default: \fBempty string (no additional names)\fR
4352 Example: \fBnetbios aliases = TEST TEST1 TEST2\fR
4354 \fBnetbios name (G)\fR
4355 This sets the NetBIOS name by which a Samba
4356 server is known. By default it is the same as the first component
4357 of the host's DNS name. If a machine is a browse server or
4358 logon server this name (or the first component
4359 of the hosts DNS name) will be the name that these services are
4365 Default: \fBmachine DNS name\fR
4367 Example: \fBnetbios name = MYNAME\fR
4369 \fBnetbios scope (G)\fR
4370 This sets the NetBIOS scope that Samba will
4371 operate under. This should not be set unless every machine
4372 on your LAN also sets this value.
4374 \fBnis homedir (G)\fR
4375 Get the home share server from a NIS map. For
4376 UNIX systems that use an automounter, the user's home directory
4377 will often be mounted on a workstation on demand from a remote
4380 When the Samba logon server is not the actual home directory
4381 server, but is mounting the home directories via NFS then two
4382 network hops would be required to access the users home directory
4383 if the logon server told the client to use itself as the SMB server
4384 for home directories (one over SMB and one over NFS). This can
4387 This option allows Samba to return the home share as
4388 being on a different server to the logon server and as
4389 long as a Samba daemon is running on the home directory server,
4390 it will be mounted on the Samba client directly from the directory
4391 server. When Samba is returning the home share to the client, it
4392 will consult the NIS map specified in \fIhomedir map\fR and return the server
4395 Note that for this option to work there must be a working
4396 NIS system and the Samba server with this option must also
4399 Default: \fBnis homedir = no\fR
4401 \fBnt acl support (G)\fR
4402 This boolean parameter controls whether
4403 smbd(8)will attempt to map
4404 UNIX permissions into Windows NT access control lists.
4406 Default: \fBnt acl support = yes\fR
4408 \fBnt pipe support (G)\fR
4409 This boolean parameter controls whether
4410 smbd(8)will allow Windows NT
4411 clients to connect to the NT SMB specific IPC$
4412 pipes. This is a developer debugging option and can be left
4415 Default: \fBnt pipe support = yes\fR
4417 \fBnt smb support (G)\fR
4418 This boolean parameter controls whether smbd(8)will negotiate NT specific SMB
4419 support with Windows NT clients. Although this is a developer
4420 debugging option and should be left alone, benchmarking has discovered
4421 that Windows NT clients give faster performance with this option
4422 set to no. This is still being investigated.
4423 If this option is set to no then Samba offers
4424 exactly the same SMB calls that versions prior to Samba 2.0 offered.
4425 This information may be of use if any users are having problems
4426 with NT SMB support.
4428 You should not need to ever disable this parameter.
4430 Default: \fBnt smb support = yes\fR
4432 \fBnull passwords (G)\fR
4433 Allow or disallow client access to accounts
4434 that have null passwords.
4436 See also smbpasswd (5).
4438 Default: \fBnull passwords = no\fR
4440 \fBobey pam restrictions (G)\fR
4441 When Samba 2.2 is configure to enable PAM support
4442 (i.e. --with-pam), this parameter will control whether or not Samba
4443 should obey PAM's account and session management directives. The
4444 default behavior is to use PAM for clear text authentication only
4445 and to ignore any account or session management. Note that Samba
4446 always ignores PAM for authentication in the case of \fIencrypt passwords = yes\fR
4447 \&. The reason is that PAM modules cannot support the challenge/response
4448 authentication mechanism needed in the presence of SMB password encryption.
4450 Default: \fBobey pam restrictions = no\fR
4453 This is a boolean option that controls whether
4454 connections with usernames not in the \fIuser\fR
4455 list will be allowed. By default this option is disabled so that a
4456 client can supply a username to be used by the server. Enabling
4457 this parameter will force the server to only user the login
4458 names from the \fIuser\fR list and is only really
4459 useful in shave level
4462 Note that this also means Samba won't try to deduce
4463 usernames from the service name. This can be annoying for
4464 the [homes] section. To get around this you could use \fBuser =
4465 %S\fR which means your \fIuser\fR list
4466 will be just the service name, which for home directories is the
4469 See also the \fIuser\fR
4472 Default: \fBonly user = no\fR
4474 \fBonly guest (S)\fR
4475 A synonym for \fI guest only\fR.
4477 \fBoplock break wait time (G)\fR
4478 This is a tuning parameter added due to bugs in
4479 both Windows 9x and WinNT. If Samba responds to a client too
4480 quickly when that client issues an SMB that can cause an oplock
4481 break request, then the network client can fail and not respond
4482 to the break request. This tuning parameter (which is set in milliseconds)
4483 is the amount of time Samba will wait before sending an oplock break
4484 request to such (broken) clients.
4486 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4487 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4489 Default: \fBoplock break wait time = 0\fR
4491 \fBoplock contention limit (S)\fR
4492 This is a \fBvery\fR advanced
4493 smbd(8)tuning option to
4494 improve the efficiency of the granting of oplocks under multiple
4495 client contention for the same file.
4497 In brief it specifies a number, which causes smbd not to
4498 grant an oplock even when requested if the approximate number of
4499 clients contending for an oplock on the same file goes over this
4500 limit. This causes \fBsmbd\fR to behave in a similar
4503 \fBDO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ
4504 AND UNDERSTOOD THE SAMBA OPLOCK CODE\fR.
4506 Default: \fBoplock contention limit = 2\fR
4509 This boolean option tells smbd whether to
4510 issue oplocks (opportunistic locks) to file open requests on this
4511 share. The oplock code can dramatically (approx. 30% or more) improve
4512 the speed of access to files on Samba servers. It allows the clients
4513 to aggressively cache files locally and you may want to disable this
4514 option for unreliable network environments (it is turned on by
4515 default in Windows NT Servers). For more information see the file
4516 \fISpeed.txt\fR in the Samba \fIdocs/\fR
4519 Oplocks may be selectively turned off on certain files with a
4520 share. See the \fI veto oplock files\fR parameter. On some systems
4521 oplocks are recognized by the underlying operating system. This
4522 allows data synchronization between all access to oplocked files,
4523 whether it be via Samba or NFS or a local UNIX process. See the
4524 \fIkernel oplocks\fR parameter for details.
4526 See also the \fIkernel
4527 oplocks\fR and \fI level2 oplocks\fR parameters.
4529 Default: \fBoplocks = yes\fR
4532 This integer value controls what level Samba
4533 advertises itself as for browse elections. The value of this
4534 parameter determines whether nmbd(8)has a chance of becoming a local master browser for the \fI WORKGROUP\fR in the local broadcast area.
4536 \fBNote :\fRBy default, Samba will win
4537 a local master browsing election over all Microsoft operating
4538 systems except a Windows NT 4.0/2000 Domain Controller. This
4539 means that a misconfigured Samba host can effectively isolate
4540 a subnet for browsing purposes. See \fIBROWSING.txt
4541 \fRin the Samba \fIdocs/\fR directory
4544 Default: \fBos level = 20\fR
4546 Example: \fBos level = 65 \fR
4548 \fBos2 driver map (G)\fR
4549 The parameter is used to define the absolute
4550 path to a file containing a mapping of Windows NT printer driver
4551 names to OS/2 printer driver names. The format is:
4553 <nt driver name> = <os2 driver
4556 For example, a valid entry using the HP LaserJet 5
4557 printer driver woudl appear as \fBHP LaserJet 5L = LASERJET.HP
4560 The need for the file is due to the printer driver namespace
4561 problem described in the Samba
4562 Printing HOWTO. For more details on OS/2 clients, please
4563 refer to the OS2-Client-HOWTO
4564 containing in the Samba documentation.
4566 Default: \fBos2 driver map = <empty string>
4568 \fBpam password change (G)\fR
4569 With the addition of better PAM support in Samba 2.2,
4570 this parameter, it is possible to use PAM's password change control
4571 flag for Samba. If enabled, then PAM will be used for password
4572 changes when requested by an SMB client, and the \fIpasswd chat\fR must be
4573 be changed to work with the pam prompts.
4575 Default: \fBpam password change = no\fR
4577 \fBpanic action (G)\fR
4578 This is a Samba developer option that allows a
4579 system command to be called when either smbd(8)crashes. This is usually used to draw attention to the fact that
4582 Default: \fBpanic action = <empty string>\fR
4584 Example: \fBpanic action = "/bin/sleep 90000"\fR
4586 \fBpasswd chat (G)\fR
4587 This string controls the \fB"chat"\fR
4588 conversation that takes places between smbdand the local password changing
4589 program to change the users password. The string describes a
4590 sequence of response-receive pairs that smbd(8)uses to determine what to send to the
4591 \fIpasswd program\fR
4592 and what to expect back. If the expected output is not
4593 received then the password is not changed.
4595 This chat sequence is often quite site specific, depending
4596 on what local methods are used for password control (such as NIS
4599 The string can contain the macros \fI%o\fR
4600 and \fI%n\fR which are substituted for the old
4601 and new passwords respectively. It can also contain the standard
4602 macros \\n, \\r, \\t and %s to give line-feed,
4603 carriage-return, tab and space.
4605 The string can also contain a '*' which matches
4606 any sequence of characters.
4608 Double quotes can be used to collect strings with spaces
4609 in them into a single string.
4611 If the send string in any part of the chat sequence
4612 is a fullstop ".", then no string is sent. Similarly,
4613 if the expect string is a fullstop then no string is expected.
4615 Note that if the \fIunix
4616 password sync\fR parameter is set to true, then this
4617 sequence is called \fBAS ROOT\fR when the SMB password
4618 in the smbpasswd file is being changed, without access to the old
4619 password cleartext. In this case the old password cleartext is set
4620 to "" (the empty string).
4623 password change\fR parameter is set to true, then the
4624 chat sequence should consist of three elements. The first element should
4625 match the pam prompt for the old password, the second element should match
4626 the pam prompt for the first request for the new password, and the final
4627 element should match the pam prompt for the second request for the new password.
4628 These matches are done case insentively. Under most conditions this change
4629 is done as root so the prompt for the old password will never be matched.
4631 See also \fIunix password
4632 sync\fR, \fI passwd program\fR , \fIpasswd chat debug\fR and \fIpam password change\fR.
4634 Default: \fBpasswd chat = *new*password* %n\\n
4635 *new*password* %n\\n *changed*\fR
4637 Example: \fBpasswd chat = "*Enter OLD password*" %o\\n
4638 "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password
4641 \fBpasswd chat debug (G)\fR
4642 This boolean specifies if the passwd chat script
4643 parameter is run in \fBdebug\fR mode. In this mode the
4644 strings passed to and received from the passwd chat are printed
4645 in the smbd(8)log with a
4647 of 100. This is a dangerous option as it will allow plaintext passwords
4648 to be seen in the \fBsmbd\fR log. It is available to help
4649 Samba admins debug their \fIpasswd chat\fR scripts
4650 when calling the \fIpasswd program\fR and should
4651 be turned off after this has been done. This parameter is off by
4654 See also <\fIpasswd chat\fR
4655 , \fIpasswd program\fR
4658 Default: \fBpasswd chat debug = no\fR
4660 \fBpasswd program (G)\fR
4661 The name of a program that can be used to set
4662 UNIX user passwords. Any occurrences of \fI%u\fR
4663 will be replaced with the user name. The user name is checked for
4664 existence before calling the password changing program.
4666 Also note that many passwd programs insist in \fBreasonable
4667 \fRpasswords, such as a minimum length, or the inclusion
4668 of mixed case chars and digits. This can pose a problem as some clients
4669 (such as Windows for Workgroups) uppercase the password before sending
4672 \fBNote\fR that if the \fIunix
4673 password sync\fR parameter is set to True
4674 then this program is called \fBAS ROOT\fR
4675 before the SMB password in the smbpasswd(5)
4676 file is changed. If this UNIX password change fails, then
4677 \fBsmbd\fR will fail to change the SMB password also
4678 (this is by design).
4680 If the \fIunix password sync\fR parameter
4681 is set this parameter \fBMUST USE ABSOLUTE PATHS\fR
4682 for \fBALL\fR programs called, and must be examined
4683 for security implications. Note that by default \fIunix
4684 password sync\fR is set to False.
4689 Default: \fBpasswd program = /bin/passwd\fR
4691 Example: \fBpasswd program = /sbin/npasswd %u\fR
4693 \fBpassword level (G)\fR
4694 Some client/server combinations have difficulty
4695 with mixed-case passwords. One offending client is Windows for
4696 Workgroups, which for some reason forces passwords to upper
4697 case when using the LANMAN1 protocol, but leaves them alone when
4698 using COREPLUS! Another problem child is the Windows 95/98
4699 family of operating systems. These clients upper case clear
4700 text passwords even when NT LM 0.12 selected by the protocol
4701 negotiation request/response.
4703 This parameter defines the maximum number of characters
4704 that may be upper case in passwords.
4706 For example, say the password given was "FRED". If \fI password level\fR is set to 1, the following combinations
4707 would be tried if "FRED" failed:
4709 "Fred", "fred", "fRed", "frEd","freD"
4711 If \fIpassword level\fR was set to 2,
4712 the following combinations would also be tried:
4714 "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
4718 The higher value this parameter is set to the more likely
4719 it is that a mixed case password will be matched against a single
4720 case password. However, you should be aware that use of this
4721 parameter reduces security and increases the time taken to
4722 process a new connection.
4724 A value of zero will cause only two attempts to be
4725 made - the password as is and the password in all-lower case.
4727 Default: \fBpassword level = 0\fR
4729 Example: \fBpassword level = 4\fR
4731 \fBpassword server (G)\fR
4732 By specifying the name of another SMB server (such
4733 as a WinNT box) with this option, and using \fBsecurity = domain
4734 \fRor \fBsecurity = server\fR you can get Samba
4735 to do all its username/password validation via a remote server.
4737 This option sets the name of the password server to use.
4738 It must be a NetBIOS name, so if the machine's NetBIOS name is
4739 different from its Internet name then you may have to add its NetBIOS
4740 name to the lmhosts file which is stored in the same directory
4741 as the \fIsmb.conf\fR file.
4743 The name of the password server is looked up using the
4745 resolve order\fR and so may resolved
4746 by any method and order described in that parameter.
4748 The password server much be a machine capable of using
4749 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
4750 user level security mode.
4752 \fBNOTE:\fR Using a password server
4753 means your UNIX box (running Samba) is only as secure as your
4754 password server. \fBDO NOT CHOOSE A PASSWORD SERVER THAT
4755 YOU DON'T COMPLETELY TRUST\fR.
4757 Never point a Samba server at itself for password
4758 serving. This will cause a loop and could lock up your Samba
4761 The name of the password server takes the standard
4762 substitutions, but probably the only useful one is \fI%m
4763 \fR, which means the Samba server will use the incoming
4764 client as the password server. If you use this then you better
4765 trust your clients, and you had better restrict them with hosts allow!
4767 If the \fIsecurity\fR parameter is set to
4768 domain, then the list of machines in this
4769 option must be a list of Primary or Backup Domain controllers for the
4770 Domain or the character '*', as the Samba server is effectively
4771 in that domain, and will use cryptographically authenticated RPC calls
4772 to authenticate the user logging on. The advantage of using \fB security = domain\fR is that if you list several hosts in the
4773 \fIpassword server\fR option then \fBsmbd
4774 \fRwill try each in turn till it finds one that responds. This
4775 is useful in case your primary server goes down.
4777 If the \fIpassword server\fR option is set
4778 to the character '*', then Samba will attempt to auto-locate the
4779 Primary or Backup Domain controllers to authenticate against by
4780 doing a query for the name WORKGROUP<1C>
4781 and then contacting each server returned in the list of IP
4782 addresses from the name resolution source.
4784 If the \fIsecurity\fR parameter is
4785 set to server, then there are different
4786 restrictions that \fBsecurity = domain\fR doesn't
4791 You may list several password servers in
4792 the \fIpassword server\fR parameter, however if an
4793 \fBsmbd\fR makes a connection to a password server,
4794 and then the password server fails, no more users will be able
4795 to be authenticated from this \fBsmbd\fR. This is a
4796 restriction of the SMB/CIFS protocol when in \fBsecurity=server
4797 \fRmode and cannot be fixed in Samba.
4800 If you are using a Windows NT server as your
4801 password server then you will have to ensure that your users
4802 are able to login from the Samba server, as when in \fB security=server\fR mode the network logon will appear to
4803 come from there rather than from the users workstation.
4806 See also the \fIsecurity
4810 Default: \fBpassword server = <empty string>\fR
4813 Example: \fBpassword server = NT-PDC, NT-BDC1, NT-BDC2
4816 Example: \fBpassword server = *\fR
4820 This parameter specifies a directory to which
4821 the user of the service is to be given access. In the case of
4822 printable services, this is where print data will spool prior to
4823 being submitted to the host for printing.
4825 For a printable service offering guest access, the service
4826 should be readonly and the path should be world-writeable and
4827 have the sticky bit set. This is not mandatory of course, but
4828 you probably won't get the results you expect if you do
4831 Any occurrences of \fI%u\fR in the path
4832 will be replaced with the UNIX username that the client is using
4833 on this connection. Any occurrences of \fI%m\fR
4834 will be replaced by the NetBIOS name of the machine they are
4835 connecting from. These replacements are very useful for setting
4836 up pseudo home directories for users.
4838 Note that this path will be based on \fIroot dir\fR if one was specified.
4842 Example: \fBpath = /home/fred\fR
4844 \fBposix locking (S)\fR
4845 The \fBsmbd(8)\fRdaemon maintains an database of file locks obtained by SMB clients.
4846 The default behavior is to map this internal database to POSIX
4847 locks. This means that file locks obtained by SMB clients are
4848 consistent with those seen by POSIX compliant applications accessing
4849 the files via a non-SMB method (e.g. NFS or local file access).
4850 You should never need to disable this parameter.
4852 Default: \fBposix locking = yes\fR
4855 This option specifies a command to be run
4856 whenever the service is disconnected. It takes the usual
4857 substitutions. The command may be run as the root on some
4860 An interesting example may be do unmount server
4863 \fBpostexec = /etc/umount /cdrom\fR
4865 See also \fIpreexec\fR
4868 Default: \fBnone (no command executed)\fR
4870 Example: \fBpostexec = echo \\"%u disconnected from %S
4871 from %m (%I)\\" >> /tmp/log\fR
4873 \fBpostscript (S)\fR
4874 This parameter forces a printer to interpret
4875 the print files as postscript. This is done by adding a %!
4876 to the start of print output.
4878 This is most useful when you have lots of PCs that persist
4879 in putting a control-D at the start of print jobs, which then
4880 confuses your printer.
4882 Default: \fBpostscript = no\fR
4885 This option specifies a command to be run whenever
4886 the service is connected to. It takes the usual substitutions.
4888 An interesting example is to send the users a welcome
4889 message every time they log in. Maybe a message of the day? Here
4892 \fBpreexec = csh -c 'echo \\"Welcome to %S!\\" |
4893 /usr/local/samba/bin/smbclient -M %m -I %I' & \fR
4895 Of course, this could get annoying after a while :-)
4897 See also \fIpreexec close
4901 Default: \fBnone (no command executed)\fR
4903 Example: \fBpreexec = echo \\"%u connected to %S from %m
4904 (%I)\\" >> /tmp/log\fR
4906 \fBpreexec close (S)\fR
4907 This boolean option controls whether a non-zero
4908 return code from \fIpreexec
4909 \fRshould close the service being connected to.
4911 Default: \fBpreexec close = no\fR
4913 \fBpreferred master (G)\fR
4914 This boolean parameter controls if nmbd(8)is a preferred master browser
4917 If this is set to true, on startup, \fBnmbd\fR
4918 will force an election, and it will have a slight advantage in
4919 winning the election. It is recommended that this parameter is
4920 used in conjunction with \fB\fI domain master\fB = yes\fR, so that \fB nmbd\fR can guarantee becoming a domain master.
4922 Use this option with caution, because if there are several
4923 hosts (whether Samba servers, Windows 95 or NT) that are preferred
4924 master browsers on the same subnet, they will each periodically
4925 and continuously attempt to become the local master browser.
4926 This will result in unnecessary broadcast traffic and reduced browsing
4929 See also \fIos level\fR
4932 Default: \fBpreferred master = auto\fR
4934 \fBprefered master (G)\fR
4935 Synonym for \fI preferred master\fR for people who cannot spell :-).
4938 This is a list of services that you want to be
4939 automatically added to the browse lists. This is most useful
4940 for homes and printers services that would otherwise not be
4943 Note that if you just want all printers in your
4944 printcap file loaded then the \fIload printers\fR option is easier.
4946 Default: \fBno preloaded services\fR
4948 Example: \fBpreload = fred lp colorlp\fR
4950 \fBpreserve case (S)\fR
4951 This controls if new filenames are created
4952 with the case that the client passes, or if they are forced to
4953 be the \fIdefault case
4956 Default: \fBpreserve case = yes\fR
4958 See the section on NAME
4959 MANGLING for a fuller discussion.
4961 \fBprint command (S)\fR
4962 After a print job has finished spooling to
4963 a service, this command will be used via a \fBsystem()\fR
4964 call to process the spool file. Typically the command specified will
4965 submit the spool file to the host's printing subsystem, but there
4966 is no requirement that this be the case. The server will not remove
4967 the spool file, so whatever command you specify should remove the
4968 spool file when it has been processed, otherwise you will need to
4969 manually remove old spool files.
4971 The print command is simply a text string. It will be used
4972 verbatim, with two exceptions: All occurrences of \fI%s
4973 \fRand \fI%f\fR will be replaced by the
4974 appropriate spool file name, and all occurrences of \fI%p
4975 \fRwill be replaced by the appropriate printer name. The
4976 spool file name is generated automatically by the server, the printer
4977 name is discussed below.
4979 The print command \fBMUST\fR contain at least
4980 one occurrence of \fI%s\fR or \fI%f
4981 \fR- the \fI%p\fR is optional. At the time
4982 a job is submitted, if no printer name is supplied the \fI%p
4983 \fRwill be silently removed from the printer command.
4985 If specified in the [global] section, the print command given
4986 will be used for any printable service that does not have its own
4987 print command specified.
4989 If there is neither a specified print command for a
4990 printable service nor a global print command, spool files will
4991 be created but not processed and (most importantly) not removed.
4993 Note that printing may fail on some UNIXes from the
4994 nobody account. If this happens then create
4995 an alternative guest account that can print and set the \fIguest account\fR
4996 in the [global] section.
4998 You can form quite complex print commands by realizing
4999 that they are just passed to a shell. For example the following
5000 will log a print job, print the file, then remove it. Note that
5001 \&';' is the usual separator for command in shell scripts.
5003 \fBprint command = echo Printing %s >>
5004 /tmp/print.log; lpr -P %p %s; rm %s\fR
5006 You may have to vary this command considerably depending
5007 on how you normally print files on your system. The default for
5008 the parameter varies depending on the setting of the \fIprinting\fR parameter.
5010 Default: For \fBprinting= BSD, AIX, QNX, LPRNG
5013 \fBprint command = lpr -r -P%p %s\fR
5015 For \fBprinting= SYS or HPUX :\fR
5017 \fBprint command = lp -c -d%p %s; rm %s\fR
5019 For \fBprinting=SOFTQ :\fR
5021 \fBprint command = lp -d%p -s %s; rm %s\fR
5023 Example: \fBprint command = /usr/local/samba/bin/myprintscript
5027 Synonym for \fIprintable\fR.
5030 If this parameter is yes, then
5031 clients may open, write to and submit spool files on the directory
5032 specified for the service.
5034 Note that a printable service will ALWAYS allow writing
5035 to the service path (user privileges permitting) via the spooling
5036 of print data. The \fIwriteable
5037 \fRparameter controls only non-printing access to
5040 Default: \fBprintable = no\fR
5043 Synonym for \fI printcap name\fR.
5045 \fBprintcap name (G)\fR
5046 This parameter may be used to override the
5047 compiled-in default printcap name used by the server (usually \fI /etc/printcap\fR). See the discussion of the [printers] section above for reasons
5048 why you might want to do this.
5050 On System V systems that use \fBlpstat\fR to
5051 list available printers you can use \fBprintcap name = lpstat
5052 \fRto automatically obtain lists of available printers. This
5053 is the default for systems that define SYSV at configure time in
5054 Samba (this includes most System V based systems). If \fI printcap name\fR is set to \fBlpstat\fR on
5055 these systems then Samba will launch \fBlpstat -v\fR and
5056 attempt to parse the output to obtain a printer list.
5058 A minimal printcap file would look something like this:
5071 where the '|' separates aliases of a printer. The fact
5072 that the second alias has a space in it gives a hint to Samba
5073 that it's a comment.
5075 \fBNOTE\fR: Under AIX the default printcap
5076 name is \fI/etc/qconfig\fR. Samba will assume the
5077 file is in AIX \fIqconfig\fR format if the string
5078 \fIqconfig\fR appears in the printcap filename.
5080 Default: \fBprintcap name = /etc/printcap\fR
5082 Example: \fBprintcap name = /etc/myprintcap\fR
5084 \fBprinter admin (S)\fR
5085 This is a list of users that can do anything to
5086 printers via the remote administration interfaces offered by MS-RPC
5087 (usually using a NT workstation). Note that the root user always
5090 Default: \fBprinter admin = <empty string>\fR
5092 Example: \fBprinter admin = admin, @staff\fR
5094 \fBprinter driver (S)\fR
5095 \fBNote :\fRThis is a depreciated
5096 parameter and will be removed in the next major release
5097 following version 2.2. Please see the instructions in
5098 \fIPRINTER_DRIVER2.txt\fR in the \fIdocs
5099 \fRof the Samba distribution for more information
5100 on the new method of loading printer drivers onto a Samba server.
5102 This option allows you to control the string
5103 that clients receive when they ask the server for the printer driver
5104 associated with a printer. If you are using Windows95 or Windows NT
5105 then you can use this to automate the setup of printers on your
5108 You need to set this parameter to the exact string (case
5109 sensitive) that describes the appropriate printer driver for your
5110 system. If you don't know the exact string to use then you should
5111 first try with no \fI printer driver\fR option set and the client will
5112 give you a list of printer drivers. The appropriate strings are
5113 shown in a scroll box after you have chosen the printer manufacturer.
5118 Example: \fBprinter driver = HP LaserJet 4L\fR
5120 \fBprinter driver file (G)\fR
5121 \fBNote :\fRThis is a depreciated
5122 parameter and will be removed in the next major release
5123 following version 2.2. Please see the instructions in
5124 \fIPRINTER_DRIVER2.txt\fR in the \fIdocs
5125 \fRof the Samba distribution for more information
5126 on the new method of loading printer drivers onto a Samba server.
5128 This parameter tells Samba where the printer driver
5129 definition file, used when serving drivers to Windows 95 clients, is
5130 to be found. If this is not set, the default is :
5132 \fISAMBA_INSTALL_DIRECTORY
5133 /lib/printers.def\fR
5135 This file is created from Windows 95 \fImsprint.inf
5136 \fRfiles found on the Windows 95 client system. For more
5137 details on setting up serving of printer drivers to Windows 95
5138 clients, see the documentation file in the \fIdocs/\fR
5139 directory, \fIPRINTER_DRIVER.txt\fR.
5141 See also \fI printer driver location\fR.
5143 Default: \fBNone (set in compile).\fR
5145 Example: \fBprinter driver file =
5146 /usr/local/samba/printers/drivers.def\fR
5148 \fBprinter driver location (S)\fR
5149 \fBNote :\fRThis is a depreciated
5150 parameter and will be removed in the next major release
5151 following version 2.2. Please see the instructions in
5152 \fIPRINTER_DRIVER2.txt\fR in the \fIdocs
5153 \fRof the Samba distribution for more information
5154 on the new method of loading printer drivers onto a Samba server.
5156 This parameter tells clients of a particular printer
5157 share where to find the printer driver files for the automatic
5158 installation of drivers for Windows 95 machines. If Samba is set up
5159 to serve printer drivers to Windows 95 machines, this should be set to
5161 \fB\\\\MACHINE\\PRINTER$\fR
5163 Where MACHINE is the NetBIOS name of your Samba server,
5164 and PRINTER$ is a share you set up for serving printer driver
5165 files. For more details on setting this up see the documentation
5166 file in the \fIdocs/\fR directory, \fI PRINTER_DRIVER.txt\fR.
5168 See also \fI printer driver file\fR.
5172 Example: \fBprinter driver location = \\\\MACHINE\\PRINTER$
5174 \fBprinter name (S)\fR
5175 This parameter specifies the name of the printer
5176 to which print jobs spooled through a printable service will be sent.
5178 If specified in the [global] section, the printer
5179 name given will be used for any printable service that does
5180 not have its own printer name specified.
5182 Default: \fBnone (but may be lp
5185 Example: \fBprinter name = laserwriter\fR
5188 Synonym for \fI printer name\fR.
5191 This parameters controls how printer status
5192 information is interpreted on your system. It also affects the
5193 default values for the \fIprint command\fR,
5194 \fIlpq command\fR, \fIlppause command
5195 \fR, \fIlpresume command\fR, and
5196 \fIlprm command\fR if specified in the
5199 Currently eight printing styles are supported. They are
5206 To see what the defaults are for the other print
5207 commands when using the various options use the testparm(1)program.
5209 This option can be set on a per printer basis
5211 See also the discussion in the [printers] section.
5214 Synonym for \fImax protocol\fR.
5217 Synonym for \fIguest
5220 \fBqueuepause command (S)\fR
5221 This parameter specifies the command to be
5222 executed on the server host in order to pause the printerqueue.
5224 This command should be a program or script which takes
5225 a printer name as its only parameter and stops the printerqueue,
5226 such that no longer jobs are submitted to the printer.
5228 This command is not supported by Windows for Workgroups,
5229 but can be issued from the Printer's window under Windows 95
5232 If a \fI%p\fR is given then the printername
5233 is put in its place. Otherwise it is placed at the end of the command.
5235 Note that it is good practice to include the absolute
5236 path in the command as the PATH may not be available to the
5239 Default: \fBdepends on the setting of \fIprinting
5241 Example: \fBqueuepause command = disable %p\fR
5243 \fBqueueresume command (S)\fR
5244 This parameter specifies the command to be
5245 executed on the server host in order to resume the printerqueue. It
5246 is the command to undo the behavior that is caused by the
5247 previous parameter (\fI queuepause command\fR).
5249 This command should be a program or script which takes
5250 a printer name as its only parameter and resumes the printerqueue,
5251 such that queued jobs are resubmitted to the printer.
5253 This command is not supported by Windows for Workgroups,
5254 but can be issued from the Printer's window under Windows 95
5257 If a \fI%p\fR is given then the printername
5258 is put in its place. Otherwise it is placed at the end of the
5261 Note that it is good practice to include the absolute
5262 path in the command as the PATH may not be available to the
5265 Default: \fBdepends on the setting of \fIprinting\fB\fR
5267 Example: \fBqueuepause command = enable %p
5270 This boolean parameter controls whether smbd(8)will support the "Read
5271 Block Multiplex" SMB. This is now rarely used and defaults to
5272 no. You should never need to set this
5275 Default: \fBread bmpx = no\fR
5278 This is a list of users that are given read-only
5279 access to a service. If the connecting user is in this list then
5280 they will not be given write access, no matter what the \fIwriteable\fR
5281 option is set to. The list can include group names using the
5282 syntax described in the \fI invalid users\fR parameter.
5284 See also the \fI write list\fR parameter and the \fIinvalid users\fR
5287 Default: \fBread list = <empty string>\fR
5289 Example: \fBread list = mary, @students\fR
5292 Note that this is an inverted synonym for \fIwriteable\fR.
5295 This parameter controls whether or not the server
5296 will support the raw read SMB requests when transferring data
5299 If enabled, raw reads allow reads of 65535 bytes in
5300 one packet. This typically provides a major performance benefit.
5302 However, some clients either negotiate the allowable
5303 block size incorrectly or are incapable of supporting larger block
5304 sizes, and for these clients you may need to disable raw reads.
5306 In general this parameter should be viewed as a system tuning
5307 tool and left severely alone. See also \fIwrite raw\fR.
5309 Default: \fBread raw = yes\fR
5312 The option \fIread size\fR
5313 affects the overlap of disk reads/writes with network reads/writes.
5314 If the amount of data being transferred in several of the SMB
5315 commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger
5316 than this value then the server begins writing the data before it
5317 has received the whole packet from the network, or in the case of
5318 SMBreadbraw, it begins writing to the network before all the data
5319 has been read from disk.
5321 This overlapping works best when the speeds of disk and
5322 network access are similar, having very little effect when the
5323 speed of one is much greater than the other.
5325 The default value is 16384, but very little experimentation
5326 has been done yet to determine the optimal value, and it is likely
5327 that the best value will vary greatly between systems anyway.
5328 A value over 65536 is pointless and will cause you to allocate
5329 memory unnecessarily.
5331 Default: \fBread size = 16384\fR
5333 Example: \fBread size = 8192\fR
5335 \fBremote announce (G)\fR
5336 This option allows you to setup nmbd(8)to periodically announce itself
5337 to arbitrary IP addresses with an arbitrary workgroup name.
5339 This is useful if you want your Samba server to appear
5340 in a remote workgroup for which the normal browse propagation
5341 rules don't work. The remote workgroup can be anywhere that you
5342 can send IP packets to.
5346 \fBremote announce = 192.168.2.255/SERVERS
5347 192.168.4.255/STAFF\fR
5349 the above line would cause nmbd to announce itself
5350 to the two given IP addresses using the given workgroup names.
5351 If you leave out the workgroup name then the one given in
5353 parameter is used instead.
5355 The IP addresses you choose would normally be the broadcast
5356 addresses of the remote networks, but can also be the IP addresses
5357 of known browse masters if your network config is that stable.
5359 See the documentation file \fIBROWSING.txt\fR
5360 in the \fIdocs/\fR directory.
5362 Default: \fBremote announce = <empty string>
5364 \fBremote browse sync (G)\fR
5365 This option allows you to setup nmbd(8)to periodically request
5366 synchronization of browse lists with the master browser of a samba
5367 server that is on a remote segment. This option will allow you to
5368 gain browse lists for multiple workgroups across routed networks. This
5369 is done in a manner that does not work with any non-samba servers.
5371 This is useful if you want your Samba server and all local
5372 clients to appear in a remote workgroup for which the normal browse
5373 propagation rules don't work. The remote workgroup can be anywhere
5374 that you can send IP packets to.
5378 \fBremote browse sync = 192.168.2.255 192.168.4.255
5380 the above line would cause \fBnmbd\fR to request
5381 the master browser on the specified subnets or addresses to
5382 synchronize their browse lists with the local server.
5384 The IP addresses you choose would normally be the broadcast
5385 addresses of the remote networks, but can also be the IP addresses
5386 of known browse masters if your network config is that stable. If
5387 a machine IP address is given Samba makes NO attempt to validate
5388 that the remote machine is available, is listening, nor that it
5389 is in fact the browse master on it's segment.
5391 Default: \fBremote browse sync = <empty string>
5393 \fBrestrict acl with mask (S)\fR
5394 This is a boolean parameter. If set to false (default), then
5395 Creation of files with access control lists (ACLS) and modification of ACLs
5396 using the Windows NT/2000 ACL editor will be applied directly to the file
5399 If set to True, then all requests to set an ACL on a file will have the
5400 parameters \fIcreate mask\fR,
5401 \fIforce create mode\fR
5402 applied before setting the ACL, and all requests to set an ACL on a directory will
5403 have the parameters \fIdirectory
5405 directory mode\fR applied before setting the ACL.
5407 See also \fIcreate mask\fR,
5408 \fIforce create mode\fR,
5409 \fIdirectory mask\fR,
5410 \fIforce directory mode\fR
5412 Default: \fBrestrict acl with mask = no\fR
5414 \fBrestrict anonymous (G)\fR
5415 This is a boolean parameter. If it is true, then
5416 anonymous access to the server will be restricted, namely in the
5417 case where the server is expecting the client to send a username,
5418 but it doesn't. Setting it to true will force these anonymous
5419 connections to be denied, and the client will be required to always
5420 supply a username and password when connecting. Use of this parameter
5421 is only recommended for homogeneous NT client environments.
5423 This parameter makes the use of macro expansions that rely
5424 on the username (%U, %G, etc) consistent. NT 4.0
5425 likes to use anonymous connections when refreshing the share list,
5426 and this is a way to work around that.
5428 When restrict anonymous is true, all anonymous connections
5429 are denied no matter what they are for. This can effect the ability
5430 of a machine to access the samba Primary Domain Controller to revalidate
5431 it's machine account after someone else has logged on the client
5432 interactively. The NT client will display a message saying that
5433 the machine's account in the domain doesn't exist or the password is
5434 bad. The best way to deal with this is to reboot NT client machines
5435 between interactive logons, using "Shutdown and Restart", rather
5436 than "Close all programs and logon as a different user".
5438 Default: \fBrestrict anonymous = no\fR
5441 Synonym for \fIroot directory"\fR.
5444 Synonym for \fIroot directory"\fR.
5446 \fBroot directory (G)\fR
5447 The server will \fBchroot()\fR (i.e.
5448 Change it's root directory) to this directory on startup. This is
5449 not strictly necessary for secure operation. Even without it the
5450 server will deny access to files not in one of the service entries.
5451 It may also check for, and deny access to, soft links to other
5452 parts of the filesystem, or attempts to use ".." in file names
5453 to access other directories (depending on the setting of the \fIwide links\fR
5456 Adding a \fIroot directory\fR entry other
5457 than "/" adds an extra level of security, but at a price. It
5458 absolutely ensures that no access is given to files not in the
5459 sub-tree specified in the \fIroot directory\fR
5460 option, \fBincluding\fR some files needed for
5461 complete operation of the server. To maintain full operability
5462 of the server you will need to mirror some system files
5463 into the \fIroot directory\fR tree. In particular
5464 you will need to mirror \fI/etc/passwd\fR (or a
5465 subset of it), and any binaries or configuration files needed for
5466 printing (if required). The set of files that must be mirrored is
5467 operating system dependent.
5469 Default: \fBroot directory = /\fR
5471 Example: \fBroot directory = /homes/smb\fR
5473 \fBroot postexec (S)\fR
5474 This is the same as the \fIpostexec\fR
5475 parameter except that the command is run as root. This
5476 is useful for unmounting filesystems
5477 (such as cdroms) after a connection is closed.
5479 See also \fI postexec\fR.
5481 Default: \fBroot postexec = <empty string>
5483 \fBroot preexec (S)\fR
5484 This is the same as the \fIpreexec\fR
5485 parameter except that the command is run as root. This
5486 is useful for mounting filesystems (such as cdroms) after a
5487 connection is closed.
5489 See also \fI preexec\fR and \fIpreexec close\fR.
5491 Default: \fBroot preexec = <empty string>
5493 \fBroot preexec close (S)\fR
5494 This is the same as the \fIpreexec close
5495 \fRparameter except that the command is run as root.
5497 See also \fI preexec\fR and \fIpreexec close\fR.
5499 Default: \fBroot preexec close = no\fR
5502 This option affects how clients respond to
5503 Samba and is one of the most important settings in the \fI smb.conf\fR file.
5505 The option sets the "security mode bit" in replies to
5506 protocol negotiations with smbd(8)
5507 to turn share level security on or off. Clients decide
5508 based on this bit whether (and how) to transfer user and password
5509 information to the server.
5511 The default is \fBsecurity = user\fR, as this is
5512 the most common setting needed when talking to Windows 98 and
5515 The alternatives are \fBsecurity = share\fR,
5516 \fBsecurity = server\fR or \fBsecurity=domain
5519 In versions of Samba prior to 2..0, the default was
5520 \fBsecurity = share\fR mainly because that was
5521 the only option at one stage.
5523 There is a bug in WfWg that has relevance to this
5524 setting. When in user or server level security a WfWg client
5525 will totally ignore the password you type in the "connect
5526 drive" dialog box. This makes it very difficult (if not impossible)
5527 to connect to a Samba service as anyone except the user that
5528 you are logged into WfWg as.
5530 If your PCs use usernames that are the same as their
5531 usernames on the UNIX machine then you will want to use
5532 \fBsecurity = user\fR. If you mostly use usernames
5533 that don't exist on the UNIX box then use \fBsecurity =
5536 You should also use \fBsecurity = share\fR if you
5537 want to mainly setup shares without a password (guest shares). This
5538 is commonly used for a shared printer server. It is more difficult
5539 to setup guest shares with \fBsecurity = user\fR, see
5540 the \fImap to guest\fR
5541 parameter for details.
5543 It is possible to use \fBsmbd\fR in a \fB hybrid mode\fR where it is offers both user and share
5544 level security under different \fINetBIOS aliases\fR.
5546 The different settings will now be explained.
5550 When clients connect to a share level security server then
5551 need not log onto the server with a valid username and password before
5552 attempting to connect to a shared resource (although modern clients
5553 such as Windows 95/98 and Windows NT will send a logon request with
5554 a username but no password when talking to a \fBsecurity = share
5555 \fRserver). Instead, the clients send authentication information
5556 (passwords) on a per-share basis, at the time they attempt to connect
5559 Note that \fBsmbd\fR \fBALWAYS\fR
5560 uses a valid UNIX user to act on behalf of the client, even in
5561 \fBsecurity = share\fR level security.
5563 As clients are not required to send a username to the server
5564 in share level security, \fBsmbd\fR uses several
5565 techniques to determine the correct UNIX user to use on behalf
5568 A list of possible UNIX usernames to match with the given
5569 client password is constructed using the following methods :
5574 only\fR parameter is set, then all the other
5575 stages are missed and only the \fIguest account\fR username is checked.
5578 Is a username is sent with the share connection
5579 request, then this username (after mapping - see \fIusername map\fR),
5580 is added as a potential username.
5583 If the client did a previous \fBlogon
5584 \fRrequest (the SessionSetup SMB call) then the
5585 username sent in this SMB will be added as a potential username.
5588 The name of the service the client requested is
5589 added as a potential username.
5592 The NetBIOS name of the client is added to
5593 the list as a potential username.
5596 Any users on the \fI user\fR list are added as potential usernames.
5599 If the \fIguest only\fR parameter is
5600 not set, then this list is then tried with the supplied password.
5601 The first user for whom the password matches will be used as the
5605 If the \fIguest only\fR parameter is
5606 set, or no username can be determined then if the share is marked
5607 as available to the \fIguest account\fR, then this
5608 guest user will be used, otherwise access is denied.
5611 Note that it can be \fBvery\fR confusing
5612 in share-level security as to which UNIX username will eventually
5613 be used in granting access.
5616 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5622 This is the default security setting in Samba 2.2.
5623 With user-level security a client must first "log=on" with a
5624 valid username and password (which can be mapped using the \fIusername map\fR
5625 parameter). Encrypted passwords (see the \fIencrypted passwords\fR parameter) can also
5626 be used in this security mode. Parameters such as \fIuser\fR and \fIguest only\fR if set are then applied and
5627 may change the UNIX user to use on this connection, but only after
5628 the user has been successfully authenticated.
5631 \fBNote\fR that the name of the resource being
5632 requested is \fBnot\fR sent to the server until after
5633 the server has successfully authenticated the client. This is why
5634 guest shares don't work in user level security without allowing
5635 the server to automatically map unknown users into the \fIguest account\fR.
5636 See the \fImap to guest\fR
5637 parameter for details on doing this.
5640 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5643 \fBSECURITY = SERVER
5646 In this mode Samba will try to validate the username/password
5647 by passing it to another SMB server, such as an NT box. If this
5648 fails it will revert to \fBsecurity = user\fR, but note
5649 that if encrypted passwords have been negotiated then Samba cannot
5650 revert back to checking the UNIX password file, it must have a valid
5651 \fIsmbpasswd\fR file to check users against. See the
5652 documentation file in the \fIdocs/\fR directory
5653 \fIENCRYPTION.txt\fR for details on how to set this
5657 \fBNote\fR that from the clients point of
5658 view \fBsecurity = server\fR is the same as \fB security = user\fR. It only affects how the server deals
5659 with the authentication, it does not in any way affect what the
5663 \fBNote\fR that the name of the resource being
5664 requested is \fBnot\fR sent to the server until after
5665 the server has successfully authenticated the client. This is why
5666 guest shares don't work in user level security without allowing
5667 the server to automatically map unknown users into the \fIguest account\fR.
5668 See the \fImap to guest\fR
5669 parameter for details on doing this.
5672 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5675 See also the \fIpassword
5676 server\fR parameter and the \fIencrypted passwords\fR
5680 \fBSECURITY = DOMAIN
5683 This mode will only work correctly if smbpasswd(8)has been used to add this
5684 machine into a Windows NT Domain. It expects the \fIencrypted passwords\fR
5685 parameter to be set to true. In this
5686 mode Samba will try to validate the username/password by passing
5687 it to a Windows NT Primary or Backup Domain Controller, in exactly
5688 the same way that a Windows NT Server would do.
5691 \fBNote\fR that a valid UNIX user must still
5692 exist as well as the account on the Domain Controller to allow
5693 Samba to have a valid UNIX account to map file access to.
5696 \fBNote\fR that from the clients point
5697 of view \fBsecurity = domain\fR is the same as \fBsecurity = user
5698 \fR\&. It only affects how the server deals with the authentication,
5699 it does not in any way affect what the client sees.
5702 \fBNote\fR that the name of the resource being
5703 requested is \fBnot\fR sent to the server until after
5704 the server has successfully authenticated the client. This is why
5705 guest shares don't work in user level security without allowing
5706 the server to automatically map unknown users into the \fIguest account\fR.
5707 See the \fImap to guest\fR
5708 parameter for details on doing this.
5711 \fBBUG:\fR There is currently a bug in the
5712 implementation of \fBsecurity = domain\fR with respect
5713 to multi-byte character set usernames. The communication with a
5714 Domain Controller must be done in UNICODE and Samba currently
5715 does not widen multi-byte user names to UNICODE correctly, thus
5716 a multi-byte username will not be recognized correctly at the
5717 Domain Controller. This issue will be addressed in a future release.
5720 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5723 See also the \fIpassword
5724 server\fR parameter and the \fIencrypted passwords\fR
5728 Default: \fBsecurity = USER\fR
5731 Example: \fBsecurity = DOMAIN\fR
5734 \fBsecurity mask (S)\fR
5735 This parameter controls what UNIX permission
5736 bits can be modified when a Windows NT client is manipulating
5737 the UNIX permission on a file using the native NT security
5740 This parameter is applied as a mask (AND'ed with) to
5741 the changed permission bits, thus preventing any bits not in
5742 this mask from being modified. Essentially, zero bits in this
5743 mask may be treated as a set of bits the user is not allowed
5746 If not set explicitly this parameter is 0777, allowing
5747 a user to modify all the user/group/world permissions on a file.
5749 \fBNote\fR that users who can access the
5750 Samba server through other means can easily bypass this
5751 restriction, so it is primarily useful for standalone
5752 "appliance" systems. Administrators of most normal systems will
5753 probably want to leave it set to 0777.
5755 See also the \fIforce directory security mode\fR,
5757 security mask\fR, \fIforce security mode\fR parameters.
5759 Default: \fBsecurity mask = 0777\fR
5761 Example: \fBsecurity mask = 0770\fR
5763 \fBserver string (G)\fR
5764 This controls what string will show up in the
5765 printer comment box in print manager and next to the IPC connection
5766 in \fBnet view"\fR. It can be any string that you wish
5767 to show to your users.
5769 It also sets what will appear in browse lists next
5770 to the machine name.
5772 A \fI%v\fR will be replaced with the Samba
5775 A \fI%h\fR will be replaced with the
5778 Default: \fBserver string = Samba %v\fR
5780 Example: \fBserver string = University of GNUs Samba
5783 \fBset directory (S)\fR
5784 If \fBset directory = no\fR, then
5785 users of the service may not use the setdir command to change
5788 The \fBsetdir\fR command is only implemented
5789 in the Digital Pathworks client. See the Pathworks documentation
5792 Default: \fBset directory = no\fR
5794 \fBshare modes (S)\fR
5795 This enables or disables the honoring of
5796 the \fIshare modes\fR during a file open. These
5797 modes are used by clients to gain exclusive read or write access
5800 These open modes are not directly supported by UNIX, so
5801 they are simulated using shared memory, or lock files if your
5802 UNIX doesn't support shared memory (almost all do).
5804 The share modes that are enabled by this option are
5806 DENY_READ, DENY_WRITE,
5807 DENY_NONE and DENY_FCB.
5809 This option gives full share compatibility and enabled
5812 You should \fBNEVER\fR turn this parameter
5813 off as many Windows applications will break if you do so.
5815 Default: \fBshare modes = yes\fR
5817 \fBshort preserve case (S)\fR
5818 This boolean parameter controls if new files
5819 which conform to 8.3 syntax, that is all in upper case and of
5820 suitable length, are created upper case, or if they are forced
5821 to be the \fIdefault case
5822 \fR\&. This option can be use with \fBpreserve case = yes\fR
5823 to permit long filenames to retain their case, while short
5826 See the section on NAME MANGLING.
5828 Default: \fBshort preserve case = yes\fR
5830 \fBshow add printer wizard (G)\fR
5831 With the introduction of MS-RPC based printing support
5832 for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will
5833 appear on Samba hosts in the share listing. Normally this folder will
5834 contain an icon for the MS Add Printer Wizard (APW). However, it is
5835 possible to disable this feature regardless of the level of privilege
5836 of the connected user.
5838 Under normal circumstances, the Windows NT/2000 client will
5839 open a handle on the printer server with OpenPrinterEx() asking for
5840 Administrator privileges. If the user does not have administrative
5841 access on the print server (i.e is not root or a member of the
5842 \fIprinter admin\fR group), the OpenPrinterEx()
5843 call fails and the clients another open call with a request for
5844 a lower privilege level. This should succeed, however the APW
5845 icon will not be displayed.
5847 Disabling the \fIshow add printer wizard\fR
5848 parameter will always cause the OpenPrinterEx() on the server
5849 to fail. Thus the APW icon will never be displayed. \fB Note :\fRThis does not prevent the same user from having
5850 administrative privilege on an individual printer.
5852 See also \fIaddprinter
5853 command\fR, \fIdeleteprinter command\fR, \fIprinter admin\fR
5855 Default :\fBshow add printer wizard = yes\fR
5857 \fBsmb passwd file (G)\fR
5858 This option sets the path to the encrypted
5859 smbpasswd file. By default the path to the smbpasswd file
5860 is compiled into Samba.
5862 Default: \fBsmb passwd file = ${prefix}/private/smbpasswd
5864 Example: \fBsmb passwd file = /etc/samba/smbpasswd
5866 \fBsocket address (G)\fR
5867 This option allows you to control what
5868 address Samba will listen for connections on. This is used to
5869 support multiple virtual interfaces on the one server, each
5870 with a different configuration.
5872 By default samba will accept connections on any
5875 Example: \fBsocket address = 192.168.2.20\fR
5877 \fBsocket options (G)\fR
5878 This option allows you to set socket options
5879 to be used when talking with the client.
5881 Socket options are controls on the networking layer
5882 of the operating systems which allow the connection to be
5885 This option will typically be used to tune your Samba
5886 server for optimal performance for your local network. There is
5887 no way that Samba can know what the optimal parameters are for
5888 your net, so you must experiment and choose them yourself. We
5889 strongly suggest you read the appropriate documentation for your
5890 operating system first (perhaps \fBman setsockopt\fR
5893 You may find that on some systems Samba will say
5894 "Unknown socket option" when you supply an option. This means you
5895 either incorrectly typed it or you need to add an include file
5896 to includes.h for your OS. If the latter is the case please
5897 send the patch to samba@samba.org <URL:mailto:samba@samba.org>.
5899 Any of the supported socket options may be combined
5900 in any way you like, as long as your OS allows it.
5902 This is the list of socket options currently settable
5937 Those marked with a \fB'*'\fR take an integer
5938 argument. The others can optionally take a 1 or 0 argument to enable
5939 or disable the option, by default they will be enabled if you
5940 don't specify 1 or 0.
5943 To specify an argument use the syntax SOME_OPTION=VALUE
5944 for example \fBSO_SNDBUF=8192\fR. Note that you must
5945 not have any spaces before or after the = sign.
5948 If you are on a local network then a sensible option
5952 \fBsocket options = IPTOS_LOWDELAY\fR
5955 If you have a local network then you could try:
5958 \fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR
5961 If you are on a wide area network then perhaps try
5962 setting IPTOS_THROUGHPUT.
5965 Note that several of the options may cause your Samba
5966 server to fail completely. Use these options with caution!
5969 Default: \fBsocket options = TCP_NODELAY\fR
5972 Example: \fBsocket options = IPTOS_LOWDELAY\fR
5975 \fBsource environment (G)\fR
5976 This parameter causes Samba to set environment
5977 variables as per the content of the file named.
5979 If the value of this parameter starts with a "|" character
5980 then Samba will treat that value as a pipe command to open and
5981 will set the environment variables from the output of the pipe.
5983 The contents of the file or the output of the pipe should
5984 be formatted as the output of the standard Unix \fBenv(1)
5985 \fRcommand. This is of the form :
5987 Example environment entry:
5989 \fBSAMBA_NETBIOS_NAME=myhostname\fR
5991 Default: \fBNo default value\fR
5993 Examples: \fBsource environment = |/etc/smb.conf.sh
5995 Example: \fBsource environment =
5996 /usr/local/smb_env_vars\fR
5999 This variable is part of SSL-enabled Samba. This
6000 is only available if the SSL libraries have been compiled on your
6001 system and the configure option \fB--with-ssl\fR was
6002 given at configure time.
6004 \fBNote\fR that for export control reasons
6005 this code is \fBNOT\fR enabled by default in any
6006 current binary version of Samba.
6008 This variable enables or disables the entire SSL mode. If
6009 it is set to no, the SSL enabled samba behaves
6010 exactly like the non-SSL samba. If set to yes,
6011 it depends on the variables \fI ssl hosts\fR and \fIssl hosts resign\fR whether an SSL
6012 connection will be required.
6014 Default: \fBssl=no\fR
6016 \fBssl CA certDir (G)\fR
6017 This variable is part of SSL-enabled Samba. This
6018 is only available if the SSL libraries have been compiled on your
6019 system and the configure option \fB--with-ssl\fR was
6020 given at configure time.
6022 \fBNote\fR that for export control reasons
6023 this code is \fBNOT\fR enabled by default in any
6024 current binary version of Samba.
6026 This variable defines where to look up the Certification
6027 Authorities. The given directory should contain one file for
6028 each CA that samba will trust. The file name must be the hash
6029 value over the "Distinguished Name" of the CA. How this directory
6030 is set up is explained later in this document. All files within the
6031 directory that don't fit into this naming scheme are ignored. You
6032 don't need this variable if you don't verify client certificates.
6034 Default: \fBssl CA certDir = /usr/local/ssl/certs
6036 \fBssl CA certFile (G)\fR
6037 This variable is part of SSL-enabled Samba. This
6038 is only available if the SSL libraries have been compiled on your
6039 system and the configure option \fB--with-ssl\fR was
6040 given at configure time.
6042 \fBNote\fR that for export control reasons
6043 this code is \fBNOT\fR enabled by default in any
6044 current binary version of Samba.
6046 This variable is a second way to define the trusted CAs.
6047 The certificates of the trusted CAs are collected in one big
6048 file and this variable points to the file. You will probably
6049 only use one of the two ways to define your CAs. The first choice is
6050 preferable if you have many CAs or want to be flexible, the second
6051 is preferable if you only have one CA and want to keep things
6052 simple (you won't need to create the hashed file names). You
6053 don't need this variable if you don't verify client certificates.
6055 Default: \fBssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
6057 \fBssl ciphers (G)\fR
6058 This variable is part of SSL-enabled Samba. This
6059 is only available if the SSL libraries have been compiled on your
6060 system and the configure option \fB--with-ssl\fR was
6061 given at configure time.
6063 \fBNote\fR that for export control reasons
6064 this code is \fBNOT\fR enabled by default in any
6065 current binary version of Samba.
6067 This variable defines the ciphers that should be offered
6068 during SSL negotiation. You should not set this variable unless
6069 you know what you are doing.
6071 \fBssl client cert (G)\fR
6072 This variable is part of SSL-enabled Samba. This
6073 is only available if the SSL libraries have been compiled on your
6074 system and the configure option \fB--with-ssl\fR was
6075 given at configure time.
6077 \fBNote\fR that for export control reasons
6078 this code is \fBNOT\fR enabled by default in any
6079 current binary version of Samba.
6081 The certificate in this file is used by \fBsmbclient(1)\fRif it exists. It's needed
6082 if the server requires a client certificate.
6084 Default: \fBssl client cert = /usr/local/ssl/certs/smbclient.pem
6086 \fBssl client key (G)\fR
6087 This variable is part of SSL-enabled Samba. This
6088 is only available if the SSL libraries have been compiled on your
6089 system and the configure option \fB--with-ssl\fR was
6090 given at configure time.
6092 \fBNote\fR that for export control reasons
6093 this code is \fBNOT\fR enabled by default in any
6094 current binary version of Samba.
6096 This is the private key for \fBsmbclient(1)\fR. It's only needed if the
6097 client should have a certificate.
6099 Default: \fBssl client key = /usr/local/ssl/private/smbclient.pem
6101 \fBssl compatibility (G)\fR
6102 This variable is part of SSL-enabled Samba. This
6103 is only available if the SSL libraries have been compiled on your
6104 system and the configure option \fB--with-ssl\fR was
6105 given at configure time.
6107 \fBNote\fR that for export control reasons
6108 this code is \fBNOT\fR enabled by default in any
6109 current binary version of Samba.
6111 This variable defines whether SSLeay should be configured
6112 for bug compatibility with other SSL implementations. This is
6113 probably not desirable because currently no clients with SSL
6114 implementations other than SSLeay exist.
6116 Default: \fBssl compatibility = no\fR
6119 See \fI ssl hosts resign\fR.
6121 \fBssl hosts resign (G)\fR
6122 This variable is part of SSL-enabled Samba. This
6123 is only available if the SSL libraries have been compiled on your
6124 system and the configure option \fB--with-ssl\fR was
6125 given at configure time.
6127 \fBNote\fR that for export control reasons
6128 this code is \fBNOT\fR enabled by default in any
6129 current binary version of Samba.
6131 These two variables define whether samba will go
6132 into SSL mode or not. If none of them is defined, samba will
6133 allow only SSL connections. If the \fIssl hosts\fR variable lists
6134 hosts (by IP-address, IP-address range, net group or name),
6135 only these hosts will be forced into SSL mode. If the \fI ssl hosts resign\fR variable lists hosts, only these
6136 hosts will NOT be forced into SSL mode. The syntax for these two
6137 variables is the same as for the \fI hosts allow\fR and \fIhosts deny\fR pair of variables, only
6138 that the subject of the decision is different: It's not the access
6139 right but whether SSL is used or not.
6141 The example below requires SSL connections from all hosts
6142 outside the local net (which is 192.168.*.*).
6144 Default: \fBssl hosts = <empty string>\fR
6146 \fBssl hosts resign = <empty string>\fR
6148 Example: \fBssl hosts resign = 192.168.\fR
6150 \fBssl require clientcert (G)\fR
6151 This variable is part of SSL-enabled Samba. This
6152 is only available if the SSL libraries have been compiled on your
6153 system and the configure option \fB--with-ssl\fR was
6154 given at configure time.
6156 \fBNote\fR that for export control reasons
6157 this code is \fBNOT\fR enabled by default in any
6158 current binary version of Samba.
6160 If this variable is set to yes, the
6161 server will not tolerate connections from clients that don't
6162 have a valid certificate. The directory/file given in \fIssl CA certDir\fR
6163 and \fIssl CA certFile
6164 \fRwill be used to look up the CAs that issued
6165 the client's certificate. If the certificate can't be verified
6166 positively, the connection will be terminated. If this variable
6167 is set to no, clients don't need certificates.
6168 Contrary to web applications you really \fBshould\fR
6169 require client certificates. In the web environment the client's
6170 data is sensitive (credit card numbers) and the server must prove
6171 to be trustworthy. In a file server environment the server's data
6172 will be sensitive and the clients must prove to be trustworthy.
6174 Default: \fBssl require clientcert = no\fR
6176 \fBssl require servercert (G)\fR
6177 This variable is part of SSL-enabled Samba. This
6178 is only available if the SSL libraries have been compiled on your
6179 system and the configure option \fB--with-ssl\fR was
6180 given at configure time.
6182 \fBNote\fR that for export control reasons
6183 this code is \fBNOT\fR enabled by default in any
6184 current binary version of Samba.
6186 If this variable is set to yes, the
6188 will request a certificate from the server. Same as
6190 clientcert\fR for the server.
6192 Default: \fBssl require servercert = no\fR
6194 \fBssl server cert (G)\fR
6195 This variable is part of SSL-enabled Samba. This
6196 is only available if the SSL libraries have been compiled on your
6197 system and the configure option \fB--with-ssl\fR was
6198 given at configure time.
6200 \fBNote\fR that for export control reasons
6201 this code is \fBNOT\fR enabled by default in any
6202 current binary version of Samba.
6204 This is the file containing the server's certificate.
6205 The server \fBmust\fR have a certificate. The
6206 file may also contain the server's private key. See later for
6207 how certificates and private keys are created.
6209 Default: \fBssl server cert = <empty string>
6211 \fBssl server key (G)\fR
6212 This variable is part of SSL-enabled Samba. This
6213 is only available if the SSL libraries have been compiled on your
6214 system and the configure option \fB--with-ssl\fR was
6215 given at configure time.
6217 \fBNote\fR that for export control reasons
6218 this code is \fBNOT\fR enabled by default in any
6219 current binary version of Samba.
6221 This file contains the private key of the server. If
6222 this variable is not defined, the key is looked up in the
6223 certificate file (it may be appended to the certificate).
6224 The server \fBmust\fR have a private key
6225 and the certificate \fBmust\fR
6226 match this private key.
6228 Default: \fBssl server key = <empty string>
6230 \fBssl version (G)\fR
6231 This variable is part of SSL-enabled Samba. This
6232 is only available if the SSL libraries have been compiled on your
6233 system and the configure option \fB--with-ssl\fR was
6234 given at configure time.
6236 \fBNote\fR that for export control reasons
6237 this code is \fBNOT\fR enabled by default in any
6238 current binary version of Samba.
6240 This enumeration variable defines the versions of the
6241 SSL protocol that will be used. ssl2or3 allows
6242 dynamic negotiation of SSL v2 or v3, ssl2 results
6243 in SSL v2, ssl3 results in SSL v3 and
6244 tls1 results in TLS v1. TLS (Transport Layer
6245 Security) is the new standard for SSL.
6247 Default: \fBssl version = "ssl2or3"\fR
6249 \fBstat cache (G)\fR
6250 This parameter determines if smbd(8)will use a cache in order to
6251 speed up case insensitive name mappings. You should never need
6252 to change this parameter.
6254 Default: \fBstat cache = yes\fR
6256 \fBstat cache size (G)\fR
6257 This parameter determines the number of
6258 entries in the \fIstat cache\fR. You should
6259 never need to change this parameter.
6261 Default: \fBstat cache size = 50\fR
6264 This enables or disables logging of connections
6265 to a status file that smbstatus(1)can read.
6267 With this disabled \fBsmbstatus\fR won't be able
6268 to tell you what connections are active. You should never need to
6269 change this parameter.
6271 Default: \fBstatus = yes\fR
6273 \fBstrict locking (S)\fR
6274 This is a boolean that controls the handling of
6275 file locking in the server. When this is set to yes
6276 the server will check every read and write access for file locks, and
6277 deny access if locks exist. This can be slow on some systems.
6279 When strict locking is no the server does file
6280 lock checks only when the client explicitly asks for them.
6282 Well behaved clients always ask for lock checks when it
6283 is important, so in the vast majority of cases \fBstrict
6284 locking = no\fR is preferable.
6286 Default: \fBstrict locking = no\fR
6288 \fBstrict sync (S)\fR
6289 Many Windows applications (including the Windows
6290 98 explorer shell) seem to confuse flushing buffer contents to
6291 disk with doing a sync to disk. Under UNIX, a sync call forces
6292 the process to be suspended until the kernel has ensured that
6293 all outstanding data in kernel disk buffers has been safely stored
6294 onto stable storage. This is very slow and should only be done
6295 rarely. Setting this parameter to no (the
6296 default) means that smbd ignores the Windows applications requests for
6297 a sync call. There is only a possibility of losing data if the
6298 operating system itself that Samba is running on crashes, so there is
6299 little danger in this default setting. In addition, this fixes many
6300 performance problems that people have reported with the new Windows98
6301 explorer shell file copies.
6303 See also the \fIsync
6304 always>\fR parameter.
6306 Default: \fBstrict sync = no\fR
6309 This is a boolean that controls whether to
6310 strip trailing dots off UNIX filenames. This helps with some
6311 CDROMs that have filenames ending in a single dot.
6313 Default: \fBstrip dot = no\fR
6315 \fBsync always (S)\fR
6316 This is a boolean parameter that controls
6317 whether writes will always be written to stable storage before
6318 the write call returns. If this is false then the server will be
6319 guided by the client's request in each write call (clients can
6320 set a bit indicating that a particular write should be synchronous).
6321 If this is true then every write will be followed by a \fBfsync()
6322 \fRcall to ensure the data is written to disk. Note that
6323 the \fIstrict sync\fR parameter must be set to
6324 yes in order for this parameter to have
6327 See also the \fIstrict
6330 Default: \fBsync always = no\fR
6333 This parameter maps how Samba debug messages
6334 are logged onto the system syslog logging levels. Samba debug
6335 level zero maps onto syslog LOG_ERR, debug
6336 level one maps onto LOG_WARNING, debug level
6337 two maps onto LOG_NOTICE, debug level three
6338 maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.
6340 This parameter sets the threshold for sending messages
6341 to syslog. Only messages with debug level less than this value
6342 will be sent to syslog.
6344 Default: \fBsyslog = 1\fR
6346 \fBsyslog only (G)\fR
6347 If this parameter is set then Samba debug
6348 messages are logged into the system syslog only, and not to
6349 the debug log files.
6351 Default: \fBsyslog only = no\fR
6353 \fBtemplate homedir (G)\fR
6354 \fBNOTE:\fR this parameter is
6355 only available in Samba 3.0.
6357 When filling out the user information for a Windows NT
6358 user, the winbindd(8)daemon
6359 uses this parameter to fill in the home directory for that user.
6360 If the string \fI%D\fR is present it is substituted
6361 with the user's Windows NT domain name. If the string \fI%U
6362 \fRis present it is substituted with the user's Windows
6365 Default: \fBtemplate homedir = /home/%D/%U\fR
6367 \fBtemplate shell (G)\fR
6368 \fBNOTE:\fR this parameter is
6369 only available in Samba 3.0.
6371 When filling out the user information for a Windows NT
6372 user, the winbindd(8)daemon
6373 uses this parameter to fill in the login shell for that user.
6375 Default: \fBtemplate shell = /bin/false\fR
6377 \fBtime offset (G)\fR
6378 This parameter is a setting in minutes to add
6379 to the normal GMT to local time conversion. This is useful if
6380 you are serving a lot of PCs that have incorrect daylight
6381 saving time handling.
6383 Default: \fBtime offset = 0\fR
6385 Example: \fBtime offset = 60\fR
6387 \fBtime server (G)\fR
6388 This parameter determines if
6389 nmbd(8)advertises itself as a time server to Windows
6392 Default: \fBtime server = no\fR
6394 \fBtimestamp logs (G)\fR
6395 Synonym for \fI debug timestamp\fR.
6397 \fBtotal print jobs (G)\fR
6398 This parameter accepts an integer value which defines
6399 a limit on the maximum number of print jobs that will be accepted
6400 system wide at any given time. If a print job is submitted
6401 by a client which will exceed this number, then smbd will return an
6402 error indicating that no space is available on the server. The
6403 default value of 0 means that no such limit exists. This parameter
6404 can be used to prevent a server from exceeding its capacity and is
6405 designed as a printing throttle. See also
6406 \fImax print jobs\fR.
6408 Default: \fBtotal print jobs = 0\fR
6410 Example: \fBtotal print jobs = 5000\fR
6412 \fBunix password sync (G)\fR
6413 This boolean parameter controls whether Samba
6414 attempts to synchronize the UNIX password with the SMB password
6415 when the encrypted SMB password in the smbpasswd file is changed.
6416 If this is set to true the program specified in the \fIpasswd
6417 program\fRparameter is called \fBAS ROOT\fR -
6418 to allow the new UNIX password to be set without access to the
6419 old UNIX password (as the SMB password has change code has no
6420 access to the old password cleartext, only the new).
6423 program\fR, \fI passwd chat\fR.
6425 Default: \fBunix password sync = no\fR
6427 \fBupdate encrypted (G)\fR
6428 This boolean parameter allows a user logging
6429 on with a plaintext password to have their encrypted (hashed)
6430 password in the smbpasswd file to be updated automatically as
6431 they log on. This option allows a site to migrate from plaintext
6432 password authentication (users authenticate with plaintext
6433 password over the wire, and are checked against a UNIX account
6434 database) to encrypted password authentication (the SMB
6435 challenge/response authentication mechanism) without forcing
6436 all users to re-enter their passwords via smbpasswd at the time the
6437 change is made. This is a convenience option to allow the change over
6438 to encrypted passwords to be made over a longer period. Once all users
6439 have encrypted representations of their passwords in the smbpasswd
6440 file this parameter should be set to no.
6442 In order for this parameter to work correctly the \fIencrypt passwords\fR
6443 parameter must be set to no when
6444 this parameter is set to yes.
6446 Note that even when this parameter is set a user
6447 authenticating to \fBsmbd\fR must still enter a valid
6448 password in order to connect correctly, and to update their hashed
6449 (smbpasswd) passwords.
6451 Default: \fBupdate encrypted = no\fR
6453 \fBuse rhosts (G)\fR
6454 If this global parameter is a true, it specifies
6455 that the UNIX users \fI.rhosts\fR file in their home directory
6456 will be read to find the names of hosts and users who will be allowed
6457 access without specifying a password.
6459 \fBNOTE:\fR The use of \fIuse rhosts
6460 \fRcan be a major security hole. This is because you are
6461 trusting the PC to supply the correct username. It is very easy to
6462 get a PC to supply a false username. I recommend that the \fI use rhosts\fR option be only used if you really know what
6465 Default: \fBuse rhosts = no\fR
6468 Synonym for \fI username\fR.
6471 Synonym for \fI username\fR.
6474 Multiple users may be specified in a comma-delimited
6475 list, in which case the supplied password will be tested against
6476 each username in turn (left to right).
6478 The \fIusername\fR line is needed only when
6479 the PC is unable to supply its own username. This is the case
6480 for the COREPLUS protocol or where your users have different WfWg
6481 usernames to UNIX usernames. In both these cases you may also be
6482 better using the \\\\server\\share%user syntax instead.
6484 The \fIusername\fR line is not a great
6485 solution in many cases as it means Samba will try to validate
6486 the supplied password against each of the usernames in the
6487 \fIusername\fR line in turn. This is slow and
6488 a bad idea for lots of users in case of duplicate passwords.
6489 You may get timeouts or security breaches using this parameter
6492 Samba relies on the underlying UNIX security. This
6493 parameter does not restrict who can login, it just offers hints
6494 to the Samba server as to what usernames might correspond to the
6495 supplied password. Users can login as whoever they please and
6496 they will be able to do no more damage than if they started a
6497 telnet session. The daemon runs as the user that they log in as,
6498 so they cannot do anything that user cannot do.
6500 To restrict a service to a particular set of users you
6501 can use the \fIvalid users
6504 If any of the usernames begin with a '@' then the name
6505 will be looked up first in the yp netgroups list (if Samba
6506 is compiled with netgroup support), followed by a lookup in
6507 the UNIX groups database and will expand to a list of all users
6508 in the group of that name.
6510 If any of the usernames begin with a '+' then the name
6511 will be looked up only in the UNIX groups database and will
6512 expand to a list of all users in the group of that name.
6514 If any of the usernames begin with a '&'then the name
6515 will be looked up only in the yp netgroups database (if Samba
6516 is compiled with netgroup support) and will expand to a list
6517 of all users in the netgroup group of that name.
6519 Note that searching though a groups database can take
6520 quite some time, and some clients may time out during the
6523 See the section NOTE ABOUT
6524 USERNAME/PASSWORD VALIDATION for more information on how
6525 this parameter determines access to the services.
6527 Default: \fBThe guest account if a guest service,
6528 else <empty string>.\fR
6530 Examples:\fBusername = fred, mary, jack, jane,
6533 \fBusername level (G)\fR
6534 This option helps Samba to try and 'guess' at
6535 the real UNIX username, as many DOS clients send an all-uppercase
6536 username. By default Samba tries all lowercase, followed by the
6537 username with the first letter capitalized, and fails if the
6538 username is not found on the UNIX machine.
6540 If this parameter is set to non-zero the behavior changes.
6541 This parameter is a number that specifies the number of uppercase
6542 combinations to try while trying to determine the UNIX user name. The
6543 higher the number the more combinations will be tried, but the slower
6544 the discovery of usernames will be. Use this parameter when you have
6545 strange usernames on your UNIX machine, such as AstrangeUser
6548 Default: \fBusername level = 0\fR
6550 Example: \fBusername level = 5\fR
6552 \fBusername map (G)\fR
6553 This option allows you to specify a file containing
6554 a mapping of usernames from the clients to the server. This can be
6555 used for several purposes. The most common is to map usernames
6556 that users use on DOS or Windows machines to those that the UNIX
6557 box uses. The other is to map multiple users to a single username
6558 so that they can more easily share files.
6560 The map file is parsed line by line. Each line should
6561 contain a single UNIX username on the left then a '=' followed
6562 by a list of usernames on the right. The list of usernames on the
6563 right may contain names of the form @group in which case they
6564 will match any UNIX username in that group. The special client
6565 name '*' is a wildcard and matches any name. Each line of the
6566 map file may be up to 1023 characters long.
6568 The file is processed on each line by taking the
6569 supplied username and comparing it with each username on the right
6570 hand side of the '=' signs. If the supplied name matches any of
6571 the names on the right hand side then it is replaced with the name
6572 on the left. Processing then continues with the next line.
6574 If any line begins with a '#' or a ';' then it is
6577 If any line begins with an '!' then the processing
6578 will stop after that line if a mapping was done by the line.
6579 Otherwise mapping continues with every line being processed.
6580 Using '!' is most useful when you have a wildcard mapping line
6583 For example to map from the name admin
6584 or administrator to the UNIX name root you would use:
6586 \fBroot = admin administrator\fR
6588 Or to map anyone in the UNIX group system
6589 to the UNIX name sys you would use:
6593 You can have as many mappings as you like in a username
6596 If your system supports the NIS NETGROUP option then
6597 the netgroup database is checked before the \fI/etc/group
6598 \fRdatabase for matching groups.
6600 You can map Windows usernames that have spaces in them
6601 by using double quotes around the name. For example:
6603 \fBtridge = "Andrew Tridgell"\fR
6605 would map the windows username "Andrew Tridgell" to the
6606 unix username "tridge".
6608 The following example would map mary and fred to the
6609 unix user sys, and map the rest to guest. Note the use of the
6610 \&'!' to tell Samba to stop processing if it gets a match on
6621 Note that the remapping is applied to all occurrences
6622 of usernames. Thus if you connect to \\\\server\\fred and fred is remapped to mary then you
6623 will actually be connecting to \\\\server\\mary and will need to
6624 supply a password suitable for mary not
6625 fred. The only exception to this is the
6626 username passed to the \fI password server\fR (if you have one). The password
6627 server will receive whatever username the client supplies without
6630 Also note that no reverse mapping is done. The main effect
6631 this has is with printing. Users who have been mapped may have
6632 trouble deleting print jobs as PrintManager under WfWg will think
6633 they don't own the print job.
6635 Default: \fBno username map\fR
6637 Example: \fBusername map = /usr/local/samba/lib/users.map
6640 This boolean parameter is only available if
6641 Samba has been configured and compiled with the option \fB --with-utmp\fR. If set to True then Samba will attempt
6642 to add utmp or utmpx records (depending on the UNIX system) whenever a
6643 connection is made to a Samba server. Sites may use this to record the
6644 user connecting to a Samba share.
6646 See also the \fI utmp directory\fR parameter.
6648 Default: \fButmp = no\fR
6650 \fButmp directory(G)\fR
6651 This parameter is only available if Samba has
6652 been configured and compiled with the option \fB --with-utmp\fR. It specifies a directory pathname that is
6653 used to store the utmp or utmpx files (depending on the UNIX system) that
6654 record user connections to a Samba server. See also the \fIutmp\fR parameter. By default this is
6655 not set, meaning the system will use whatever utmp file the
6656 native system is set to use (usually
6657 \fI/var/run/utmp\fR on Linux).
6659 Default: \fBno utmp directory\fR
6661 \fBvalid chars (G)\fR
6662 The option allows you to specify additional
6663 characters that should be considered valid by the server in
6664 filenames. This is particularly useful for national character
6665 sets, such as adding u-umlaut or a-ring.
6667 The option takes a list of characters in either integer
6668 or character form with spaces between them. If you give two
6669 characters with a colon between them then it will be taken as
6670 an lowercase:uppercase pair.
6672 If you have an editor capable of entering the characters
6673 into the config file then it is probably easiest to use this
6674 method. Otherwise you can specify the characters in octal,
6675 decimal or hexadecimal form using the usual C notation.
6677 For example to add the single character 'Z' to the charset
6678 (which is a pointless thing to do as it's already there) you could
6679 do one of the following
6685 valid chars = 0132:0172
6690 The last two examples above actually add two characters,
6691 and alter the uppercase and lowercase mappings appropriately.
6693 Note that you \fBMUST\fR specify this parameter
6694 after the \fIclient code page\fR parameter if you
6695 have both set. If \fIclient code page\fR is set after
6696 the \fIvalid chars\fR parameter the \fIvalid
6697 chars\fR settings will be overwritten.
6699 See also the \fIclient
6700 code page\fR parameter.
6702 Default: \fBSamba defaults to using a reasonable set
6703 of valid characters for English systems\fR
6705 Example: \fBvalid chars = 0345:0305 0366:0326 0344:0304
6707 The above example allows filenames to have the Swedish
6710 \fBNOTE:\fR It is actually quite difficult to
6711 correctly produce a \fIvalid chars\fR line for
6712 a particular system. To automate the process tino@augsburg.net <URL:mailto:tino@augsburg.net> has written
6713 a package called \fBvalidchars\fR which will automatically
6714 produce a complete \fIvalid chars\fR line for
6715 a given client system. Look in the \fIexamples/validchars/
6716 \fRsubdirectory of your Samba source code distribution
6719 \fBvalid users (S)\fR
6720 This is a list of users that should be allowed
6721 to login to this service. Names starting with '@', '+' and '&'
6722 are interpreted using the same rules as described in the
6723 \fIinvalid users\fR parameter.
6725 If this is empty (the default) then any user can login.
6726 If a username is in both this list and the \fIinvalid
6727 users\fR list then access is denied for that user.
6729 The current servicename is substituted for \fI%S
6730 \fR\&. This is useful in the [homes] section.
6732 See also \fIinvalid users
6734 Default: \fBNo valid users list (anyone can login)
6736 Example: \fBvalid users = greg, @pcusers\fR
6739 This is a list of files and directories that
6740 are neither visible nor accessible. Each entry in the list must
6741 be separated by a '/', which allows spaces to be included
6742 in the entry. '*' and '?' can be used to specify multiple files
6743 or directories as in DOS wildcards.
6745 Each entry must be a unix path, not a DOS path and
6746 must \fBnot\fR include the unix directory
6749 Note that the \fIcase sensitive\fR option
6750 is applicable in vetoing files.
6752 One feature of the veto files parameter that it is important
6753 to be aware of, is that if a directory contains nothing but files
6754 that match the veto files parameter (which means that Windows/DOS
6755 clients cannot ever see them) is deleted, the veto files within
6756 that directory \fBare automatically deleted\fR along
6757 with it, if the user has UNIX permissions to do so.
6759 Setting this parameter will affect the performance
6760 of Samba, as it will be forced to check all files and directories
6761 for a match as they are scanned.
6763 See also \fIhide files
6764 \fRand \fI case sensitive\fR.
6766 Default: \fBNo files or directories are vetoed.
6771 ; Veto any files containing the word Security,
6772 ; any ending in .tmp, and any directory containing the
6774 veto files = /*Security*/*.tmp/*root*/
6776 ; Veto the Apple specific files that a NetAtalk server
6778 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
6783 \fBveto oplock files (S)\fR
6784 This parameter is only valid when the \fIoplocks\fR
6785 parameter is turned on for a share. It allows the Samba administrator
6786 to selectively turn off the granting of oplocks on selected files that
6787 match a wildcarded list, similar to the wildcarded list used in the
6791 Default: \fBNo files are vetoed for oplock
6794 You might want to do this on files that you know will
6795 be heavily contended for by clients. A good example of this
6796 is in the NetBench SMB benchmark program, which causes heavy
6797 client contention for files ending in \fI.SEM\fR.
6798 To cause Samba not to grant oplocks on these files you would use
6799 the line (either in the [global] section or in the section for
6800 the particular NetBench share :
6802 Example: \fBveto oplock files = /*;.SEM/
6804 \fBvfs object (S)\fR
6805 This parameter specifies a shared object file that
6806 is used for Samba VFS I/O operations. By default, normal
6807 disk I/O operations are used but these can be overloaded
6808 with a VFS object. The Samba VFS layer is new to Samba 2.2 and
6809 must be enabled at compile time with --with-vfs.
6811 Default : \fBno value\fR
6813 \fBvfs options (S)\fR
6814 This parameter allows parameters to be passed
6815 to the vfs layer at initialisation time. The Samba VFS layer
6816 is new to Samba 2.2 and must be enabled at compile time
6817 with --with-vfs. See also \fI vfs object\fR.
6819 Default : \fBno value\fR
6822 This allows you to override the volume label
6823 returned for a share. Useful for CDROMs with installation programs
6824 that insist on a particular volume label.
6826 Default: \fBthe name of the share\fR
6828 \fBwide links (S)\fR
6829 This parameter controls whether or not links
6830 in the UNIX file system may be followed by the server. Links
6831 that point to areas within the directory tree exported by the
6832 server are always allowed; this parameter controls access only
6833 to areas that are outside the directory tree being exported.
6835 Note that setting this parameter can have a negative
6836 effect on your server performance due to the extra system calls
6837 that Samba has to do in order to perform the link checks.
6839 Default: \fBwide links = yes\fR
6841 \fBwinbind cache time\fR
6842 \fBNOTE:\fR this parameter is only
6843 available in Samba 3.0.
6845 This parameter specifies the number of seconds the
6846 winbindd(8)daemon will cache
6847 user and group information before querying a Windows NT server
6850 Default: \fBwinbind cache type = 15\fR
6853 \fBNOTE:\fR this parameter is only
6854 available in Samba 3.0.
6856 The winbind gid parameter specifies the range of group
6857 ids that are allocated by the winbindd(8)daemon. This range of group ids should have no
6858 existing local or nis groups within it as strange conflicts can
6861 Default: \fBwinbind gid = <empty string>
6863 Example: \fBwinbind gid = 10000-20000\fR
6865 \fBwinbind separator\fR
6866 \fBNOTE:\fR this parameter is only
6867 available in Samba 3.0.
6869 This parameter allows an admin to define the character
6870 used when listing a username of the form of \fIDOMAIN
6871 \fR\\\fIuser\fR. This parameter
6872 is only applicable when using the \fIpam_winbind.so\fR
6873 and \fInss_winbind.so\fR modules for UNIX services.
6875 Example: \fBwinbind separator = \\\fR
6877 Example: \fBwinbind separator = +\fR
6880 \fBNOTE:\fR this parameter is only
6881 available in Samba 3.0.
6883 The winbind gid parameter specifies the range of group
6884 ids that are allocated by the winbindd(8)daemon. This range of ids should have no
6885 existing local or nis users within it as strange conflicts can
6888 Default: \fBwinbind uid = <empty string>
6890 Example: \fBwinbind uid = 10000-20000\fR
6893 When Samba is running as a WINS server this
6894 allows you to call an external program for all changes to the
6895 WINS database. The primary use for this option is to allow the
6896 dynamic update of external name resolution databases such as
6899 The wins hook parameter specifies the name of a script
6900 or executable that will be called as follows:
6902 \fBwins_hook operation name nametype ttl IP_list
6906 The first argument is the operation and is one
6907 of "add", "delete", or "refresh". In most cases the operation can
6908 be ignored as the rest of the parameters provide sufficient
6909 information. Note that "refresh" may sometimes be called when the
6910 name has not previously been added, in that case it should be treated
6914 The second argument is the netbios name. If the
6915 name is not a legal name then the wins hook is not called.
6916 Legal names contain only letters, digits, hyphens, underscores
6920 The third argument is the netbios name
6921 type as a 2 digit hexadecimal number.
6924 The fourth argument is the TTL (time to live)
6925 for the name in seconds.
6928 The fifth and subsequent arguments are the IP
6929 addresses currently registered for that name. If this list is
6930 empty then the name should be deleted.
6933 An example script that calls the BIND dynamic DNS update
6934 program \fBnsupdate\fR is provided in the examples
6935 directory of the Samba source code.
6938 \fBwins proxy (G)\fR
6939 This is a boolean that controls if nmbd(8)will respond to broadcast name
6940 queries on behalf of other hosts. You may need to set this
6941 to yes for some older clients.
6943 Default: \fBwins proxy = no\fR
6945 \fBwins server (G)\fR
6946 This specifies the IP address (or DNS name: IP
6947 address for preference) of the WINS server that nmbd(8)should register with. If you have a WINS server on
6948 your network then you should set this to the WINS server's IP.
6950 You should point this at your WINS server if you have a
6951 multi-subnetted network.
6953 \fBNOTE\fR. You need to set up Samba to point
6954 to a WINS server if you have multiple subnets and wish cross-subnet
6955 browsing to work correctly.
6957 See the documentation file \fIBROWSING.txt\fR
6958 in the docs/ directory of your Samba source distribution.
6960 Default: \fBnot enabled\fR
6962 Example: \fBwins server = 192.9.200.1\fR
6964 \fBwins support (G)\fR
6965 This boolean controls if the
6966 nmbd(8)process in Samba will act as a WINS server. You should
6967 not set this to true unless you have a multi-subnetted network and
6968 you wish a particular \fBnmbd\fR to be your WINS server.
6969 Note that you should \fBNEVER\fR set this to true
6970 on more than one machine in your network.
6972 Default: \fBwins support = no\fR
6975 This controls what workgroup your server will
6976 appear to be in when queried by clients. Note that this parameter
6977 also controls the Domain name used with the \fBsecurity=domain\fR
6980 Default: \fBset at compile time to WORKGROUP\fR
6982 Example: \fBworkgroup = MYGROUP\fR
6985 Synonym for \fI writeable\fR for people who can't spell :-).
6987 \fBwrite cache size (S)\fR
6988 If this integer parameter is set to non-zero value,
6989 Samba will create an in-memory cache for each oplocked file
6990 (it does \fBnot\fR do this for
6991 non-oplocked files). All writes that the client does not request
6992 to be flushed directly to disk will be stored in this cache if possible.
6993 The cache is flushed onto disk when a write comes in whose offset
6994 would not fit into the cache or when the file is closed by the client.
6995 Reads for the file are also served from this cache if the data is stored
6998 This cache allows Samba to batch client writes into a more
6999 efficient write size for RAID disks (ie. writes may be tuned to
7000 be the RAID stripe size) and can improve performance on systems
7001 where the disk subsystem is a bottleneck but there is free
7002 memory for userspace programs.
7004 The integer parameter specifies the size of this cache
7005 (per oplocked file) in bytes.
7007 Default: \fBwrite cache size = 0\fR
7009 Example: \fBwrite cache size = 262144\fR
7011 for a 256k cache size per file.
7013 \fBwrite list (S)\fR
7014 This is a list of users that are given read-write
7015 access to a service. If the connecting user is in this list then
7016 they will be given write access, no matter what the \fIwriteable\fR
7017 option is set to. The list can include group names using the
7020 Note that if a user is in both the read list and the
7021 write list then they will be given write access.
7023 See also the \fIread list
7026 Default: \fBwrite list = <empty string>
7028 Example: \fBwrite list = admin, root, @staff
7031 Synonym for \fI writeable\fR.
7034 This parameter controls whether or not the server
7035 will support raw writes SMB's when transferring data from clients.
7036 You should never need to change this parameter.
7038 Default: \fBwrite raw = yes\fR
7041 An inverted synonym is \fIread only\fR.
7043 If this parameter is no, then users
7044 of a service may not create or modify files in the service's
7047 Note that a printable service (\fBprintable = yes\fR)
7048 will \fBALWAYS\fR allow writing to the directory
7049 (user privileges permitting), but only via spooling operations.
7051 Default: \fBwriteable = no\fR
7054 Although the configuration file permits service names
7055 to contain spaces, your client software may not. Spaces will
7056 be ignored in comparisons anyway, so it shouldn't be a
7057 problem - but be aware of the possibility.
7059 On a similar note, many clients - especially DOS clients -
7060 limit service names to eight characters. smbd(8)
7061 has no such limitation, but attempts to connect from such
7062 clients will fail if they truncate the service names. For this reason
7063 you should probably keep your service names down to eight characters
7066 Use of the [homes] and [printers] special sections make life
7067 for an administrator easy, but the various combinations of default
7068 attributes can be tricky. Take extreme care when designing these
7069 sections. In particular, ensure that the permissions on spool
7070 directories are correct.
7073 This man page is correct for version 2.2 of
7085 \fBtestprns(1)\fR.SH "AUTHOR"
7087 The original Samba software and related utilities
7088 were created by Andrew Tridgell. Samba is now developed
7089 by the Samba Team as an Open Source project similar
7090 to the way the Linux kernel is developed.
7092 The original Samba man pages were written by Karl Auer.
7093 The man page sources were converted to YODL format (another
7094 excellent piece of Open Source software, available at
7095 ftp://ftp.icce.rug.nl/pub/unix/ <URL:ftp://ftp.icce.rug.nl/pub/unix/>) and updated for the Samba 2.0
7096 release by Jeremy Allison. The conversion to DocBook for
7097 Samba 2.2 was done by Gerald Carter