Revert to 3.4.7...for now?

git-svn-id: svn://svn.debian.org/svn/pkg-samba/trunk/samba@3416 fc4039ab-9d04-0410-8cac-899223bdd6b0
author: bubulle <bubulle@alioth.debian.org> 2010-04-06 18:12:47 +0000
committer: bubulle <bubulle@alioth.debian.org> 2010-04-06 18:12:47 +0000
commit: c038a4e9c09ba4ac77d885ac0afee418f41b8891 (patch)
tree: f5b2444727ff995f46dabbbf94863e9926501444 /docs/htmldocs/using_samba
parent: 9e2f5a6ab663f7a111832217c527508c75ddae8a (diff)
download: samba-c038a4e9c09ba4ac77d885ac0afee418f41b8891.tar.gz
163 files changed, 41924 insertions, 0 deletions
diff --git a/docs/htmldocs/using_samba/appa.html b/docs/htmldocs/using_samba/appa.html
new file mode 100644
index 0000000000..9f3dc4b56f
--- /dev/null
+++ b/docs/htmldocs/using_samba/appa.html
@@ -0,0 +1,362 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76" 
+hspace="10" align="left" />
+<h1 class="head0">Appendix A. Example Configuration Files</h1>
+
+
+<p>Earlier in this book, we provided information on how to set
+parameters inside the Samba configuration file, but rarely have we
+shown an example of a complete file that can actually be used to run
+a server. In this appendix, we provide examples of complete
+configuration files for running Samba in the various modes
+we've discussed. Using one of these examples, you
+can run Samba as a workgroup authentication server, workgroup server,
+primary domain controller, or domain member server.</p>
+
+<p>We have kept the examples simple so that they have the most universal
+application. They can be used as starting templates, which you can
+easily modify to fit your own needs, to get a Samba server up and
+running with minimal delay. The comments inside the files indicate
+what needs to be changed, and how, to work on a particular system on
+your network.</p>
+
+
+
+<div class="sect1"><a name="samba2-APP-A-SECT-1"/>
+
+<h2 class="head1">Samba in a Workgroup</h2>
+
+<p>If your network is configured as a workgroup, adding a Samba server
+is pretty simple. Samba even lets you add features, such as
+user-level security and WINS, that would normally require an
+expensive Windows NT/2000 Server.</p>
+
+
+<div class="sect2"><a name="samba2-APP-A-SECT-1.1"/>
+
+<h3 class="head2">Authentication and WINS Server</h3>
+
+<p>In a workgroup environment, Samba can be set up with share-level
+security and without offering WINS name service. This works and is
+simple, but we generally recommend that user-level security be
+enabled to allow Windows 95/98/Me systems to make use of it. Also, it
+only takes a single parameter to enable Samba as a WINS server,
+resulting in far better network efficiency.
+<a name="INDEX-1"/><a name="INDEX-2"/><a name="INDEX-3"/>Here is the configuration file
+that does it:</p>
+
+<blockquote><pre class="code">[global]
+    # replace &quot;toltec&quot; with your system's hostname
+
+    netbios name = toltec
+
+    # replace &quot;METRAN&quot; with the name of your workgroup
+
+    workgroup = METRAN
+
+    security = user
+    encrypt passwords = yes
+
+    # Run a WINS server
+
+    wins support = yes
+
+    # The following three lines ensure that the Samba
+    # server will maintain the role of master browser.
+    # Make sure no other Samba server has its OS level
+    # set higher than it is here.
+
+    local master = yes
+    preferred master = yes
+    os level = 65
+
+# Make home directories on the server available to users.
+
+[homes]
+    comment = %u's Home Directory
+    browsable = no
+    read only = no
+    map archive = yes
+
+# This is a shared directory, accessible by all
+# users. Use your own share name and path.
+
+[d]
+    path = /d
+    create mask = 0700
+    read only = no</pre></blockquote>
+
+<p>Generally, you will use a configuration file similar to this one when
+<a name="INDEX-4"/><a name="INDEX-5"/>adding your first Samba server to the
+workgroup.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-A-SECT-1.2"/>
+
+<h3 class="head2">Workgroup Server</h3>
+
+<p><a name="INDEX-6"/><a name="INDEX-7"/>Things are a
+little different if another system&mdash;either a Samba server or
+Windows NT/2000 server&mdash;is already handling WINS and/or
+authentication. In this case, Samba is configured to use that server
+for WINS. Here is a configuration file that does this:</p>
+
+<blockquote><pre class="code">[global]
+    # replace &quot;mixtec&quot; with your system's hostname
+
+    netbios name = mixtec
+
+    # replace &quot;METRAN&quot; with your workgroup name
+
+    workgroup = METRAN
+
+    security = user
+    encrypt passwords = yes
+
+    # Replace &quot;172.16.1.1&quot; with the IP address
+    # of your WINS server. If there is none,
+    # omit this line.
+
+    wins server = 172.16.1.1
+
+    # The OS level is set to 17 to allow
+    # this system to win over all Windows
+    # versions, but not the Samba server 
+    # that uses the configuration file
+    # in the previous section.
+
+    os level = 17
+
+[homes]
+    comment = %u's Home Directory
+    browsable = no
+    read only = no
+
+# This is a shared directory, accessible by all
+# users. Use your own share name and path.
+
+[d]
+    path = /d
+    create mask = 0700
+    read only = no</pre></blockquote>
+
+<p>Once you have a server in your workgroup handling authentication and
+WINS, this is the configuration file to use when adding additional
+Samba servers to the workgroup.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-APP-A-SECT-2"/>
+
+<h2 class="head1">Samba in a Windows NT Domain</h2>
+
+<p>When operating in a Windows NT domain, Samba can act either as a
+primary domain controller or as a domain member server.</p>
+
+
+<div class="sect2"><a name="samba2-APP-A-SECT-2.1"/>
+
+<h3 class="head2">Primary Domain Controller</h3>
+
+<p><a name="INDEX-8"/><a name="INDEX-9"/>Setting up Samba as a primary domain
+controller is more complicated than the other configurations.
+However, the extra difficulty is offset by having a more secure
+network and additional features such as logon scripts and roaming
+profiles. In the following configuration file, we also include
+support for a Microsoft Dfs share:</p>
+
+<blockquote><pre class="code">[global]
+    # Replace &quot;toltec&quot; with the hostname of your system.
+
+    netbios name = toltec
+
+    # Replace &quot;METRAN&quot; with the name of your Windows NT domain.
+
+    workgroup = METRAN
+
+    # Run a WINS server
+
+    wins support = yes
+    
+    # Always act as the local master browser
+    # and domain master browser.  Do not allow
+    # any other system to take over these roles!
+
+    domain master = yes
+    local master = yes
+    preferred master = yes
+    os level = 255
+
+    # Perform domain authentication.
+
+    security = user
+    encrypt passwords = yes
+    domain logons = yes
+    
+    # The location of user profiles for Windows NT/2000/XP.
+
+    logon path = \\%L\profiles\%u\%m
+
+    # Users' Windows home directories and storage of Win95/98/Me roaming profiles.
+
+    logon drive = G:
+    logon home = \\toltec\%u\.win_profile\%m
+
+    # The following line is optional because
+    # Samba always offers NetBIOS time service.
+    # This causes it to also be advertised:
+
+    time server = yes
+
+    # The logon script used for all users,
+    # Relative to [netlogon] share directory.
+
+    logon script = logon.bat
+
+    # The group identifying administrative users.
+    # If you have domain users in the Domain Admins
+    # group, use them here instead of &quot;jay&quot;.
+
+    domain admin group = root jay
+
+    # For adding machine accounts automatically.
+    # This example works on Linux. For other host
+    # operating systems, you might need a different
+    # command.
+
+    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
+
+    # Provide Microsoft Dfs support.
+
+    host msdfs = yes
+
+# The netlogon share is required for
+# functioning as the primary domain controller.
+# Make sure the directory used for the path exists.
+
+[netlogon]
+    path = /usr/local/samba/lib/netlogon
+    writable = no
+    browsable = no
+
+# The profiles share is for storing
+# Windows NT/2000/XP roaming profiles.
+# Use your own path, and make sure
+# the directory exists.
+
+[profiles]
+    path = /home/samba-ntprof
+    writable = yes
+    create mask = 0600
+    directory mask = 0700
+    browsable = no
+
+[homes]
+    comment = Home Directory
+    browsable = no
+    read only = no
+    map archive = yes
+
+# The Dfs share.
+# Use your own path, making
+# sure the directory exists.
+
+[dfs]
+    comment = Dfs share
+    path = /usr/local/samba/dfs
+    msdfs root = yes
+
+# A shared directory, accessible by all domain users.
+# Use your own share name and path.
+
+[d]
+    comment = %u's Home Directory
+    path = /d
+    create mask = 0700
+    read only = no</pre></blockquote>
+
+<p>See <a href="ch04.html">Chapter 4</a> for more information on configuring
+Samba as a primary domain controller, and see <a href="ch08.html">Chapter 8</a> for more information about setting up a
+Microsoft Dfs share. <a name="INDEX-10"/><a name="INDEX-11"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-A-SECT-2.2"/>
+
+<h3 class="head2">Domain Member Server</h3>
+
+<p><a name="INDEX-12"/><a name="INDEX-13"/>In a domain that
+already has either a Samba PDC or Windows NT/2000 Server PDC,
+additional Samba servers can be added as domain member servers using
+the following configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    # Replace &quot;mixtec&quot; with the system's hostname.
+
+    netbios name = mixtec
+
+    # Replace &quot;METRAN&quot; with the name of your domain.
+
+    workgroup = METRAN
+
+    # Replace &quot;172.16.1.1&quot; with the
+    # IP address of your WINS server.
+
+    wins server = 172.16.1.1
+
+    os level = 33
+    
+    security = domain
+    encrypt passwords = yes
+    password server = *
+
+# Home directories.
+
+[homes]
+    comment = %u's Home Directory
+    browsable = no
+    read only = no
+    map archive = yes
+
+# This is an example printers
+# share, which works for Linux.
+
+[printers]
+    printable = yes
+    printing = BSD
+    print command = /usr/bin/lpr -P%p %s
+    path = /var/tmp
+    min print space = 2000
+
+# A shared directory, accessible by all domain users.
+# Use your own share name and path.
+
+[d]
+    path = /d
+    create mask = 0755
+    read only = no</pre></blockquote>
+
+<p>See <a href="ch10.html">Chapter 10</a> for more information on sharing
+printers with Samba.</p>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/appb.html b/docs/htmldocs/using_samba/appb.html
new file mode 100644
index 0000000000..9cb6d957a8
--- /dev/null
+++ b/docs/htmldocs/using_samba/appb.html
@@ -0,0 +1,1840 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix B. Samba Configuration Option Quick Reference</h1>
+
+
+<p>The first section of this appendix lists each option that can be used
+in a Samba configuration file, which is usually named
+<em class="filename">smb.conf</em>. Most configuration files contain a
+global section of options that apply to all services (shares) and a
+separate section for various individual shares. If an option applies
+only to the global section, <tt class="literal">[global]</tt> appears to
+the right of its name in the following reference section.</p>
+
+<p>Except where noted, when specifying elements of a list, the elements
+can be separated by spaces, tabs, commas, semicolons, escaped
+newlines, or escaped carriage returns.</p>
+
+<p>Following this reference section is a glossary of value types, and a
+list of variables Samba recognizes.</p>
+
+
+
+<div class="sect1"><a name="samba2-APP-B-SECT-1"/>
+
+<h2 class="head1">Configuration File Options</h2>
+
+</div>
+
+
+<a name="INDEX-1"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>abort shutdown script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that stops the shutdown procedure started by
+<tt class="literal">shutdown script</tt>. The command will be run with the
+UID of the connected user. New in Samba 3.0.</p></div>
+<a name="INDEX-2"/><a name="INDEX-3"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add printer command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that creates a new
+<a name="INDEX-3"/>printer on the system hosting the Samba
+server. This command runs as <tt class="literal">root</tt> when the Windows
+NT/2000/XP Add Printer Wizard is run. The command will be passed a
+printer name, share name, port name, driver name, Windows NT/2000/XP
+driver location, and Windows 95/98/Me driver location, in that order.
+It will need to add the printer to the system and a share definition
+for the printer to <em class="filename">smb.conf.</em> See also
+<tt class="literal">add printer wizard</tt>, <tt class="literal">printing</tt>,
+and <tt class="literal">show add printer wizard</tt>.</p></div>
+<a name="INDEX-4"/><a name="INDEX-5"/><a name="INDEX-6"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add machine script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that adds a computer to the Samba
+server's <a name="INDEX-5"/><a name="INDEX-6"/>domain. New in Samba 3.0.</p></div>
+<a name="INDEX-7"/><a name="INDEX-8"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add share command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that creates a new
+<a name="INDEX-8"/>share on the Samba server. This command
+runs as <tt class="literal">root</tt> when a share is created using the
+Windows NT/2000/XP Server Manager. The client user must be logged on
+as the <tt class="literal">root</tt> user. The command will be passed the
+name of the Samba configuration file, the name of the share to be
+created, the full pathname of a directory on the Samba server (which
+must already exist), and a string to use as a comment for the share,
+in that order. The command must add a share definition for the share
+to <em class="filename">smb.conf.</em> See also <tt class="literal">add printer
+command</tt>, for adding a print share.</p></div>
+<a name="INDEX-9"/><a name="INDEX-10"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>add user script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that creates a new
+<a name="INDEX-10"/>user on the system hosting the Samba
+server. This command runs as <tt class="literal">root</tt> when access to a
+Samba share is attempted by a Windows user who does not have an
+account on the hosting system, but does have an account maintained by
+a primary domain controller on a different system. The command should
+accept the name of the user as a single argument that matches the
+behavior of typical <em class="emphasis">adduser</em> commands. Samba
+honors the <tt class="literal">%u</tt> value (username) as the argument to
+the command. Requires <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">server</tt> or
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">domain</tt>. See also <tt class="literal">delete user</tt>
+<tt class="literal">script</tt>.</p></div>
+<a name="INDEX-11"/><a name="INDEX-12"/><a name="INDEX-13"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>admin users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p><a name="INDEX-12"/>Specifies users who will be granted
+<a name="INDEX-13"/><tt class="literal">root</tt>
+permissions on the share by Samba.</p></div>
+<a name="INDEX-14"/><a name="INDEX-15"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ads server = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: DNS hostname or IP address</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies the <a name="INDEX-15"/>Active Directory server, used by
+Samba 3.0 for authenticating clients. Requires
+<tt class="literal">security</tt> <tt class="literal">= ads</tt>. New in Samba
+3.0.</p></div>
+<a name="INDEX-16"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>algorithmic rid base = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 1000</p><p>Specifies the base value that Samba uses when calculating Windows
+domain security identifier equivalents to Unix UIDs. See also
+<tt class="literal">non unix account range</tt>. New in Samba 3.0.</p></div>
+<a name="INDEX-17"/><a name="INDEX-18"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>allow hosts = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies systems that can connect to the share or
+<a name="INDEX-18"/>shares. If NULL, any
+system can access the share unless there is a <tt class="literal">hosts
+deny</tt> option. Synonym for <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt>.</p></div>
+<a name="INDEX-19"/><a name="INDEX-20"/><a name="INDEX-21"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>allow trusted domains = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows access to users who lack accounts on the Samba server but have
+accounts in another, trusted <a name="INDEX-20"/><a name="INDEX-21"/>domain.
+Requires <tt class="literal">security</tt> <tt class="literal">= server</tt> or
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">domain</tt>.</p></div>
+<a name="INDEX-22"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>announce as = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NT, Win95, Wf W</p><p><b class="emphasis-bold">Default</b>: NT</p><p>Has Samba announce itself as something other than an NT server.
+Discouraged because it interferes with serving browse lists.</p></div>
+<a name="INDEX-23"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>announce version = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: two numbers separated by a dot character</p><p><b class="emphasis-bold">Default</b>: 4.5</p><p>Instructs Samba to announce itself as a different version SMB server.
+Discouraged.</p></div>
+<a name="INDEX-24"/><a name="INDEX-25"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>auth methods = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: guest, sam, ntdomain</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies what methods Samba tries in turn to
+<a name="INDEX-25"/>authenticate users. New in Samba
+3.0.</p></div>
+<a name="INDEX-26"/><a name="INDEX-27"/><a name="INDEX-28"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>auto services = service list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: service list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of <a name="INDEX-27"/><a name="INDEX-28"/>shares that always appear in
+browse lists. Also called <tt class="literal">preload</tt>.</p></div>
+<a name="INDEX-29"/><a name="INDEX-30"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>available = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to NO, denies access to a share. The
+<a name="INDEX-30"/>share appears in the browse list, but
+attempts to access it will fail.</p></div>
+<a name="INDEX-31"/><a name="INDEX-32"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>bind interfaces only = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, shares and browsing are provided only on interfaces in
+an <a name="INDEX-32"/>interfaces list (see
+<tt class="literal">interfaces</tt>). If you set this option to YES, be
+sure to add 127.0.0.1 to the interfaces list to allow
+<em class="emphasis">smbpasswd</em> to connect to the local system to
+change passwords. This is a convenience option; it does not improve
+security.</p></div>
+<a name="INDEX-33"/><a name="INDEX-34"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>block size = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 1024</p><p>Sets the size of disk blocks as reported by <em class="emphasis">smbd</em>
+to the client. <a name="INDEX-34"/>Obsolete
+starting with Samba 3.0.</p></div>
+<a name="INDEX-35"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>blocking locks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, honors byte range lock requests with time limits. Samba will
+queue the requests and retry them until the time period expires.</p></div>
+<a name="INDEX-36"/><a name="INDEX-37"/><a name="INDEX-38"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>browsable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p><a name="INDEX-37"/><a name="INDEX-38"/>Allows a share to be announced
+in browse lists. Also called <tt class="literal">browseable</tt>.</p></div>
+<a name="INDEX-39"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>browse list = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, serves the browse list to other systems on the network. Avoid
+changing.</p></div>
+<a name="INDEX-40"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>browseable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Synonym for <tt class="literal">browsable</tt>.</p></div>
+<a name="INDEX-41"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>case sensitive = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, uses the exact case the client supplied when trying to
+resolve a filename. If NO, matches either upper- or lowercase name.
+Avoid changing. Also called <tt class="literal">casesignames</tt>.</p></div>
+<a name="INDEX-42"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>casesignames = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Synonym for <tt class="literal">case</tt> <tt class="literal">sensitive</tt>.</p></div>
+<a name="INDEX-43"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>change notify timeout = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive number</p><p><b class="emphasis-bold">Default</b>: 60</p><p>Sets the number of seconds between checks when a client asks for
+notification of changes in a directory. Avoid lowering.</p></div>
+<a name="INDEX-44"/><a name="INDEX-45"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>change share command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that modifies a
+<a name="INDEX-45"/>share
+definition on the Samba server. This command runs as
+<tt class="literal">root</tt> when a share is created using the Windows
+NT/2000/XP Server Manager. The client user must be logged on as the
+<tt class="literal">root</tt> user. The command is passed the name of the
+Samba configuration file, the name of the share to be modified, the
+full pathname of a directory on the Samba server (which must already
+exist), and a string to use as a comment for the share, in that
+order. The command modifies the share definition for the share in
+<em class="filename">smb.conf.</em> See also <tt class="literal">add share
+command</tt> and <tt class="literal">delete share command</tt>.</p></div>
+<a name="INDEX-46"/><a name="INDEX-47"/><a name="INDEX-48"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>character set = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: ISO8859-1, ISO8859-2, ISO8859-5, KOI8-R</p><p><b class="emphasis-bold">Default</b>: NULL</p><p><a name="INDEX-47"/>If set, translates from DOS code
+pages to the Western European (ISO8859-1), Eastern European
+(ISO8859-2), Russian Cyrillic (ISO8859-5), or Alternate Russian
+(KOI8-R) character set. The <tt class="literal">client</tt>
+<tt class="literal">code</tt> <tt class="literal">page</tt> option must be set to
+850. <a name="INDEX-48"/>Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-49"/><a name="INDEX-50"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>client code page = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: see <a href="ch11.html#samba2-CHP-11-TABLE-4">Table 11-4</a> in <a href="ch11.html">Chapter 11</a></p><p><b class="emphasis-bold">Default</b>: 850 (MS-DOS Latin 1)</p><p>Sets the DOS code page explicitly, overriding any previous
+<tt class="literal">valid</tt> <tt class="literal">chars</tt> settings. Examples
+of values are 850 for Western European, 437 for the U.S. standard,
+and 932 for Japanese Shift-JIS. <a name="INDEX-50"/>Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-51"/><a name="INDEX-52"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>code page directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full directory name</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/lib/codepages</em></p><p>Specifies the directory that stores code pages.
+<a name="INDEX-52"/>Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-53"/><a name="INDEX-54"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>coding system = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: euc, cap, hex, hexN, sjis, j8bb, j8bj, jis8, j8bh,
+j8@b, j8@j,j8@h, j7bb, j7bj, jis7, j7bh, j7@b, j7@j, j7@h, jubb,
+jubj, junet, jubh, ju@b, ju@j, ju@h</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the coding system used, notably for Kanji. This is employed for
+filenames and should correspond to the code page in use. The
+<tt class="literal">client</tt> <tt class="literal">code</tt>
+<tt class="literal">page</tt> option must be set to 932 ( Japanese
+Shift-JIS). <a name="INDEX-54"/>Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-55"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>comment = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: string</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the comment corresponding to a share. The comment appears in
+places such as a <em class="emphasis">net view</em> listing or through the
+Network Neighborhood. See also the <tt class="literal">server</tt>
+<tt class="literal">string</tt> configuration option.</p></div>
+<a name="INDEX-56"/><a name="INDEX-57"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>config file = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: \filename</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Selects a new Samba <a name="INDEX-57"/>configuration file to read instead of the
+current one. Used to relocate the configuration file or used with
+<tt class="literal">%</tt> variables to select custom configuration files
+for some users or systems.</p></div>
+<a name="INDEX-58"/><a name="INDEX-59"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>copy = section name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: existing section's name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Copies the configuration of an already defined share into the
+<a name="INDEX-59"/>share in which this option
+appears. Used with <tt class="literal">%</tt> variables to select custom
+configurations for systems, architectures, and users. Each option
+specified or copied takes precedence over earlier specifications of
+the option.</p></div>
+<a name="INDEX-60"/><a name="INDEX-61"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>create mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0744</p><p>Sets the maximum allowable <a name="INDEX-61"/>permissions for new files (e.g.,
+0755). See also <tt class="literal">directory</tt> <tt class="literal">mask</tt>.
+To require certain permissions to be set, see
+<tt class="literal">force</tt> <tt class="literal">create</tt>
+<tt class="literal">mask</tt> and <tt class="literal">force</tt>
+<tt class="literal">directory</tt> <tt class="literal">mask</tt>. Also called
+<tt class="literal">create</tt> <tt class="literal">mode</tt>.</p></div>
+<a name="INDEX-62"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>create mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0744</p><p>Synonym for <tt class="literal">create</tt> <tt class="literal">mask</tt>.</p></div>
+<a name="INDEX-63"/><a name="INDEX-64"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>csc policy = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: manual, documents, programs, or disable</p><p><b class="emphasis-bold">Default</b>: manual</p><p>Sets the client-side <a name="INDEX-64"/>caching policy, telling them how to
+cache files offline if they are capable of doing so.</p></div>
+<a name="INDEX-65"/><a name="INDEX-66"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>deadtime = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Specifies the time in minutes before an unused
+<a name="INDEX-66"/>connection will be
+terminated. Zero means never. Used to keep clients from tying up
+server resources for long periods of time. If used, clients must
+autoreconnect after the specified period of inactivity. See also
+<tt class="literal">keepalive</tt>.</p></div>
+<a name="INDEX-67"/><a name="INDEX-68"/><a name="INDEX-69"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug hires timestamp = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Changes the <a name="INDEX-68"/><a name="INDEX-69"/>timestamps in log entries from seconds
+to microseconds. Useful for measuring performance.</p></div>
+<a name="INDEX-70"/><a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug pid = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Adds the process ID of the Samba server to <a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/>log lines, making it easier to
+debug a particular server. Requires debug <tt class="literal">timestamp =
+yes</tt> to work.</p></div>
+<a name="INDEX-74"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug timestamp = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Timestamps all log messages. Can be turned off when
+it's not useful (e.g., in debugging ). Also called
+<tt class="literal">timestamp</tt> <tt class="literal">logs</tt>.</p></div>
+<a name="INDEX-75"/><a name="INDEX-76"/><a name="INDEX-77"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debug uid = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-76"/><a name="INDEX-77"/>Adds the real and effective
+user ID and group ID of the user being served to the logs, making it
+easier to debug one particular user.</p></div>
+<a name="INDEX-78"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>debuglevel = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Sets the logging level used. Values of 3 or more slow Samba
+noticeably. Also called <tt class="literal">log</tt>
+<tt class="literal">level</tt>. Recommended value is 1.</p></div>
+<a name="INDEX-79"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default = service name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the name of a service (share) to provide if someone
+requests a service he doesn't have permission to use
+or that doesn't exist. The path is set from the name
+the client specified, with any underscore ( _ ) characters changed to
+slash ( / ) characters, allowing access to any directory on the Samba
+server. Use is discouraged. See also <tt class="literal">load
+printers</tt>. Also called <tt class="literal">default service</tt>.</p></div>
+<a name="INDEX-80"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default case = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: LOWER, UPPER</p><p><b class="emphasis-bold">Default</b>: LOWER</p><p>Sets the case in which to store new filenames. LOWER indicates
+lowercase, and UPPER indicates uppercase.</p></div>
+<a name="INDEX-81"/><a name="INDEX-82"/><a name="INDEX-83"/><a name="INDEX-84"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default devmode = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Used with printer shares being accessed by Windows NT/2000/XP clients
+to set a default device mode for the
+<a name="INDEX-82"/><a name="INDEX-83"/><a name="INDEX-84"/>printer. Can be
+problematic. Use with care.</p></div>
+<a name="INDEX-85"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>default service = share name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">default</tt>.</p></div>
+<a name="INDEX-86"/><a name="INDEX-87"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete printer command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that removes a
+<a name="INDEX-87"/>printer from the system hosting the
+Samba server and deletes its service definition from
+<em class="filename">smb.conf</em>. The command is passed a printer name
+as its only argument. See also <tt class="literal">add printer
+command</tt>, <tt class="literal">printing</tt>, and <tt class="literal">show add
+printer wizard</tt>.</p></div>
+<a name="INDEX-88"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete readonly = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NO, YES</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, allows delete requests to remove read-only files. This
+is not allowed in MS-DOS/Windows, but it is normal in Unix, which has
+separate directory permissions. Used with programs such as RCS.</p></div>
+<a name="INDEX-89"/><a name="INDEX-90"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete share command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command that deletes a
+<a name="INDEX-90"/>share
+from the Samba server. The command runs when a user logged in as the
+<tt class="literal">root</tt> user on a Windows NT/2000/XP system deletes a
+share using Server Manager. The command is passed the name of the
+Samba configuration file and the name of the share to be deleted. The
+command must remove the definition of the share from the
+configuration file. See also <tt class="literal">add share command</tt> and
+<tt class="literal">change share command</tt>.</p></div>
+<a name="INDEX-91"/><a name="INDEX-92"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete user script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the command to run as <tt class="literal">root</tt> when a user
+connects who no longer has an account on the
+domain's PDC. Honors <tt class="literal">%u</tt>. Can be
+used to delete the
+<a name="INDEX-92"/>user account automatically from
+the Samba server's host. Requires
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">domain</tt> or <tt class="literal">security = user</tt>. Use
+with caution. See also <tt class="literal">add user script</tt>.</p></div>
+<a name="INDEX-93"/><a name="INDEX-94"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>delete veto files = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NO, YES</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, allows delete requests for a
+<a name="INDEX-94"/>directory containing
+files or subdirectories the user can't see due to
+the <tt class="literal">veto</tt> <tt class="literal">files</tt> option. If set
+to NO, the directory is not deleted and still contains invisible
+files.</p></div>
+<a name="INDEX-95"/><a name="INDEX-96"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>deny hosts = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of systems from which to refuse
+<a name="INDEX-96"/>connections.
+Also called <tt class="literal">hosts</tt> <tt class="literal">deny</tt>.</p></div>
+<a name="INDEX-97"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dfree command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Specifies a command to run on the server to return free disk space.
+Not needed unless the Samba host system's
+<em class="emphasis">dfree</em> command does not work properly.</p></div>
+<a name="INDEX-98"/><a name="INDEX-99"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory = directory</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Unix directory name</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the path to the
+<a name="INDEX-99"/>directory provided by a file share or
+used by a printer share. If the option is omitted in the
+<tt class="literal">[homes]</tt> share, it is set automatically to the
+user's home directory; otherwise, it defaults
+to<em class="filename"> /tmp</em>. For a printer share, the directory is
+used to spool printer files. Honors the <tt class="literal">%u</tt> (user)
+and <tt class="literal">%m</tt> (machine) variables. Synonym for
+<tt class="literal">path</tt>.</p></div>
+<a name="INDEX-100"/><a name="INDEX-101"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0755</p><p>Sets the maximum allowable permissions for newly created
+<a name="INDEX-101"/>directories. To require
+that certain permissions be set, see the <tt class="literal">force</tt>
+<tt class="literal">create</tt> <tt class="literal">mask</tt> and
+<tt class="literal">force</tt> <tt class="literal">directory</tt>
+<tt class="literal">mask</tt> options. Also called
+<tt class="literal">directory</tt> <tt class="literal">mode</tt>.</p></div>
+<a name="INDEX-102"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0755</p><p>Synonym for <tt class="literal">directory</tt> <tt class="literal">mask</tt>.</p></div>
+<a name="INDEX-103"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>directory security mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>:  same as <tt class="literal">directory</tt> <tt class="literal">mode</tt></p><p>Controls which permission bits can be changed if a user edits the
+Unix permissions of directories on the Samba server from a Windows
+system. Any bit that is set in the mask can be changed by the user;
+any bit that is clear remains the same on the directory even if the
+user tries to change it. Requires <tt class="literal">nt</tt>
+<tt class="literal">acl</tt> <tt class="literal">support</tt>
+<tt class="literal">=</tt> <tt class="literal">YES</tt>.</p></div>
+<a name="INDEX-104"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>disable spools = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, Windows NT/2000/XP systems will downgrade to
+Lanman-style printing. Prevents printer driver uploading and
+downloading from working. Use with care. See also <tt class="literal">use client
+driver</tt>.</p></div>
+<a name="INDEX-105"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dns proxy = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES and if <tt class="literal">wins</tt>
+<tt class="literal">server</tt> <tt class="literal">=</tt>
+<tt class="literal">YES</tt>, looks up hostnames in DNS when they are not
+found using WINS.</p></div>
+<a name="INDEX-106"/><a name="INDEX-107"/><a name="INDEX-108"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain admin group = user list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: usernames and/or group names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies users who are in the <a name="INDEX-107"/>Domain Admins group and have
+<a name="INDEX-108"/>domain
+administrator authority when Samba is the PDC. See also
+<tt class="literal">domain guest group</tt> and <tt class="literal">domain
+logons</tt>. Useful in Samba 2.2 only. Obsolete in Samba 3.0.</p></div>
+<a name="INDEX-109"/><a name="INDEX-110"/><a name="INDEX-111"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain guest group = user/group list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of usernames and/or group names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies users who are in the <a name="INDEX-110"/>Domain Guest group when Samba is the PDC.
+See also <tt class="literal">domain admin group</tt> and <tt class="literal">domain
+logons</tt>. Useful in Samba 2.2 only. <a name="INDEX-111"/>Obsolete in Samba 3.0.</p></div>
+<a name="INDEX-112"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain logons = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Causes Samba to serve domain logons. This is one of the basic
+functions required when Samba is acting as the PDC.</p></div>
+<a name="INDEX-113"/><a name="INDEX-114"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>domain master = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: automatic</p><p>Makes Samba a <a name="INDEX-114"/>domain master browser for its domain. When
+domain logons are enabled, <tt class="literal">domain master</tt> defaults
+to YES. Otherwise, it defaults to NO.</p></div>
+<a name="INDEX-115"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dont descend = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of directories</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Prohibits a change directory or search in the directories specified.
+This is a browsing-convenience option; it doesn't
+provide any extra security.</p></div>
+<a name="INDEX-116"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dos filemode = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Allows anyone with write permissions to change permissions on a file,
+as allowed by MS-DOS.</p></div>
+<a name="INDEX-117"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dos filetime resolution = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Sets file times on Unix to match MS-DOS standards (rounding to the
+next even second). Recommended if using Visual C++ or a PC
+<em class="emphasis">make</em> program to avoid remaking the programs
+unnecessarily. Use with the <tt class="literal">dos</tt>
+<tt class="literal">filetimes</tt> option.</p></div>
+<a name="INDEX-118"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>dos filetimes = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Allows nonowners to change file times if they can write to the files,
+matching the behavior of MS-DOS and Windows. See also
+<tt class="literal">dos</tt> <tt class="literal">filetime</tt>
+<tt class="literal">resolution</tt>.</p></div>
+<a name="INDEX-119"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>encrypt passwords = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO in Samba 2.2, YES in Samba 3.0</p><p>If enabled, Samba will use password encryption. Requires an
+<em class="filename">smbpasswd</em> file on the Samba server.</p></div>
+<a name="INDEX-120"/><a name="INDEX-121"/><a name="INDEX-122"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>enhanced browsing = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Automatically synchronizes <a name="INDEX-121"/><a name="INDEX-122"/>browse lists with all domain master
+browsers known to the WINS server. Makes cross-subnet browsing more
+reliable, but also can cause empty workgroups to persist forever in
+browse lists.</p></div>
+<a name="INDEX-123"/><a name="INDEX-124"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>enumports command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Allows for a command to provide clients with customized
+MS-DOS/Windows <a name="INDEX-124"/>port names (e.g., PRN:) corresponding
+to printers. Samba's default behavior is to return
+<tt class="literal">Samba Printer Port</tt>. The command must return a
+series of lines, with one port name per line.</p></div>
+<a name="INDEX-125"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>exec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as the user before connecting to the share.
+Synonym for <tt class="literal">preexec</tt>. See also the
+<tt class="literal">postexec</tt>, <tt class="literal">root</tt>
+<tt class="literal">preexec</tt>, and <tt class="literal">root postexec</tt>
+options.</p></div>
+<a name="INDEX-126"/><a name="INDEX-127"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>fake directory create times = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>A bug fix for users of Microsoft
+<em class="emphasis">nmake</em><a name="INDEX-127"/>. If YES, Samba sets directory create
+times such that <em class="emphasis">nmake</em> won't
+remake all files every time.</p></div>
+<a name="INDEX-128"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>fake oplocks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, returns YES whenever a client asks if it can lock a file and
+cache it locally but does not enforce the lock on the server. Results
+in performance improvement for read-only shares. <em class="emphasis">Never use
+with read/write shares!</em> See also
+<tt class="literal">oplocks</tt> and <tt class="literal">veto</tt>
+<tt class="literal">oplock</tt> <tt class="literal">files</tt>.</p></div>
+<a name="INDEX-129"/><a name="INDEX-130"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>follow symlinks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, Samba follows <a name="INDEX-130"/>symlinks in a file share(s). See the
+<tt class="literal">wide</tt> <tt class="literal">links</tt> option if you want
+to restrict symlinks to just the current share.</p></div>
+<a name="INDEX-131"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force create mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Takes effect when a user on a Windows client creates a file that
+resides on the Samba server. This option ensures that bits set in
+this mask will always be set on the new file. Used with the
+<tt class="literal">create mask</tt> configuration option.</p></div>
+<a name="INDEX-132"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force directory mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Takes effect when a user on a Windows client creates a directory on
+the Samba server. This option ensures that bits set in the mask will
+be set on every newly created directory. Used with <tt class="literal">directory
+mask</tt>.</p></div>
+<a name="INDEX-133"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force directory security mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>:  same as <tt class="literal">force</tt>
+<tt class="literal">directory</tt> <tt class="literal">mode</tt></p><p>Takes effect when a user on a Windows client edits the Unix
+permissions of a directory on the Samba server. This option ensures
+that bits set in this mask will be set on the directory. Requires
+<tt class="literal">nt</tt> <tt class="literal">acl</tt>
+<tt class="literal">support</tt> <tt class="literal">=</tt>
+<tt class="literal">YES</tt>.</p></div>
+<a name="INDEX-134"/><a name="INDEX-135"/><a name="INDEX-136"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force group = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a Unix group name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the effective group name assigned to all users accessing a
+share. Used to override a
+<a name="INDEX-135"/><a name="INDEX-136"/>user's
+normal group memberships.</p></div>
+<a name="INDEX-137"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force security mode = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>: same as <tt class="literal">force</tt> <tt class="literal">create</tt>
+<tt class="literal">mode</tt></p><p>Takes effect when a user on a Windows client edits the Unix
+permissions of a file on the Samba server. This option ensures that
+bits set in the mask will always be set on the file. Requires
+<tt class="literal">nt</tt> <tt class="literal">acl</tt>
+<tt class="literal">support</tt> <tt class="literal">=</tt>
+<tt class="literal">YES</tt>. See also <tt class="literal">force directory security
+mode</tt> for directories.</p></div>
+<a name="INDEX-138"/><a name="INDEX-139"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force unknown acl user = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>When set, unknown users or groups in Windows NT ACLs will be mapped
+to the user or group of the connected user. <a name="INDEX-139"/>Obsolete starting with Samba
+3.0.</p></div>
+<a name="INDEX-140"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>force user = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a single username</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the effective username assigned to all users accessing a share.
+Discouraged.</p></div>
+<a name="INDEX-141"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>fstype = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NTFS, FAT, Samba</p><p><b class="emphasis-bold">Default</b>: NTFS</p><p>Sets the filesystem type reported to the client. Avoid changing.</p></div>
+<a name="INDEX-142"/><a name="INDEX-143"/><a name="INDEX-144"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>getwd cache = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Caches the current <a name="INDEX-143"/><a name="INDEX-144"/>directory for performance.
+Recommended with the <tt class="literal">wide</tt> <tt class="literal">links</tt>
+option.</p></div>
+<a name="INDEX-145"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>group = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a Unix group name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">force</tt> <tt class="literal">group</tt>.</p></div>
+<a name="INDEX-146"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>guest account = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: a single username</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the name of the unprivileged Unix account to use for tasks such
+as printing and for accessing shares marked with
+<tt class="literal">guest</tt> <tt class="literal">ok</tt>. The default is
+specified at compile time and is usually set to
+<tt class="literal">nobody</tt>.</p></div>
+<a name="INDEX-147"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>guest ok = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, doesn't need passwords for this
+share. Used with <tt class="literal">security = share</tt>. Synonym for
+<tt class="literal">public</tt>.</p></div>
+<a name="INDEX-148"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>guest only = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Forces users of a share to log on as the guest account. Requires
+<tt class="literal">guest</tt> <tt class="literal">ok</tt> or
+<tt class="literal">public</tt> to be YES. Also called
+<tt class="literal">only</tt> <tt class="literal">guest</tt>.</p></div>
+<a name="INDEX-149"/><a name="INDEX-150"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide dot files = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Treats files with names beginning with a dot as if they had the
+MS-DOS <a name="INDEX-150"/>hidden
+attribute set. The files are either not displayed on a Windows client
+or appear grayed-out, depending on the settings on the client.</p></div>
+<a name="INDEX-151"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide files = slash-separated list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: patterns, separated by <tt class="literal">/</tt>
+characters</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of file or directory names on which to set the
+MS-DOS hidden attribute. Names can contain <tt class="literal">?</tt> or
+<tt class="literal">*</tt> pattern characters and <tt class="literal">%</tt>
+variables. See also <tt class="literal">hide</tt> <tt class="literal">dot</tt>
+<tt class="literal">files</tt> and <tt class="literal">veto</tt>
+<tt class="literal">files</tt>.</p></div>
+<a name="INDEX-152"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide local users = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, hides Unix-specific dummy accounts
+(<tt class="literal">root</tt>, <tt class="literal">wheel</tt>,
+<tt class="literal">floppy</tt>, etc.) from clients.</p></div>
+<a name="INDEX-153"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hide unreadable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, hides all unreadable files.</p></div>
+<a name="INDEX-154"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>homedir map = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NIS map name</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Used with <tt class="literal">nis</tt> <tt class="literal">homedir</tt> to locate
+a user's Unix home directory from Sun NIS (not
+NIS+).</p></div>
+<a name="INDEX-155"/><a name="INDEX-156"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>host msdfs = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-156"/>If set to YES and Samba was
+configured with the <tt class="literal">--with-msdfs</tt> option, provides
+Microsoft Distributed filesystem (Dfs) service, allowing Dfs-capable
+clients to browse Dfs trees on the Samba server. See also
+<tt class="literal">msdfs root</tt>.</p></div>
+<a name="INDEX-157"/><a name="INDEX-158"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hosts allow = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of systems that can access the
+<a name="INDEX-158"/>share. If NULL, any system can access
+the share unless there is a <tt class="literal">hosts</tt>
+<tt class="literal">deny</tt> option. Synonym for <tt class="literal">allow</tt>
+<tt class="literal">hosts</tt>.</p></div>
+<a name="INDEX-159"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hosts deny = host list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of systems that cannot connect to the share. Synonym
+for <tt class="literal">deny</tt> <tt class="literal">hosts</tt>.</p></div>
+<a name="INDEX-160"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>hosts equiv = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the path to a file of trusted systems from which
+passwordless logons are allowed. Strongly discouraged because Windows
+NT/2000/XP users can always override the username&mdash;the only
+security in this scheme.</p></div>
+<a name="INDEX-161"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>include = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Includes the named file in <em class="filename">smb.conf</em> at the line
+where it appears. This option accepts most variables, but not
+<tt class="literal">%u</tt> (user), <tt class="literal">%P</tt> (current
+share's <tt class="literal">root</tt> directory), or
+<tt class="literal">%S</tt> (current share's name) because
+they are not set at the time the file is read.</p></div>
+<a name="INDEX-162"/><a name="INDEX-163"/><a name="INDEX-164"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>inherit acls = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, files and subdirectories are created with the same
+<a name="INDEX-163"/>ACLs
+as their parent directories. Directories are given Unix permissions
+of 0777 (full permissions) ensuring that the ACL on the directory
+will govern the actual permissions given to clients. Requires
+<a name="INDEX-164"/>POSIX ACL
+support to be provided on the Samba host system.</p></div>
+<a name="INDEX-165"/><a name="INDEX-166"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>inherit permissions = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, files and subdirectories are created with the same
+<a name="INDEX-166"/>permissions as their parent
+directories. This allows Unix directory permissions to be propagated
+automatically to new files and subdirectories, especially in the
+<tt class="literal">[homes]</tt> share. This option overrides
+<tt class="literal">create</tt> <tt class="literal">mask</tt>,
+<tt class="literal">directory</tt> <tt class="literal">mask</tt>,
+<tt class="literal">force</tt> <tt class="literal">create</tt>
+<tt class="literal">mode</tt>, and <tt class="literal">force</tt>
+<tt class="literal">directory</tt> <tt class="literal">mode</tt>, but not
+<tt class="literal">map</tt> <tt class="literal">archive</tt>,
+<tt class="literal">map</tt> <tt class="literal">hidden</tt>, or
+<tt class="literal">map</tt> <tt class="literal">system</tt>. Samba never sets
+the <tt class="literal">setuid</tt> bit when creating a file or directory.</p></div>
+<a name="INDEX-167"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>interfaces = interface list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: interface list</p><p><b class="emphasis-bold">Default</b>: NULL (all interfaces except 127.0.0.1)</p><p>Sets the interfaces to which Samba will respond. The default is the
+system's primary interface only. Recommended on
+multihomed systems or to override erroneous addresses and netmasks.
+Allows interface names such as <tt class="literal">eth0</tt>, DNS names,
+address/netmask pairs, and broadcast/netmask pairs. See also
+<tt class="literal">bind interfaces only</tt>.</p></div>
+<a name="INDEX-168"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>invalid users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of users not permitted access to the share.</p></div>
+<a name="INDEX-169"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>keepalive = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 300</p><p>Sets the number of seconds between checks for a crashed client. The
+value of 0 causes no checks to be performed. Setting
+<tt class="literal">keepalive = 3600</tt> will turn on checks every hour. A
+value of 600 (every 10 minutes) is recommended if you want more
+frequent checks. See also <tt class="literal">socket</tt>
+<tt class="literal">options</tt> for another approach.</p></div>
+<a name="INDEX-170"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>kernel oplocks = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Breaks the oplock when a local Unix process or NFS operation accesses
+an oplocked file, thus preventing corruption. This works only on
+operating systems that support kernel-based oplocks, such as Linux
+2.4 and Irix. Avoid changing. See also <tt class="literal">oplocks</tt> and
+<tt class="literal">level2</tt> <tt class="literal">oplocks</tt>.</p></div>
+<a name="INDEX-171"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lanman auth = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, allows clients to use the (weak) LANMAN password hash
+used by Windows 95/98/Me. If set to NO, allows only the better NT1
+hash used by Windows NT/2000/XP.</p></div>
+<a name="INDEX-172"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>large readwrite = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO in Samba 2.2, YES in Samba 3.0</p><p>If set to YES, allows Windows 2000/XP to read and write 64KB at a
+time to improve performance. Requires Samba to be hosted by a 64-bit
+OS, such as Linux 2.4, Irix, or Solaris. Somewhat experimental.</p></div>
+<a name="INDEX-173"/><a name="INDEX-174"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap admin dn = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Distinguished Name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the Distinguished Name used by Samba when contacting the LDAP
+server. Requires Samba to be configured with the
+<tt class="literal">--with-ldapsam</tt> configuration option. Experimental
+option added in Samba 2.2.3 and <a name="INDEX-174"/>obsolete in Samba 3.0.</p></div>
+<a name="INDEX-175"/><a name="INDEX-176"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap filter = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: LDAP search filter</p><p><b class="emphasis-bold">Default</b>: <tt class="literal">(&amp;(uid=%u)(objectclass=sambaAccount))</tt></p><p>Sets the LDAP search filter. Requires that Samba be configured with
+the <tt class="literal">--with-ldapsam</tt> configuration option.
+Experimental option added in Samba 2.2.3 and
+<a name="INDEX-176"/>obsolete in Samba 3.0.</p></div>
+<a name="INDEX-177"/><a name="INDEX-178"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap port = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: In Samba 2.2, 636 if <tt class="literal">ldap ssl = on</tt>;
+otherwise 389</p><p>Sets the TCP port number for contacting the LDAP server. Requires
+that Samba be configured with the <tt class="literal">--with-ldapsam</tt>
+configuration option. Experimental option added in Samba 2.2.3 and
+<a name="INDEX-178"/>obsolete
+starting with Samba 3.0. See also <tt class="literal">ldap ssl</tt>.</p></div>
+<a name="INDEX-179"/><a name="INDEX-180"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap server = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: fully qualified domain name</p><p><b class="emphasis-bold">Default</b>: localhost</p><p>Sets the domain name of the LDAP server. Requires that Samba be
+configured with the <tt class="literal">--with-ldapsam</tt> configuration
+option. Experimental option added in Samba 2.2.3 and
+<a name="INDEX-180"/>obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-181"/><a name="INDEX-182"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap ssl = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: ON, OFF, START TLS</p><p><b class="emphasis-bold">Default</b>: ON</p><p>Sets whether Samba uses SSL to contact the LDAP server. ON and OFF
+turn SSL encryption on or off. The START TLS setting causes Samba to
+use LDAPv3 StartTLS extended operation. Requires that Samba be
+configured with the <tt class="literal">--with-ldapsam</tt> configuration
+option. Experimental option added in Samba 2.2.3 and
+<a name="INDEX-182"/>obsolete
+in Samba 3.0.</p></div>
+<a name="INDEX-183"/><a name="INDEX-184"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ldap suffix = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Distinguished Name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the base Distinguished Name to use for LDAP searches. Requires
+that Samba be configured with the <tt class="literal">--with-ldapsam</tt>
+configuration option. Experimental option added in Samba 2.2.3 and
+<a name="INDEX-184"/>obsolete in Samba 3.0.</p></div>
+<a name="INDEX-185"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>level2 oplocks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows files to be cached read-only on the client when multiple
+clients have opened the file. This allows executables to be cached
+locally, improving performance.</p></div>
+<a name="INDEX-186"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lm announce = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: AUTO, YES, NO</p><p><b class="emphasis-bold">Default</b>: AUTO</p><p>Produces OS/2 SMB broadcasts at an interval specified by the
+<tt class="literal">lm</tt> <tt class="literal">interval</tt> option. YES/NO
+turns them on/off unconditionally. AUTO causes the Samba server to
+wait for a LAN manager announcement from another client before
+sending one out. Required for OS/2 client browsing.</p></div>
+<a name="INDEX-187"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lm interval = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 60</p><p>Sets the time period, in seconds, between OS/2 SMB broadcast
+announcements.</p></div>
+<a name="INDEX-188"/><a name="INDEX-189"/><a name="INDEX-190"/><a name="INDEX-191"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>load printers = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Loads all printer names from the system's
+<em class="emphasis">printcap</em><a name="INDEX-189"/> file into the
+<a name="INDEX-190"/><a name="INDEX-191"/>browse
+list. Uses configuration options from the
+<tt class="literal">[printers]</tt> section.</p></div>
+<a name="INDEX-192"/><a name="INDEX-193"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>local master = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows Samba to participate in <a name="INDEX-193"/>elections for the local master
+browser. See also <tt class="literal">domain</tt> <tt class="literal">master</tt>
+and <tt class="literal">os</tt> <tt class="literal">level</tt>.</p></div>
+<a name="INDEX-194"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock dir = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/usr/local/samba/var/locks</em></p><p>Synonym for <tt class="literal">lock</tt> <tt class="literal">directory</tt>.</p></div>
+<a name="INDEX-195"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/usr/local/samba/var/locks</em></p><p>Sets a directory in which to keep lock files. The directory must be
+writable by Samba and readable by everyone. Also called
+<tt class="literal">lock</tt> <tt class="literal">dir</tt>.</p></div>
+<a name="INDEX-196"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock spin count = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 2</p><p>Sets the number of attempts to attain a byte range lock. See also
+<tt class="literal">lock spin time</tt>.</p></div>
+<a name="INDEX-197"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lock spin time = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of microseconds</p><p><b class="emphasis-bold">Default</b>: 10</p><p>Sets the number of microseconds between attempts to attain a lock.
+See also <tt class="literal">lock</tt> <tt class="literal">spin</tt>
+<tt class="literal">count</tt>.</p></div>
+<a name="INDEX-198"/><a name="INDEX-199"/><a name="INDEX-200"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>locking = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Performs <a name="INDEX-199"/><a name="INDEX-200"/>file locking. If set to NO, Samba
+accepts lock requests but won't actually lock
+resources. Turn off for read-only filesystems.</p></div>
+<a name="INDEX-201"/><a name="INDEX-202"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>log file = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the name and location of the <a name="INDEX-202"/>log file. Allows all <tt class="literal">%</tt>
+variables.</p></div>
+<a name="INDEX-203"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>log level = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Sets the logging level used. Values of 3 or more slow the system
+noticeably. Recommended value is 1. Synonym for
+<tt class="literal">debug</tt> <tt class="literal">level</tt>.</p></div>
+<a name="INDEX-204"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon drive = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: MS-DOS drive name</p><p><b class="emphasis-bold">Default</b>: Z:</p><p>Sets the drive to be used as a home directory for domain logons by
+Windows NT/2000/XP clients. See also <tt class="literal">logon</tt>
+<tt class="literal">home</tt>.</p></div>
+<a name="INDEX-205"/><a name="INDEX-206"/><a name="INDEX-207"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon home = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">\\ %N \ %U</em></p><p>Sets the home <a name="INDEX-206"/><a name="INDEX-207"/>directory of a Windows 95/98/Me or
+NT/2000/XP user. Allows <tt class="literal">NET</tt> <tt class="literal">USE</tt>
+<tt class="literal">H:/HOME</tt> from the command prompt if Samba is acting
+as a logon server. Append <tt class="literal">\profile</tt> or other
+directory to the value of this parameter if storing Windows 95/98/Me
+profiles in a subdirectory of the user's home
+directory. See <tt class="literal">logon path</tt> for Windows NT/2000/XP
+roaming profiles.</p></div>
+<a name="INDEX-208"/><a name="INDEX-209"/><a name="INDEX-210"/><a name="INDEX-211"/><a name="INDEX-212"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon path = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">\\ %N \  %U \ profile</em></p><p>Sets the path to the directory where Windows NT/2000/XP
+<a name="INDEX-209"/><a name="INDEX-210"/><a name="INDEX-211"/><a name="INDEX-212"/>roaming profiles are stored. See
+also <tt class="literal">logon home</tt> for Windows 95/98/Me roaming
+profiles.</p></div>
+<a name="INDEX-213"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>logon script = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the pathname (relative to the <tt class="literal">[netlogon]</tt>
+share) of an MS-DOS/NT command to run on the client at logon time.
+Allows all <tt class="literal">%</tt> variables.</p></div>
+<a name="INDEX-214"/><a name="INDEX-215"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lppause command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command to pause a <a name="INDEX-215"/>print job.
+Honors the <tt class="literal">%p</tt> (printer name) and
+<tt class="literal">%j</tt> (job number) variables.</p></div>
+<a name="INDEX-216"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lpq cache time = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 10</p><p>Sets how long to keep print queue status cached, in seconds.</p></div>
+<a name="INDEX-217"/><a name="INDEX-218"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lpq command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to get <a name="INDEX-218"/>printer status. Usually
+initialized to a default value by the <tt class="literal">printing</tt>
+option. Honors the <tt class="literal">%p</tt> (printer name) variable.</p></div>
+<a name="INDEX-219"/><a name="INDEX-220"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lpresume command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command to resume a paused <a name="INDEX-220"/>print job.
+Honors the <tt class="literal">%p</tt> (printer name) and
+<tt class="literal">%j</tt> ( job number) variables.</p></div>
+<a name="INDEX-221"/><a name="INDEX-222"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>lprm command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command to delete a <a name="INDEX-222"/>print job.
+Usually initialized to a default value by the
+<tt class="literal">printing</tt> option. Honors the <tt class="literal">%p</tt>
+(printer name) and <tt class="literal">%j</tt> (job number) variables.</p></div>
+<a name="INDEX-223"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>machine password timeout = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 604800 (1 week)</p><p>Sets the period between (NT domain) computer account password changes.</p></div>
+<a name="INDEX-224"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>magic output = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="replaceable">command</em><em class="emphasis">.out</em></p><p>Sets the output file for the <tt class="literal">magic</tt>
+<tt class="literal">scripts</tt> option. Default is the command name,
+followed by the <em class="emphasis">.out</em> extension.</p></div>
+<a name="INDEX-225"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>magic script = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a filename for execution via a shell whenever the file is closed
+from the client, allowing clients to run commands on the server. The
+scripts will be deleted on completion, if permissions allow. Use is
+discouraged.</p></div>
+<a name="INDEX-226"/><a name="INDEX-227"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangle case = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-227"/>Mangles a
+name if it is in mixed case.</p></div>
+<a name="INDEX-228"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangled map = map list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of to/from pairs</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets up a table of names to remap (e.g., <em class="emphasis">.html</em>
+to <em class="emphasis">.htm</em>).</p></div>
+<a name="INDEX-229"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangled names = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Sets Samba to abbreviate to the MS-DOS 8.3 style names that are too
+long or have unsupported characters.</p></div>
+<a name="INDEX-230"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangled stack = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 50</p><p>Sets the size of the cache of recently mangled filenames.</p></div>
+<a name="INDEX-231"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangling char = character</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: character</p><p><b class="emphasis-bold">Default</b>: ~</p><p>Sets the unique mangling character used in all mangled names.</p></div>
+<a name="INDEX-232"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>mangling method = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: hash, hash2</p><p><b class="emphasis-bold">Default</b>: hash</p><p>Sets the algorithm used to mangle filenames. The
+<tt class="literal">hash2</tt> method is a newer method introduced in Samba
+2.2.x, and it creates different filenames than the
+<tt class="literal">hash</tt> method.</p></div>
+<a name="INDEX-233"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map archive = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, Samba sets the executable-by-user (0100) bit on Unix files if
+the MS-DOS archive attribute is set. If used, the
+<tt class="literal">create</tt> <tt class="literal">mask</tt> must contain the
+0100 bit.</p></div>
+<a name="INDEX-234"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map hidden = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, Samba sets the executable-by-other (0001) bit on Unix files
+if the MS-DOS hidden attribute is set. If used, the <tt class="literal">create
+mask</tt> option must contain the 0001 bit.</p></div>
+<a name="INDEX-235"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map system = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, Samba sets the executable-by-group (0010) bit on Unix files
+if the MS-DOS system attribute is set. If used, the
+<tt class="literal">create</tt> <tt class="literal">mask</tt> must contain the
+0010 bit.</p></div>
+<a name="INDEX-236"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>map to guest = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Never, Bad User, Bad Password</p><p><b class="emphasis-bold">Default</b>:  Never</p><p>If set to Bad User, allows users without accounts on the Samba system
+to log in and be assigned the guest account. This option can be used
+as part of making public shares for anyone to use. If set to Bad
+Password, users who mistype their passwords will be logged in to the
+guest account instead of their own. Because no warning is given, the
+Bad Password value can be extremely confusing: we recommend against
+it. The default setting of Never prevents users without accounts from
+logging in.</p></div>
+<a name="INDEX-237"/><a name="INDEX-238"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max connections = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0 (infinity)</p><p>Sets the maximum number of
+<a name="INDEX-238"/>share connections allowed from each
+client system.</p></div>
+<a name="INDEX-239"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max disk size = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: size in MB</p><p><b class="emphasis-bold">Default</b>: 0 (no limit)</p><p>Sets the maximum disk size/free-space size (in megabytes) to return
+to the client. Some clients or applications can't
+understand large maximum disk sizes.</p></div>
+<a name="INDEX-240"/><a name="INDEX-241"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max log size = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: size in KB</p><p><b class="emphasis-bold">Default</b>: 5000</p><p>Sets the size (in kilobytes) at which Samba will start a new
+<a name="INDEX-241"/>log file. The current log file will be
+renamed with a <em class="emphasis">.old</em> extension, replacing any
+existing file with that name.</p></div>
+<a name="INDEX-242"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max mux = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 50</p><p>Sets the number of simultaneous SMB operations that Samba clients can
+make. Avoid changing.</p></div>
+<a name="INDEX-243"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max open files = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 10000</p><p>Limits the number of files a Samba process will try to keep open at
+one time. Samba allows you to set this to less than the maximum
+imposed by the Unix host operating system. Avoid changing.</p></div>
+<a name="INDEX-244"/><a name="INDEX-245"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max print jobs = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 1000</p><p>Limits the number of jobs that can be in the queue for this
+<a name="INDEX-245"/>printer share at any one time. The printer
+will report <tt class="literal">out of space</tt> if the limit is exceeded.
+See also <tt class="literal">total print jobs</tt>.</p></div>
+<a name="INDEX-246"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max protocol = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: CORE, COREPLUS, LANMAN1, LANMAN2, NT1</p><p><b class="emphasis-bold">Default</b>: NT1</p><p>If set, limits the negotiation to the protocol specified, or older.
+See <tt class="literal">min protocol</tt>. Avoid using.</p></div>
+<a name="INDEX-247"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max smbd processes = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 0 (no limit)</p><p>Limits the number of users who can connect to the server. Used to
+prevent degraded service under an overload, at the cost of refusing
+services entirely.</p></div>
+<a name="INDEX-248"/><a name="INDEX-249"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max ttl = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 259200 (3 days)</p><p>Sets the <a name="INDEX-249"/>time to live (TTL) of NetBIOS names in the
+<em class="emphasis">nmbd</em> WINS cache. Avoid changing.</p></div>
+<a name="INDEX-250"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max wins ttl = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 518400 (6 days)</p><p>Limits the TTL, in seconds, of a NetBIOS name in the
+<em class="emphasis">nmbd</em> WINS cache. Avoid changing. See also
+<tt class="literal">min wins ttl</tt>.</p></div>
+<a name="INDEX-251"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>max xmit = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: size in bytes</p><p><b class="emphasis-bold">Default</b>: 65535</p><p>Sets the maximum packet size negotiated by Samba. This is a tuning
+parameter for slow links and bugs in older clients. Values less than
+2048 are discouraged.</p></div>
+<a name="INDEX-252"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>message command = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the command to run on the server when a WinPopup message arrives
+from a client. If it does not complete quickly, the command must end
+in <tt class="literal">&amp;</tt> to allow immediate return. Honors all
+<tt class="literal">%</tt> variables except <tt class="literal">%u</tt> (user)
+and supports the extra variables <tt class="literal">%s</tt> (filename the
+message is in), <tt class="literal">%t</tt> (destination system), and
+<tt class="literal">%f</tt> (from).</p></div>
+<a name="INDEX-253"/><a name="INDEX-254"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min passwd length = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 5</p><p><a name="INDEX-254"/>Synonym for <tt class="literal">min</tt>
+<tt class="literal">password</tt> <tt class="literal">length</tt>.</p></div>
+<a name="INDEX-255"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min password length = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 5</p><p>Sets the shortest Unix password allowed by Samba when updating a
+user's password on its system. Also called
+<tt class="literal">min</tt> <tt class="literal">passwd</tt>
+<tt class="literal">length</tt>.</p></div>
+<a name="INDEX-256"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min print space = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: space in kilobytes</p><p><b class="emphasis-bold">Default</b>: 0 (unlimited)</p><p>Sets the minimum spool space required before accepting a print
+request.</p></div>
+<a name="INDEX-257"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min protocol = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: CORE, COREPLUS, LANMAN1, LANMAN2, NT1</p><p><b class="emphasis-bold">Default</b>: CORE</p><p>If set, prevents use of old (less secure) protocols. Using NT1
+disables MS-DOS clients. See also <tt class="literal">lanman auth</tt>.</p></div>
+<a name="INDEX-258"/><a name="INDEX-259"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>min wins ttl = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 21600 (6 hours)</p><p>Sets the minimum <a name="INDEX-259"/>TTL, in seconds, of a NetBIOS name in the
+<em class="emphasis">nmbd</em> WINS cache. Avoid changing.</p></div>
+<a name="INDEX-260"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>msdfs root = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Makes the share a Dfs <tt class="literal">root</tt>. Requires the
+<tt class="literal">--with-msdfs</tt> configure option. Any symbolic links
+of the form <tt class="literal">msdfs:server\share</tt> will be seen as Dfs
+links. See also <tt class="literal">host msdfs</tt>.</p></div>
+<a name="INDEX-261"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>name resolve order = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: lmhosts, wins, host, bcast</p><p><b class="emphasis-bold">Default</b>: lmhosts, host, wins, bcast</p><p>Sets the order of lookup when trying to get IP addresses from names.
+The host parameter carries out a regular name lookup using the
+server's normal sources:
+<em class="emphasis">/etc/hosts</em>, DNS, NIS, or a combination of these.</p></div>
+<a name="INDEX-262"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>netbios aliases = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of NetBIOS names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Adds additional NetBIOS names by which the Samba server will
+advertise itself.</p></div>
+<a name="INDEX-263"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>netbios name = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: local hostname</p><p><b class="emphasis-bold">Default</b>: DNS name of system</p><p>Sets the NetBIOS name by which a Samba server is known, or the
+primary name if NetBIOS aliases exist. See also <tt class="literal">netbios
+aliases</tt>.</p></div>
+<a name="INDEX-264"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>netbios scope = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: string</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the NetBIOS scope string, an early predecessor of workgroups.
+Samba will not communicate with a system with a different scope. This
+option is not recommended.</p></div>
+<a name="INDEX-265"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nis homedir = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, the <tt class="literal">homedir</tt> <tt class="literal">map</tt> is used
+to look up the server hosting the user's home
+directory and return it to the client. The client will contact that
+system to connect to the share. This avoids mounting from a system
+that doesn't actually have the directory, which
+would cause the data to be transmitted twice. The system with the
+home directories must be an SMB server.</p></div>
+<a name="INDEX-266"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>non unix account range = numeric range</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: range of positive integers</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies a range of Unix UIDs for Samba to use for user accounts and
+computer accounts that are maintained outside of
+<em class="filename">/etc/passwd</em>. The UIDs in this range must not
+overlap those of regular Unix users in
+<em class="filename">/etc/passwd</em>. See also <tt class="literal">algorithmic rid
+base</tt>. New in Samba 3.0.</p></div>
+<a name="INDEX-267"/><a name="INDEX-268"/><a name="INDEX-269"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt acl support = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Causes the Samba server to map Unix
+<a name="INDEX-268"/><a name="INDEX-269"/>permissions to Windows NT
+ACLs.</p></div>
+<a name="INDEX-270"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt pipe support = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows turning off of NT-specific pipe calls. This is a
+developer/benchmarking option and might be removed in the future.
+Avoid changing.</p></div>
+<a name="INDEX-271"/><a name="INDEX-272"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt smb support = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, allows the use of NT-specific SMBs. This is a
+developer/benchmarking option that is <a name="INDEX-272"/>obsolete in Samba 3.0. Avoid changing.</p></div>
+<a name="INDEX-273"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nt status support = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, allows the use of NT-specific status messages. This is a
+developer/benchmarking option and might be removed in the future.
+Avoid changing.</p></div>
+<a name="INDEX-274"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>null passwords = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, allows access to accounts that have null passwords. Strongly
+discouraged.</p></div>
+<a name="INDEX-275"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>obey pam restrictions = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set, Samba will adhere to the PAM's account and
+session restrictions. Requires <tt class="literal">--with-pam</tt>
+configuration option.</p></div>
+<a name="INDEX-276"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>only guest = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Forces users of a share to log on as the guest account. Synonym for
+<tt class="literal">guest</tt> <tt class="literal">only</tt>. Requires
+<tt class="literal">guest</tt> <tt class="literal">ok</tt> or
+<tt class="literal">public</tt> to be YES.</p></div>
+<a name="INDEX-277"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>only user = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Requires that users of the share be in the list specified by the
+<tt class="literal">user</tt> option.</p></div>
+<a name="INDEX-278"/><a name="INDEX-279"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>oplock break wait time = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p><a name="INDEX-279"/>This is an advanced tuning parameter and
+is recommended only for experts who know how Samba handles oplocks.
+This option might need to be set if a Windows system fails to release
+an oplock in response to a break request from the Samba server. Due
+to bugs on some Windows systems, they might fail to respond if Samba
+responds too quickly; the default on this option can be lengthened in
+such cases.</p></div>
+<a name="INDEX-280"/><a name="INDEX-281"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>oplock contention limit = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of milliseconds</p><p><b class="emphasis-bold">Default</b>:  2</p><p><a name="INDEX-281"/>This is an advanced tuning
+parameter and is recommended only for experts who know how Samba
+handles oplocks. It causes Samba to refuse to grant an oplock if the
+number of clients contending for a file exceeds the specified value.</p></div>
+<a name="INDEX-282"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>oplocks = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If YES, supports local caching of oplocked files on the client. This
+option is recommended because it improves performance by about 30%.
+See also <tt class="literal">fake</tt> <tt class="literal">oplocks</tt> and
+<tt class="literal">veto</tt> <tt class="literal">oplock</tt>
+<tt class="literal">files</tt>.</p></div>
+<a name="INDEX-283"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>os level = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer</p><p><b class="emphasis-bold">Default</b>: 20</p><p>Sets the candidacy of the server when electing a browse master. Used
+with the <tt class="literal">domain</tt> <tt class="literal">master</tt> or
+<tt class="literal">local</tt> <tt class="literal">master</tt> options. You can
+set a higher value than a competing operating system if you want
+Samba to win. Windows for Workgroups and Windows 95/98/Me use 1.
+Windows NT/2000/XP, when not acting as a PDC, use 16 and, when acting
+as a PDC, use 32. Warning: this can override non-Samba browse masters
+unexpectedly.</p></div>
+<a name="INDEX-284"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>os2 driver map = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a file containing mappings of Windows NT printer driver
+names to OS/2 printer driver names.</p></div>
+<a name="INDEX-285"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>pam password change = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, and if Samba is configured with
+<tt class="literal">--with-pam</tt>, PAM is allowed to handle password
+changes from clients, instead of using the program defined by the
+<tt class="literal">passwd</tt> <tt class="literal">program</tt> parameter.</p></div>
+<a name="INDEX-286"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>panic action = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the command to run when Samba panics. Honors all
+<tt class="literal">%</tt> variables. For Samba developers and testers,
+<tt class="literal">/usr/bin/X11/xterm</tt> <tt class="literal">-display</tt>
+<tt class="literal">:0</tt> <tt class="literal">-e</tt> <tt class="literal">gdb</tt>
+<tt class="literal">/samba/bin/smbd</tt> <tt class="literal">%d</tt> is a
+possible value.</p></div>
+<a name="INDEX-287"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passdb backend = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: smbpasswd, smbpasswd_nua, tdbsam, tdbsam_nua, plugin</p><p><b class="emphasis-bold">Default</b>: smbpasswd</p><p>Specifies methods Samba uses to store and retrieve passwords when
+using a method other than the Unix system's
+<em class="filename">/etc/passwd</em>. See also <tt class="literal">non unix account
+range</tt>. New in Samba 3.0.</p></div>
+<a name="INDEX-288"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passwd chat = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: sequence of strings</p><p><b class="emphasis-bold">Default</b>: compiled-in value</p><p>Sets the chat strings used to change passwords on the server.
+Supports the variables <tt class="literal">%o</tt> (old password) and
+<tt class="literal">%n</tt> (new password) and allows the escapes
+<tt class="literal">\r</tt>, <tt class="literal">\n</tt>, <tt class="literal">\t</tt>,
+and <tt class="literal">\s</tt> (space) in the sequence. See also
+<tt class="literal">unix password sync</tt>, <tt class="literal">passwd
+program</tt>, <tt class="literal">passwd chat debug</tt>, and
+<tt class="literal">pam</tt> <tt class="literal">password change</tt>.</p></div>
+<a name="INDEX-289"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passwd chat debug = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Logs an entire password chat, including passwords passed, with a log
+level of 100. For debugging only. See also <tt class="literal">passwd
+chat</tt>, <tt class="literal">pam password change</tt>, and
+<tt class="literal">passwd program</tt>.</p></div>
+<a name="INDEX-290"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>passwd program = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/bin/passwd</em></p><p>Sets the command used to change a user's password.
+Will be run as <tt class="literal">root</tt>. Supports
+<tt class="literal">%u</tt> (user). See also <tt class="literal">unix password
+sync</tt>.</p></div>
+<a name="INDEX-291"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>password level = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Specifies the number of uppercase-letter permutations used to match
+passwords. A workaround for clients that change passwords to a single
+case before sending them to the Samba server. Causes repeated login
+attempts with mixed-case passwords, which can trigger account
+lockouts. Required for Windows 95/98/Me, plain-text passwords, and
+mixed-case passwords. Try to avoid using.</p></div>
+<a name="INDEX-292"/><a name="INDEX-293"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>password server = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of NetBIOS names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of SMB servers that validate
+<a name="INDEX-293"/>passwords. Used with a Windows
+NT/2000 password server (PDC or BDC) and the
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">server</tt> or <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">domain</tt> configuration options.
+Caution: a Windows NT/2000 password server must allow logins from the
+Samba server. If set to <tt class="literal">*</tt>, Samba will look up the
+PDC by resolving the NetBIOS name WORKGROUP&lt;1C&gt;.</p></div>
+<a name="INDEX-294"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>path = directory</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the path to the directory provided by a file share or used by a
+printer share. If the option is omitted, it is set automatically in
+the <tt class="literal">[homes]</tt> share to the user's
+home directory; otherwise, defaults to<em class="filename"> /tmp</em>.
+Honors the <tt class="literal">%u</tt> (user) and <tt class="literal">%m</tt>
+(machine) variables.</p></div>
+<a name="INDEX-295"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>pid directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/var/locks</em></p><p>Sets the path to the directory where PID files are located.</p></div>
+<a name="INDEX-296"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>posix locking = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, Samba will map file locks owned by SMB clients to
+POSIX locks. Avoid changing.</p></div>
+<a name="INDEX-297"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>postexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as the user after disconnecting from the share.
+See also the <tt class="literal">preexec</tt>, <tt class="literal">root</tt>
+<tt class="literal">preexec</tt>, and <tt class="literal">root</tt>
+<tt class="literal">postexec</tt> options.</p></div>
+<a name="INDEX-298"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>postscript = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Forces a printer to recognize a file as PostScript by inserting
+<tt class="literal">%!</tt> as the first line. Works only if the printer is
+actually PostScript-compatible.</p></div>
+<a name="INDEX-299"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as the user before connecting to the share.
+Synonym for <tt class="literal">exec</tt>. See also the
+<tt class="literal">postexec</tt>, <tt class="literal">root</tt>
+<tt class="literal">preexec</tt>, and <tt class="literal">root</tt>
+<tt class="literal">postexec</tt> options.</p></div>
+<a name="INDEX-300"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preexec close = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>:  NO</p><p>If set, allows the <tt class="literal">preexec</tt> command to decide if
+the share can be accessed by the user. If the command returns a
+nonzero return code, the user is denied permission to connect.</p></div>
+<a name="INDEX-301"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preferred master = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: auto</p><p>If YES, Samba is the preferred master browser. Causes Samba to call a
+browsing election when it comes online. See also <tt class="literal">os
+level</tt>.</p></div>
+<a name="INDEX-302"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>prefered master = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: auto</p><p>Synonym for <tt class="literal">preferred master</tt>.</p></div>
+<a name="INDEX-303"/><a name="INDEX-304"/><a name="INDEX-305"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preload = service list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of shares</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of shares that always appears in
+<a name="INDEX-304"/><a name="INDEX-305"/>browse lists. Synonym for
+<tt class="literal">auto</tt> <tt class="literal">services</tt>. See also
+<tt class="literal">load printers</tt>.</p></div>
+<a name="INDEX-306"/><a name="INDEX-307"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>preserve case = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p><a name="INDEX-307"/>Leaves filenames in the case
+sent by the client. If NO, it forces filenames to the case specified
+by the <tt class="literal">default</tt> <tt class="literal">case</tt> option. See
+also <tt class="literal">short</tt> <tt class="literal">preserve</tt>
+<tt class="literal">case</tt>.</p></div>
+<a name="INDEX-308"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Sets a share to be a print share. Required for all printers. Synonym
+for <tt class="literal">print</tt> <tt class="literal">ok</tt>.</p></div>
+<a name="INDEX-309"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printcap name = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/etc/printcap</em></p><p>Sets the path to the printer capabilities file used by the
+<tt class="literal">[printers]</tt> share. The default value changes to
+<em class="filename">/etc/qconfig</em> under AIX and
+<em class="filename">lpstat</em> on System V. Also called
+<tt class="literal">printcap</tt>.</p></div>
+<a name="INDEX-310"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>print command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to send a spooled file to the printer. Usually
+initialized to a default value corresponding to the
+<tt class="literal">printing</tt> option. This option honors the
+<tt class="literal">%p</tt> (printer name), <tt class="literal">%s</tt> (spool
+file), and <tt class="literal">%f</tt> (spool file as a relative path)
+variables. The command must delete the spool file.</p></div>
+<a name="INDEX-311"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: printer name</p><p><b class="emphasis-bold">Default</b>: lp</p><p>Sets the name of the Unix printer used by the share. Also called
+<tt class="literal">printer</tt> <tt class="literal">name</tt>.</p></div>
+<a name="INDEX-312"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer admin = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>:  NULL</p><p>Specifies users who can administer a printer using the remote printer
+administration interface on a Windows system. The
+<tt class="literal">root</tt> user always has these privileges.</p></div>
+<a name="INDEX-313"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer driver = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: exact printer driver string used by Windows</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the string to pass to Windows when asked which driver to use to
+prepare files for a printer share. Note that the value is
+case-sensitive. Part of pre-2.2 printing system. Deprecated.</p></div>
+<a name="INDEX-314"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer driver file = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="emphasis">/usr/local/samba/printers/printers.def</em></p><p>Sets the location of a <em class="emphasis">msprint.def</em> file. Usable
+by Windows 95/98/Me. Part of pre-2.2 printing system. Deprecated.</p></div>
+<a name="INDEX-315"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer driver location = directory</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: UNC of shared directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">\\ server\ PRINTER$</em></p><p>Sets the location of the driver for a particular printer. The value
+is the pathname of the share that stores the printer driver files.
+Part of pre-2.2 printing system. Deprecated.</p></div>
+<a name="INDEX-316"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printer name = name</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">printer</tt>.</p></div>
+<a name="INDEX-317"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>printing = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: bsd, sysv, hpux, aix, qnx, plp, softq, lprng, cups</p><p><b class="emphasis-bold">Default</b>: bsd</p><p>Sets the printing style to a value other than that in which
+you've compiled. This sets initial values of at
+least <tt class="literal">print</tt> <tt class="literal">command</tt> ,
+<tt class="literal">lpq</tt> <tt class="literal">command</tt> , and
+<tt class="literal">lprm</tt> <tt class="literal">command</tt>.</p></div>
+<a name="INDEX-318"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>print ok = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Synonym for <tt class="literal">printable</tt>.</p></div>
+<a name="INDEX-319"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>private directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/private</em></p><p>Specifies the directory used for storing security-sensitive files
+such as <em class="filename">smbpasswd</em> and
+<em class="filename">secrets.tdb</em>. New in Samba 3.0.</p></div>
+<a name="INDEX-320"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>protocol = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: NT1, LANMAN2, LANMAN1, COREPLUS, CORE</p><p><b class="emphasis-bold">Default</b>: NT1</p><p>Synonym for <tt class="literal">max protocol</tt>.</p></div>
+<a name="INDEX-321"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>public = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If YES, passwords are not needed for this share. Also called
+<tt class="literal">guest</tt> <tt class="literal">ok</tt>.</p></div>
+<a name="INDEX-322"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>queuepause command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to pause a print queue. Usually initialized to
+a default value by the <tt class="literal">printing</tt> option.</p></div>
+<a name="INDEX-323"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>queueresume command = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Sets the command used to resume a print queue. Usually initialized to
+a default value by the <tt class="literal">printing</tt> option.</p></div>
+<a name="INDEX-324"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read bmpx = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, supports the &quot;Read Block
+Multiplex&quot; message. Avoid changing.</p></div>
+<a name="INDEX-325"/><a name="INDEX-326"/><a name="INDEX-327"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read list = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of user and/or group names</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of <a name="INDEX-326"/><a name="INDEX-327"/>users given read-only access
+to a writable share.</p></div>
+<a name="INDEX-328"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read only = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Sets a share to read-only. Antonym of <tt class="literal">writable</tt>,
+<tt class="literal">writeable</tt>, and <tt class="literal">write ok</tt>.</p></div>
+<a name="INDEX-329"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read raw = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows clients to read data using a 64K packet size. Recommended.</p></div>
+<a name="INDEX-330"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>read size = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: positive integer</p><p><b class="emphasis-bold">Default</b>: 16384</p><p>Allows disk reads and writes to overlap network reads and writes. A
+tuning parameter. Do not set larger than the default.</p></div>
+<a name="INDEX-331"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>realm = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: Kerberos realm name</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies the realm name for Kerberos 5 authentication. Requires the
+<tt class="literal">--with-krb5</tt> configure option. New in Samba 3.0.</p></div>
+<a name="INDEX-332"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>remote announce = remote list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of remote addresses</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Adds workgroups to the list on which the Samba server will announce
+itself. Specified as an IP address and optional workgroup (for
+instance, 192.168.220.215/SIMPLE) with multiple entries separated by
+spaces. Addresses can be the specific address of the browse master on
+a subnet or on directed broadcasts (i.e., ###.###.###.255). The
+server will appear on those workgroups' browse
+lists. Does not require WINS.</p></div>
+<a name="INDEX-333"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>remote browse sync = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: IP addresses</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Perform browse list synchronization with other Samba local master
+browsers. Addresses can be specific addresses or directed broadcasts
+(i.e., ###.###.###.255). The latter causes Samba to locate the local
+master browser on that subnet.</p></div>
+<a name="INDEX-334"/><a name="INDEX-335"/><a name="INDEX-336"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>restrict anonymous = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p><a name="INDEX-335"/><a name="INDEX-336"/>Denies access to users who do not
+supply a username. This is disabled by default because when the Samba
+server acts as the domain's PDC, the option can keep
+a client from revalidating its computer account when someone new logs
+in. Use of the option is recommended only when all clients are
+Windows NT/2000/XP systems.</p></div>
+<a name="INDEX-337"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">root</tt> <tt class="literal">directory</tt>.</p></div>
+<a name="INDEX-338"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root dir = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">root</tt> <tt class="literal">directory</tt>.</p></div>
+<a name="INDEX-339"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: /</p><p>Specifies a directory to <em class="emphasis">chroot( )</em> before
+starting daemons. Prevents any access outside that directory tree.
+See also the <tt class="literal">wide</tt> <tt class="literal">links</tt>
+configuration option. Also called <tt class="literal">root</tt> and
+<tt class="literal">root</tt> <tt class="literal">dir</tt>.</p></div>
+<a name="INDEX-340"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root postexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as <tt class="literal">root</tt> after disconnecting
+from the share. See also the <tt class="literal">preexec</tt>,
+<tt class="literal">postexec</tt>, and <tt class="literal">root</tt>
+<tt class="literal">preexec</tt> configuration options. Runs after the
+user's <tt class="literal">postexec</tt> command. Use with
+caution.</p></div>
+<a name="INDEX-341"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root preexec = command</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a command to run as <tt class="literal">root</tt> before connecting to
+the share. See also the <tt class="literal">preexec</tt>,
+<tt class="literal">postexec</tt>, and <tt class="literal">root</tt>
+<tt class="literal">postexec</tt> configuration options. Runs before the
+user's <tt class="literal">preexec</tt> command. Use with
+caution.</p></div>
+<a name="INDEX-342"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>root preexec close = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>:  NO</p><p>If set, allows the <tt class="literal">root</tt> <tt class="literal">preexec</tt>
+command to decide if the share can be accessed by the user. If the
+command returns a nonzero return code, the user will be denied
+permission to connect.</p></div>
+<a name="INDEX-343"/><a name="INDEX-344"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>security = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share, user, server, domain</p><p><b class="emphasis-bold">Default</b>: user</p><p>Sets the client
+<a name="INDEX-344"/>authentication method. If
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">share</tt>, services are password-protected, available
+to everyone who knows the password. If <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">user</tt>, users have accounts and
+passwords, and are required to authenticate with the server before
+accessing services. If <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">server</tt>, users have accounts
+and passwords as with <tt class="literal">security = user</tt>, and a
+separate system authenticates them for Samba. If
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">domain</tt>, Windows NT domain authentication is
+implemented using a Windows NT/2000 or other Samba server to validate
+accounts. See also the <tt class="literal">password server</tt> and
+<tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
+configuration options.</p></div>
+<a name="INDEX-345"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>security mask = value</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: octal value from 0 to 0777</p><p><b class="emphasis-bold">Default</b>:  0777</p><p>Controls which permission bits can be changed if a user on a Windows
+NT/2000/XP system edits the Unix permissions of files on the Samba
+server using the Windows system's ACL editing dialog
+box. Any bit that is set in the mask can be changed by the user; any
+bit that is clear remains the same on the file even if the user tries
+to change it. Requires <tt class="literal">nt</tt> <tt class="literal">acl</tt>
+<tt class="literal">support</tt> <tt class="literal">=</tt>
+<tt class="literal">YES</tt>. Note that some rarely used bits map to the
+DOS system, hidden, and archive bits in the file attributes in a
+nonintuitive way.</p></div>
+<a name="INDEX-346"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>server string = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: string</p><p><b class="emphasis-bold">Default</b>: Samba <tt class="literal">%v</tt></p><p>Sets the name that corresponds to the Samba server in browse lists.
+Honors the <tt class="literal">%v</tt> (Samba version number) and
+<tt class="literal">%h</tt> (hostname) variables.</p></div>
+<a name="INDEX-347"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>set directory = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Allows the DEC Pathworks client to use the <em class="emphasis">set
+dir</em> command.</p></div>
+<a name="INDEX-348"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>share modes = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Directs Samba to support Windows-style whole-file (deny mode) locks.
+Do not change.</p></div>
+<a name="INDEX-349"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>short preserve case = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, leaves mangled 8.3-style filenames in the case sent by
+the client. If NO, forces the case to that specified by the
+<tt class="literal">default</tt> <tt class="literal">case</tt> option. See also
+<tt class="literal">preserve</tt> <tt class="literal">case</tt>.</p></div>
+<a name="INDEX-350"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>show add printer wizard = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set, tells clients that the Add Printer Wizard can be used to add
+a Samba printer from Windows NT/2000/XP clients. See also
+<tt class="literal">add printer command</tt>, <tt class="literal">delete
+printer</tt> <tt class="literal">comamnd</tt>, and <tt class="literal">printer
+admin</tt>.</p></div>
+<a name="INDEX-351"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>shutdown script = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: command</p><p><b class="emphasis-bold">Default</b>: NONE</p><p>Specifies a command that initiates a system shutdown. The command is
+run with the UID of the connected user. The <tt class="literal">%m</tt>
+(message), <tt class="literal">%t</tt> (delay time), <tt class="literal">%r</tt>
+(reboot), and <tt class="literal">%f</tt> (force) options are supported.
+See also <tt class="literal">abort shutdown script</tt>. New in Samba 3.0.</p></div>
+<a name="INDEX-352"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smb passwd file = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/samba/private/smbpasswd</em></p><p>Overrides the compiled-in path to the encrypted password file. See
+also <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt> and
+<tt class="literal">private dir</tt>.</p></div>
+<a name="INDEX-353"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>socket address = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: IP address</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the address on which to listen for connections. Default is to
+listen to all addresses.</p></div>
+<a name="INDEX-354"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>socket options = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: socket option list</p><p><b class="emphasis-bold">Default</b>: TCP_NODELAY</p><p>Sets OS-specific socket options. SO_KEEPALIVE makes TCP check clients
+every four hours to see if they are still accessible. TCP_NODELAY
+sends even tiny packets to keep delay low. Both are recommended
+wherever the operating system supports them.</p></div>
+<a name="INDEX-355"/><a name="INDEX-356"/><a name="INDEX-357"/><a name="INDEX-358"/><a name="INDEX-359"/><a name="INDEX-360"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>source environment = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Causes Samba to read a list of <a name="INDEX-356"/>environment variables from a file upon
+startup. This can be useful when setting up Samba in a
+<a name="INDEX-357"/><a name="INDEX-358"/><a name="INDEX-359"/><a name="INDEX-360"/>clustered environment. The
+filename can begin with a &quot;|&quot;
+(pipe) character, in which case it causes Samba to run the file as a
+command to obtain the variables.</p><p>The file must be owned by <tt class="literal">root</tt> and must not be
+world-writable. If the filename begins with a
+&quot;|&quot; character, it must point to a
+command that is neither world-writable nor resides in a
+world-writable directory.</p><p>The data should be in the form of lines such as
+SAMBA_NETBIOS_NAME=<em class="replaceable">myhostname</em>. This value
+will then be available in the <em class="filename">smb.conf</em> files as
+%$SAMBA_NETBIOS_NAME.</p></div>
+<a name="INDEX-361"/><a name="INDEX-362"/><a name="INDEX-363"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>:  NO</p><p><a name="INDEX-362"/><a name="INDEX-363"/>Makes
+Samba use SSL for data exchange with some or all hosts. Requires
+<tt class="literal">--with-ssl</tt> configure option.Obsolete starting with
+Samba 3.0.</p></div>
+<a name="INDEX-364"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl CA certDir = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/certs</em></p><p>Specifies a directory containing a file for each Certification
+Authority (CA) that the Samba server trusts so that Samba can verify
+client certificates. Part of SSL support. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-365"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl CA certFile = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/certs/trustedCAs.pem</em></p><p>Specifies a file that contains information for each CA that the Samba
+server trusts so that Samba can verify client certificates. Part of
+SSL support. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-366"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl ciphers = list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of ciphers</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies which ciphers should be offered during SSL negotiation. Not
+recommended. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-367"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl client cert = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/certs/smbclient.pem</em></p><p>Specifies a file containing the server's SSL
+certificate, for use by <em class="emphasis">smbclient</em> if
+certificates are required in this environment. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-368"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl client key = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/usr/local/ssl/private/smbclient.pem</em></p><p>Specifies a file containing the server's private SSL
+key, for use by <em class="emphasis">smbclient</em>. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-369"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl compatibility = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Determines whether SSLeay should be configured for bug compatibility
+with other SSL implementations. Not recommended. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-370"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl hosts = host list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Requires that SSL be used with the hosts listed. By default, if the
+<tt class="literal">ssl</tt> option is set, the server requires SSL with
+all hosts. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-371"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl hosts resign = host list</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of hosts or networks</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Suppresses the use of SSL with the hosts listed. By default, if the
+<tt class="literal">ssl</tt> option is set, the server requires SSL with
+all hosts. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-372"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl require clientcert = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Requires clients to use certificates when SSL is in use. This option
+is recommended if SSL is used. Requires <tt class="literal">--with-ssl</tt>
+configure option. Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-373"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl require servercert = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>When SSL is in use, <em class="emphasis">smbclient</em> requires servers
+to use certificates. This option is recommended if SSL is used.
+Requires <tt class="literal">--with-ssl</tt> configure option. Obsolete
+starting with Samba 3.0.</p></div>
+<a name="INDEX-374"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl server cert = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a file containing the server's SSL
+certificate. Requires <tt class="literal">--with-ssl</tt> configure option.
+Obsolete starting with Samba 3.0.</p></div>
+<a name="INDEX-375"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl server key = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a file containing the server's private SSL
+key. If no file is specified and SSL is in use, the server looks up
+its key in its server certificate. Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.</p></div>
+<a name="INDEX-376"/><a name="INDEX-377"/><a name="INDEX-378"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>ssl version = string</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: &quot;ssl2&quot;,
+&quot;ssl3&quot;,
+&quot;ssl2or3&quot;,
+&quot;tls1&quot;</p><p><b class="emphasis-bold">Default</b>: &quot;ssl2or3&quot;</p><p>Defines which versions of the SSL protocol the server can use:
+Version 2 only (&quot;ssl2&quot;), Version 3
+only (&quot;ssl3&quot;), Version 2 or 3
+dynamically negotiated (&quot;ssl2or3&quot;),
+or Transport Layer Security
+(&quot;tls1&quot;). Requires
+<tt class="literal">--with-ssl</tt> configure option. Obsolete starting
+with Samba 3.0.<a name="INDEX-377"/><a name="INDEX-378"/></p></div>
+<a name="INDEX-379"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>stat cache = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Makes the Samba server cache client names for faster resolution.
+Should not be changed.</p></div>
+<a name="INDEX-380"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>stat cache size = number </i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 50</p><p>Determines the number of client names cached for faster resolution.
+Should not be changed.</p></div>
+<a name="INDEX-381"/><a name="INDEX-382"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>status = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to YES, logs connections to a file (or shared memory)
+accessible to <em class="filename">smbstatus</em>.
+<a name="INDEX-382"/>Obsolete
+starting with Samba 3.0.</p></div>
+<a name="INDEX-383"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strict allocate = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, allocates all disk blocks when creating or extending
+the size of files, instead of using the normal sparse file allocation
+used on Unix. This slows the server, but results in behavior that
+matches that of Windows and helps Samba correctly report
+&quot;out of quota&quot; messages.</p></div>
+<a name="INDEX-384"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strict locking = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, checks locks on every access, not just on demand and
+at open time. Not recommended.</p></div>
+<a name="INDEX-385"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strict sync = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, Samba synchronizes to disk whenever the client sets
+the sync bit in a packet. If set to NO, Samba flushes data to disk
+whenever buffers fill. Defaults to NO because Windows 98 Explorer
+sets the bit (incorrectly) in all packets.</p></div>
+<a name="INDEX-386"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>strip dot = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Removes trailing dots from filenames. Dysfunctional in Samba 2.2; use
+<tt class="literal">mangled</tt> <tt class="literal">map</tt> instead.</p></div>
+<a name="INDEX-387"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>sync always = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, Samba forces the data to disk through <em class="emphasis">fsync</em>
+(3) after every write. Avoid except to debug crashing
+servers.</p></div>
+<a name="INDEX-388"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>syslog = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 1</p><p>Sets the level of Samba log messages to send to
+<em class="filename">syslog</em>. Higher is more verbose. The
+<em class="filename">syslog.conf</em> file must have suitable logging
+enabled.</p></div>
+<a name="INDEX-389"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>syslog only = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, logs only to <em class="emphasis">syslog</em> instead of
+the standard Samba log files.</p></div>
+<a name="INDEX-390"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>template homedir = path</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to directory</p><p><b class="emphasis-bold">Default</b>: /home/<tt class="literal">%D</tt>/<tt class="literal">%U</tt></p><p>Sets the home directory for Unix login sessions for users
+authenticated through winbind. <tt class="literal">%D</tt> will be replaced
+with user's domain name; <tt class="literal">%U</tt> by
+the username.</p></div>
+<a name="INDEX-391"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>template shell = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to shell</p><p><b class="emphasis-bold">Default</b>: <em class="filename">/bin/false</em></p><p>Sets the shell for Unix login sessions for users authenticated
+through winbind. The default value prevents all Windows domain user
+logins.</p></div>
+<a name="INDEX-392"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>time offset = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of minutes</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Sets the number of minutes to add to the system time-zone
+calculation. Provided to fix a client daylight-savings bug. Not
+recommended.</p></div>
+<a name="INDEX-393"/><a name="INDEX-394"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>time server = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, <em class="emphasis">nmbd</em><a name="INDEX-394"/>
+advertises itself as a provider of SMB time service to clients. This
+option only affects whether the time service is advertised. It does
+not enable or disable time service.</p></div>
+<a name="INDEX-395"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>timestamp logs = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Synonym for <tt class="literal">debug</tt> <tt class="literal">timestamp</tt>.</p></div>
+<a name="INDEX-396"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>total print jobs = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0 (no limit)</p><p>Limits total number of current print jobs on server. See also
+<tt class="literal">max print jobs</tt>.</p></div>
+<a name="INDEX-397"/><a name="INDEX-398"/><a name="INDEX-399"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>unix extensions = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, supports
+<a name="INDEX-398"/>CIFS Unix extensions, providing
+better filesystem support for Unix clients. <a name="INDEX-399"/>Obsolete in Samba 3.0, which always
+offers support.</p></div>
+<a name="INDEX-400"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>unix password sync = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, attempts to change the user's Unix
+password whenever the user changes her SMB password. Used to ease
+synchronization of Unix and Microsoft password databases. See also
+<tt class="literal">password program</tt> and <tt class="literal">passwd</tt>
+<tt class="literal">chat</tt>.</p></div>
+<a name="INDEX-401"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>update encrypted = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Updates the encrypted password file when a user logs on with an
+unencrypted password. Provided to ease conversion from unencrypted to
+encrypted passwords.</p></div>
+<a name="INDEX-402"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use client driver = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>Used for avoiding <tt class="literal">Access Denied; Unable to connect</tt>
+messages when connecting to a Samba printer from Windows NT/2000/XP
+clients. Necessary only when the client has a local printer driver
+for the Samba printer.</p></div>
+<a name="INDEX-403"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use mmap = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: varies</p><p>Tells Samba whether the <em class="emphasis">mmap( )</em> system call
+works correctly on the Samba host. Default is automatically set
+correctly. Do not change.</p></div>
+<a name="INDEX-404"/><a name="INDEX-405"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use rhosts = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, users' <em class="filename">~/.rhosts</em>
+files will be used to identify systems from which users can connect
+without providing a password. Discouraged. <a name="INDEX-405"/>Obsolete
+in Samba 3.0.</p></div>
+<a name="INDEX-406"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>use sendfile = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If yes, Samba will perform some data transfers for exclusively
+oplocked files using the <em class="emphasis">sendfile( )</em> system
+call, which results in significant performance improvements. This is
+available if Samba has been configured with the
+<tt class="literal">--with-sendfile-support</tt> option. This is an
+experimental option and is new in Samba 2.2.5.</p></div>
+<a name="INDEX-407"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>user = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">username</tt>.</p></div>
+<a name="INDEX-408"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>username = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets a list of users that are tried when logging on with share-level
+security in effect. Also called <tt class="literal">user</tt> or
+<tt class="literal">users</tt>. Discouraged. Use <tt class="literal">NET</tt>
+<tt class="literal">USE</tt>
+<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\</tt><em class="replaceable">share
+</em><tt class="literal">%</tt><em class="replaceable">user</em>
+from the client instead.</p></div>
+<a name="INDEX-409"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>username level = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number</p><p><b class="emphasis-bold">Default</b>: 0</p><p>Specifies the number of uppercase-letter permutations allowed to
+match Unix usernames. A workaround for Windows'
+single-case usernames. Use is discouraged.</p></div>
+<a name="INDEX-410"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>username map = filename</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of file</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Names a file of Unix-to-Windows name pairs; used to map different
+spellings of account names and Windows usernames longer than eight
+characters.</p></div>
+<a name="INDEX-411"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Synonym for <tt class="literal">username</tt>.</p></div>
+<a name="INDEX-412"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>utmp = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>This is available if Samba has been configured with the
+<tt class="literal">--with-utmp</tt> option. If set, Samba adds
+<em class="emphasis">utmp</em>/<em class="emphasis">utmpx</em> records whenever
+a connection is made to a Samba server. Sites can use this option to
+record each connection to a Samba share as a system login.</p></div>
+<a name="INDEX-413"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>utmp directory = directory</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: name of directory</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>This is available if Samba has been configured with the
+<tt class="literal">--with-utmp</tt> option. If this option and
+<tt class="literal">utmp</tt> are set, Samba will look in the specified
+directory rather than the default system directory for
+<em class="filename">utmp</em>/<em class="filename">utmpx</em> files.</p></div>
+<a name="INDEX-414"/><a name="INDEX-415"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>valid chars = list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: list of numeric values</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Adds national characters to a character set map. See also
+<tt class="literal">client</tt> <tt class="literal">code</tt>
+<tt class="literal">page</tt>. <a name="INDEX-415"/>Obsolete in Samba 3.0.</p></div>
+<a name="INDEX-416"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>valid users = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL (allows everyone)</p><p>Specifies a list of users that can connect to a share. See also
+<tt class="literal">invalid users</tt>.</p></div>
+<a name="INDEX-417"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>veto files = slash-separated list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: slash-separated list of filenames</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of files that the client will not see when listing a
+directory's contents. See also
+<tt class="literal">delete</tt> <tt class="literal">veto</tt>
+<tt class="literal">files</tt> and <tt class="literal">hide files</tt>.</p></div>
+<a name="INDEX-418"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>veto oplock files = slash-separated list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: slash-separated list of filenames</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of files not to oplock (and cache on clients). See
+also <tt class="literal">oplocks</tt> and <tt class="literal">fake</tt>
+<tt class="literal">oplocks</tt>.</p></div>
+<a name="INDEX-419"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>vfs object = filename</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to shared library</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the shared library to use for Samba's
+Virtual File System (VFS). Requires the <tt class="literal">--with-vfs</tt>
+configure option.</p></div>
+<a name="INDEX-420"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>vfs options = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: space-separated list of options</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies parameters to the VFS. Requires the
+<tt class="literal">--with-vfs</tt> configure option. See <tt class="literal">vfs
+object</tt>.</p></div>
+<a name="INDEX-421"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>volume = string</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: share name</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the volume label of a disk share. Especially useful with shared
+CD-ROMs.</p></div>
+<a name="INDEX-422"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wide links = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set, Samba follows symlinks out of the disk share. See also the
+<tt class="literal">root</tt> <tt class="literal">dir</tt> and
+<tt class="literal">follow</tt> <tt class="literal">symlinks</tt> options.</p></div>
+<a name="INDEX-423"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind cache time = number</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: number of seconds</p><p><b class="emphasis-bold">Default</b>: 15</p><p>Sets the amount of time that the <em class="emphasis">winbindd</em> daemon
+caches user and group information.</p></div>
+<a name="INDEX-424"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind enum users = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES/NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to NO, enumeration of users is suppressed by winbind.
+Discouraged.</p></div>
+<a name="INDEX-425"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind enum groups = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES/NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>If set to NO, enumeration of groups is suppressed by winbind.
+Discouraged.</p></div>
+<a name="INDEX-426"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind gid = numeric range</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer-integer</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the group ID range winbind uses for Windows NT domain users
+connecting to Samba.</p></div>
+<a name="INDEX-427"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind separator = character</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: ASCII character</p><p><b class="emphasis-bold">Default</b>: \</p><p>Specifies the character winbind uses to separate a domain name and
+username.</p></div>
+<a name="INDEX-428"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbind uid = numeric range</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: integer-integer</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies the user ID range winbind will use for Windows NT domain
+users connecting to Samba.</p></div>
+<a name="INDEX-429"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins hook = command</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: full path to script</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a command to run whenever the WINS server updates its
+database. Allows WINS to be synchronized with DNS or other services.
+The command is passed one of the arguments <tt class="literal">add</tt>,
+<tt class="literal">delete</tt>, or <tt class="literal">refresh</tt>, followed by
+the NetBIOS name, the name type (two hexadecimal digits), the TTL in
+seconds, and the IP addresses corresponding to the NetBIOS name.
+Requires <tt class="literal">wins</tt> <tt class="literal">service</tt>
+<tt class="literal">=</tt> <tt class="literal">YES</tt>.</p></div>
+<a name="INDEX-430"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins proxy = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, <em class="emphasis">nmbd</em> proxies resolution requests
+to WINS servers on behalf of old clients, which use broadcasts. The
+WINS server is typically on another subnet.</p></div>
+<a name="INDEX-431"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins server = value</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: hostname or IP address</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Sets the DNS name or IP address of the WINS server.</p></div>
+<a name="INDEX-432"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wins support = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: NO</p><p>If set to YES, activates the WINS service. The
+<tt class="literal">wins</tt> <tt class="literal">server</tt> option must not be
+set if <tt class="literal">wins</tt> <tt class="literal">support</tt>
+<tt class="literal">=</tt> <tt class="literal">YES</tt>.</p></div>
+<a name="INDEX-433"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>workgroup = name</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: workgroup name</p><p><b class="emphasis-bold">Default</b>: compiled-in</p><p>Sets the workgroup or domain to which the Samba server belongs.
+Overrides the compiled-in default of WORKGROUP. Choosing a name other
+than WORKGROUP is highly recommended.</p></div>
+<a name="INDEX-434"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>writable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Antonym for <tt class="literal">read</tt> <tt class="literal">only</tt>;
+<tt class="literal">writeable</tt> and <tt class="literal">write</tt>
+<tt class="literal">ok</tt> are synonyms.</p></div>
+<a name="INDEX-435"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>writeable = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Antonym for <tt class="literal">read</tt> <tt class="literal">only</tt>;
+<tt class="literal">writable</tt> and <tt class="literal">write</tt>
+<tt class="literal">ok</tt> are synonyms.</p></div>
+<a name="INDEX-436"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write cache size = number</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: decimal number of bytes</p><p><b class="emphasis-bold">Default</b>: 0 (disabled)</p><p>Allocates a write buffer of the specified size in which Samba
+accumulates data before a write to disk. This option can be used to
+ensure that each write has the optimal size for a given filesystem.
+It is typically used with RAID drives, which have a preferred write
+size, and with systems that have large memory and slow disks.</p></div>
+<a name="INDEX-437"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write list = user list</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: user list</p><p><b class="emphasis-bold">Default</b>: NULL</p><p>Specifies a list of users that are given read/write access to a
+read-only share. See also <tt class="literal">read</tt>
+<tt class="literal">list</tt>.</p></div>
+<a name="INDEX-438"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write ok = boolean</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Synonym for <tt class="literal">writable</tt>.</p></div>
+<a name="INDEX-439"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>write raw = boolean</i></b></font></td><td align="right"><i>[global]
+</i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p><b class="emphasis-bold">Allowable values</b>: YES, NO</p><p><b class="emphasis-bold">Default</b>: YES</p><p>Allows fast-streaming writes over TCP using 64KB buffers. Recommended.</p></div>
+
+
+
+<div class="sect1"><a name="samba2-APP-B-SECT-2"/>
+
+<h2 class="head1">Glossary of Configuration Value Types</h2>
+
+<dl>
+<dt><b><a name="INDEX-440"/><em class="emphasis">boolean</em></b></dt>
+<dd>
+<p>One of two values, either YES or NO.</p>
+</dd>
+
+
+
+<dt><b>character</b></dt>
+<dd>
+<p>A single ASCII character.</p>
+</dd>
+
+
+
+<dt><b>command</b></dt>
+<dd>
+<p>A Unix script or compiled program, with an absolute path specified
+for the executable and parameters.</p>
+</dd>
+
+
+
+<dt><b>directory</b></dt>
+<dd>
+<p>An absolute path specification to a directory. For example:</p>
+
+<blockquote><pre class="code">/usr/local/samba/lib</pre></blockquote>
+</dd>
+
+</dl>
+
+<dl>
+<dt><b>filename</b></dt>
+<dd>
+<p>An absolute path specification to a file. For example:</p>
+
+<blockquote><pre class="code">/etc/printcap</pre></blockquote>
+</dd>
+
+
+<dt><b>host list</b></dt>
+<dd>
+<p>A list of hosts. Allows IP addresses, address masks, domain names,
+ALL, and EXCEPT.</p>
+</dd>
+
+
+
+<dt><b>interface list</b></dt>
+<dd>
+<p>A list of interfaces, in either address/netmask or address/n-bits
+format. For example:</p>
+
+
+<blockquote><pre class="code">192.168.2.10/255.255.255.0, 192.168.2.10/24</pre></blockquote>
+</dd>
+
+
+<dt><b>map list</b></dt>
+<dd>
+<p>A list of filename remapping strings such as
+<tt class="literal">(*.html</tt> <tt class="literal">*.htm)</tt>.</p>
+</dd>
+
+
+
+<dt><b>name</b></dt>
+<dd>
+<p>A single name of a type of object, as specified in the
+option's description.</p>
+</dd>
+
+
+
+<dt><b>number</b></dt>
+<dd>
+<p>A positive integer.</p>
+</dd>
+
+
+
+<dt><b>numeric range</b></dt>
+<dd>
+<p>Two numbers separated by a dash, specifying a minimum and a maximum
+value. For example:</p>
+
+
+<blockquote><pre class="code">100-250</pre></blockquote>
+</dd>
+
+
+<dt><b>remote list</b></dt>
+<dd>
+<p>A list of subnet-broadcast-address/workgroup pairs. For example:</p>
+
+<blockquote><pre class="code">192.168.2.255/SERVERS 192.168.4.255/STAFF</pre></blockquote>
+</dd>
+
+
+<dt><b>service (share) list</b></dt>
+<dd>
+<p>A list of service (share) names, without the enclosing parentheses.</p>
+</dd>
+
+
+
+<dt><b>slash-separated list</b></dt>
+<dd>
+<p>A list of filenames, separated by
+&quot;/&quot; characters to allow embedded
+spaces. For example:</p>
+
+
+<blockquote><pre class="code">/.*/My Documents/*.doc/</pre></blockquote>
+</dd>
+
+
+<dt><b>string</b></dt>
+<dd>
+<p>One line of arbitrary text.</p>
+</dd>
+
+
+
+<dt><b>user list</b></dt>
+<dd>
+<p>A list of usernames and/or group names.
+<tt class="literal">@</tt><em class="replaceable">group_name</em> includes
+whomever is in the NIS netgroup
+<em class="replaceable">group_name</em>, if one exists, or otherwise
+whomever is in the Unix group <em class="replaceable">group_name</em>.
+In addition,
+<tt class="literal">+</tt><em class="replaceable">group_name</em> is a Unix
+group, <tt class="literal">&amp;</tt><em class="replaceable">group_name</em>
+is an NIS netgroup, and <tt class="literal">&amp;+</tt> and
+<tt class="literal">+&amp;</tt> cause an ordered search of both Unix and
+NIS groups.</p>
+</dd>
+
+
+
+<dt><b>value</b></dt>
+<dd>
+<p>A value of some miscellaneous type, as specified in the
+option's description.<a name="INDEX-441"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-APP-B-SECT-3"/>
+
+<h2 class="head1">Configuration File Variables</h2>
+
+<p><a href="appb.html#samba2-APP-B-TABLE-1">Table B-1</a> lists the Samba configuration file
+variables.</p>
+
+<a name="samba2-APP-B-TABLE-1"/><h4 class="head4">Table B-1. Configuration file variables</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Name</p>
+</th>
+<th>
+<p>Meaning</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">%a</tt></p>
+</td>
+<td>
+<p>Client's architecture (Samba, WfWg, WinNT, Win95, or
+UNKNOWN)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%d</tt></p>
+</td>
+<td>
+<p>Current server process's process ID</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%D</tt></p>
+</td>
+<td>
+<p>User's Windows NT Domain</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%f</tt></p>
+</td>
+<td>
+<p>Printer spool file as a relative path (printing only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%f</tt></p>
+</td>
+<td>
+<p>User from which a message was sent (messages only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%G</tt></p>
+</td>
+<td>
+<p>Primary group name of <tt class="literal">%U</tt> (requested username)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%g</tt></p>
+</td>
+<td>
+<p>Primary group name of <tt class="literal">%u</tt> (actual username)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%H</tt></p>
+</td>
+<td>
+<p>Home directory of <tt class="literal">%u</tt> (actual username)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%h</tt></p>
+</td>
+<td>
+<p>Samba server's (Internet) hostname</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%I</tt></p>
+</td>
+<td>
+<p>Client's IP address</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%j</tt></p>
+</td>
+<td>
+<p>Print job number (printing only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%L</tt></p>
+</td>
+<td>
+<p>Samba server's NetBIOS name (virtual servers have
+multiple names)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%M</tt></p>
+</td>
+<td>
+<p>Client's (Internet) hostname</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%m</tt></p>
+</td>
+<td>
+<p>Client's NetBIOS name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%N</tt></p>
+</td>
+<td>
+<p>Name of the NIS home directory server (without NIS, same as
+<tt class="literal">%L</tt>)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%n</tt></p>
+</td>
+<td>
+<p>New password (password change only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%o</tt></p>
+</td>
+<td>
+<p>Old password (password change only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%P</tt></p>
+</td>
+<td>
+<p>Current share's root directory (actual)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%p</tt></p>
+</td>
+<td>
+<p>Current share's root directory (in an NIS homedir
+map)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%p</tt></p>
+</td>
+<td>
+<p>Print filename (printing only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%R</tt></p>
+</td>
+<td>
+<p>Protocol level in use (CORE, COREPLUS, LANMAN1, LANMAN2, or NT1)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%S</tt></p>
+</td>
+<td>
+<p>Current share's name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%s</tt></p>
+</td>
+<td>
+<p>Name of the file in which the message resides (messages only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%s</tt></p>
+</td>
+<td>
+<p>Printer spool filename (printing only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%T</tt></p>
+</td>
+<td>
+<p>Current date and time</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%t</tt></p>
+</td>
+<td>
+<p>Destination system (messages only)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%U</tt></p>
+</td>
+<td>
+<p>Requested username for current share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%u</tt></p>
+</td>
+<td>
+<p>Current share's username</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%v</tt></p>
+</td>
+<td>
+<p>Samba version</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>%$<em class="replaceable">name</em></p>
+</td>
+<td>
+<p>Value of environment variable <em class="replaceable">name</em></p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+
+</body></html>
diff --git a/docs/htmldocs/using_samba/appc.html b/docs/htmldocs/using_samba/appc.html
new file mode 100644
index 0000000000..22ec5a5115
--- /dev/null
+++ b/docs/htmldocs/using_samba/appc.html
@@ -0,0 +1,4534 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix C. Summary of Samba Daemons and Commands</h1>
+
+
+<p>This appendix is a reference listing of command-line options and
+other information to help you use the programs that come with the
+Samba distribution.</p>
+
+
+
+<div class="sect1"><a name="samba2-APP-C-SECT-1"/>
+
+<h2 class="head1">Samba Daemons</h2>
+
+<p>The following sections provide information about the command-line
+parameters for <em class="emphasis">smbd</em>, <em class="emphasis">nmbd</em>,
+and <em class="emphasis">winbindd</em>.</p>
+
+</div>
+
+
+<a name="INDEX-1"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbd</em> program provides
+Samba's file and printer services, using one TCP/IP
+stream and one daemon per client. It is controlled from
+<em class="filename">/usr/local/samba/lib/smb.conf</em>, the default
+configuration file, which can be overridden by command-line options.</p><p>The configuration file is automatically reevaluated every minute. If
+it has changed, most new options are immediately effective. You can
+force Samba to reload the configuration file immediately by sending a
+SIGHUP signal to <em class="emphasis">smbd</em>. Reloading the
+configuration file does not affect any clients that are already
+connected. To escape this condition, a client would need to
+disconnect and reconnect, or the server itself would have to be
+restarted, forcing all clients to reconnect.</p>
+<div class="sect1"><a name="appc-5-fm2xml"/>
+
+<h4 class="refsect1">Other Signals</h4>
+<p>To shut down an <em class="emphasis">smbd</em> process, send it the
+termination signal SIGTERM (15), which allows it to die gracefully,
+instead of a SIGKILL (9). With Samba versions prior to 2.2, the
+debugging level could be raised or lowered using SIGUSR1 or SIGUSR2.
+This is no longer supported. Use <em class="emphasis">smbcontrol</em>
+instead.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-6-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbd <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-7-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt></b></dt>
+<dd>
+<p>Causes each new connection to the Samba server to append all logging
+messages to the log file. This option is the opposite of
+<tt class="literal">-o</tt> and is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt></b></dt>
+<dd>
+<p>Runs the <em class="emphasis">smbd</em> program as a daemon. This is the
+recommended way to use <em class="emphasis">smbd</em>. It is also the
+default action when <em class="emphasis">smbd</em> is run from an
+interactive command line. In addition, <em class="emphasis">smbd</em> can
+be run from <em class="emphasis">inetd</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Specifying the value on the command line overrides the
+value specified in the <em class="filename">smb.conf</em> file. Debug
+level 0 logs only the most important messages; level 1 is normal;
+levels 3 and above are primarily for debugging and slow
+<em class="emphasis">smbd</em> considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt> </b></dt>
+<dd>
+<p>Prints usage information for the <em class="emphasis">smbd</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Runs <em class="emphasis">smbd</em> interactively, rather than as a
+daemon. This option is used to override the default daemon mode when
+<em class="emphasis">smbd</em> is run from the command line.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_ directory</em></b></dt>
+<dd>
+<p>Sends the log messages to somewhere other than the location compiled
+into the executable or specified in the <em class="filename">smb.conf</em>
+file. The default is often
+<em class="filename">/usr/local/samba/var/</em>,
+<em class="filename">/usr/samba/var/</em>, or
+<em class="filename">/var/log/</em>. The log file is placed in the
+specified directory and named <em class="filename">log.smbd</em>. If the
+directory does not exist, Samba's compiled-in
+default will be used.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-O</tt> <em class="replaceable">socket_options</em></b></dt>
+<dd>
+<p>Sets the TCP/IP socket options, using the same parameters as the
+<tt class="literal">socket options</tt> configuration option. Often used
+for performance tuning and testing.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-o</tt></b></dt>
+<dd>
+<p>Causes log files to be overwritten when opened (the opposite of
+<tt class="literal">-a</tt>). Using this option saves you from hunting for
+the right log entries if you are performing a series of tests and
+inspecting the log file each time.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">port_number</em></b></dt>
+<dd>
+<p>Sets the TCP/IP port number from which the server will accept
+requests. All Microsoft clients send to the default port of 139,
+except for Windows 2000/XP, which can use port 445 for SMB
+networking, without the NetBIOS protocol layer.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-P</tt></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbd</em> to run in
+&quot;passive&quot; mode, in which it just
+listens, and does not transmit any network traffic. This is useful
+only for debugging by developers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">configuration_ file</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file. Although the
+file defaults to <em class="filename">/usr/local/samba/lib/smb.conf</em>,
+you can override it on the command line. Typically used for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Prints the current version of Samba.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-2"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nmbd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">nmbd</em> program is Samba's
+NetBIOS name service and browsing daemon. It replies to NetBIOS over
+TCP/IP (also called NetBT or NBT) name-service requests broadcast
+from SMB clients, and optionally to Microsoft's
+Windows Internet Name Service (WINS) requests. Both are versions of
+the name-to-address lookup required by SMB clients. The broadcast
+version uses UDP broadcast on the local subnet only, while WINS uses
+TCP, which can be routed. If running as a WINS server,
+<em class="emphasis">nmbd</em> keeps a current name and address database
+in the file <em class="filename">/usr/local/samba/var/locks/wins.dat</em>.</p><p>An active <em class="emphasis">nmbd</em> daemon also responds to browsing
+protocol requests used by the Windows Network Neighborhood. This
+protocol provides a dynamic directory of servers, as well as the
+disks and printers that the servers are providing. As with WINS, this
+was initially done by making UDP broadcasts on the local subnet. With
+the addition of the local master browser to the network architecture,
+it is done by making TCP connections to a server. If
+<em class="emphasis">nmbd</em> is acting as a local master browser, it
+stores the browsing database in the file
+<em class="filename">/usr/local/samba/var/locks/browse.dat</em>.</p><p>Some clients (especially older ones) cannot use the WINS protocol. To
+support these clients, <em class="emphasis">nmbd</em> can act as a WINS
+proxy, accepting broadcast requests from the non-WINS clients,
+contacting a WINS server on their behalf, and returning the WINS
+server's response to them.</p>
+<div class="sect1"><a name="appc-9-fm2xml"/>
+
+<h4 class="refsect1">Signals</h4>
+<p>Like <em class="emphasis">smbd</em>, the <em class="emphasis">nmbd</em> program
+responds to several Unix signals. Sending <em class="emphasis">nmbd</em> a
+SIGHUP signal causes it to dump the names it knows about to the
+<em class="filename">/usr/local/samba/var/locks/namelist.debug</em> file.
+To shut down an <em class="emphasis">nmbd</em> process and allow it to die
+gracefully, send it a SIGTERM (15) signal, rather than a SIGKILL (9).
+With Samba versions prior to 2.2, the debugging level could be raised
+or lowered using SIGUSR1 or SIGUSR2. This is no longer supported. Use
+<em class="emphasis">smbcontrol</em> instead.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-10-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">nmbd <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-11-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt></b></dt>
+<dd>
+<p>Causes each new connection to the Samba server to append all logging
+messages to the log file. This option is the opposite of
+<tt class="literal">-o</tt> and is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Specifying the value on the command line overrides the
+value specified in the <em class="filename">smb.conf</em> file. Debug
+level 0 logs only the most important messages; level 1 is normal;
+levels 3 and above are primarily for debugging and slow
+<em class="emphasis">nmbd</em> considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt></b></dt>
+<dd>
+<p>Instructs the <em class="emphasis">nmbd</em> program to run as a daemon.
+This is the recommended way to use <em class="emphasis">nmbd</em> and is
+the default when <em class="emphasis">nmbd</em> is run from an interactive
+shell. In addition, <em class="emphasis">nmbd</em> can be run from
+<em class="emphasis">inetd</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt> </b></dt>
+<dd>
+<p>Prints usage information for the <em class="emphasis">nmbd</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-H</tt> <em class="replaceable">lmhosts_  file</em></b></dt>
+<dd>
+<p>Specifies the location of the <em class="emphasis">lmhosts</em> file for
+name resolution. This file is used only to resolve names for the
+local server, and not to answer queries from remote systems. The
+compiled-in default is commonly
+<em class="filename">/usr/local/samba/lib/lmhosts</em>,
+<em class="filename">/usr/samba/lib/lmhosts</em>, or
+<em class="filename">/etc/lmhosts</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Runs <em class="emphasis">nmbd</em> interactively, rather than as a
+daemon. This option is used to override the default daemon mode when
+<em class="emphasis">nmbd</em> is run from the command line.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_ file</em></b></dt>
+<dd>
+<p>Sends the log messages to somewhere other than the location compiled
+into the executable or specified in the <em class="filename">smb.conf</em>
+file. The default is often
+<em class="filename">/usr/local/samba/var/log.nmbd</em>,
+<em class="emphasis">/usr/samba/var/log.nmbd</em>, or <em class="emphasis">/var/log
+/log.nmbd</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Allows you to override the NetBIOS name by which the daemon
+advertises itself. Specifying this option on the command line
+overrides the <tt class="literal">netbios name</tt> option in the Samba
+configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-O</tt> <em class="replaceable">socket_options</em></b></dt>
+<dd>
+<p>Sets the TCP/IP socket options, using the same parameters as the
+<tt class="literal">socket options</tt> configuration option. Often used
+for performance tuning and testing.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-o</tt></b></dt>
+<dd>
+<p>Causes log files to be overwritten when opened (the opposite of
+<tt class="literal">-a</tt>). This option saves you from hunting for the
+right log entries if you are performing a series of tests and
+inspecting the log file each time.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">port_number</em></b></dt>
+<dd>
+<p>Sets the UDP port number from which the server accepts requests.
+Currently, all Microsoft clients use only the default port, 137.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">configuration_ file</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file. Although the
+file defaults to <em class="filename">/usr/local/samba/lib/smb.conf</em>,
+you can override it here on the command line. Typically used for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Prints the current version of Samba.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-3"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>winbindd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">winbindd</em> daemon is part of the winbind
+service and is used to allow Unix systems to obtain user and group
+information from a Windows NT/2000 server. Winbind maps Windows
+relative IDs (RIDs) to Unix UIDs and GIDs and allows accounts stored
+on the Windows server to be used for Unix authentication. Its purpose
+is to ease integration of Microsoft and Unix networks when a
+preexisting Windows domain controller is set up to handle user and
+computer accounts.</p><p>The daemon is accessed by users via the name service switch and PAM.
+The name service switch calls a library
+(<em class="filename">/lib/libnss_winbind.so</em>), which calls the
+daemon, which in turn calls the Windows NT/2000 server using
+Microsoft RPC. The PAM module for winbind can call the daemon
+similarly, allowing users whose accounts are stored on the Windows
+server to log in to the Unix system and run an interactive shell,
+FTP, or any other program that authenticates users through PAM.</p><p>The winbind subsystem is currently available only for the Linux
+operating system and a few other systems that use shared libraries,
+nsswitch and PAM.</p>
+<div class="sect1"><a name="appc-13-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">winbindd <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-14-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debuglevel</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Specifying the value on the command line overrides the
+value specified in the <em class="filename">smb.conf</em> file. Debug
+level 0 logs only the most important messages; level 1 is normal;
+levels 3 and above are primarily for debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Runs <em class="emphasis">winbindd</em> interactively. This option is used
+to override the default, which is for winbindd to detach and run as a
+daemon.</p>
+</dd>
+
+</dl>
+
+</div>
+</div>
+
+
+
+
+
+<div class="sect1"><a name="samba2-APP-C-SECT-2"/>
+
+<h2 class="head1">Samba Distribution Programs</h2>
+
+<p>This section lists the command-line options and subcommands provided
+by each nondaemon program in the Samba distribution.</p>
+
+</div>
+
+
+
+<a name="INDEX-4"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>findsmb</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This Perl script reports information about systems on the subnet that
+respond to SMB name-query requests. The report includes the IP
+address, NetBIOS name, workgroup/domain, and operating system of each
+system.</p>
+<div class="sect1"><a name="appc-17-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">findsmb <em class="replaceable">[subnet_broadcast_address]</em></pre></blockquote>
+<p>If a different subnet's broadcast address is
+provided, it will find SMB servers on that subnet. If no subnet
+broadcast address is supplied, <em class="emphasis">findsmb</em> will look
+on the local subnet.</p>
+
+<p>The output from <em class="emphasis">findsmb</em> looks like this:</p>
+<blockquote><pre class="code">$ <tt class="userinput"><b>findsmb</b></tt>
+                                *=DMB
+                                +=LMB
+IP ADDR         NETBIOS NAME     WORKGROUP/OS/VERSION
+---------------------------------------------------------------------
+172.16.1.1      TOLTEC         *[METRAN] [Unix] [Samba 2.2.6]
+172.16.1.3      MIXTEC         +[METRAN] [Unix] [Samba 2.2.6]
+172.16.1.4      ZAPOTEC         [METRAN] [Windows 5.0] [Windows 2000 LAN Manager]
+172.16.1.5      HUASTEC         [       METRAN        ]
+172.16.1.6      MAYA            [       METRAN        ]
+172.16.1.7      OLMEC           [METRAN] [Windows 5.1] [Windows 2000 LAN Manager]
+172.16.1.10     UTE             [       METRAN        ]
+172.16.1.13     DINE            [METRAN] [Windows NT 4.0] [NT LAN Manager 4.0]</pre></blockquote>
+<p>The system with an asterisk (<tt class="literal">*</tt>) in front of its
+workgroup name is the domain master browser for the workgroup/domain,
+and the system with a plus sign (+) preceding its workgroup name is
+the local master browser.</p>
+
+<p>The <em class="emphasis">findsmb</em> command was introduced during the
+development of Samba 2.2 and is installed by default in Samba
+Versions 2.2.5 and later.</p>
+
+</div>
+</div>
+
+<a name="INDEX-5"/><a name="INDEX-6"/><a name="INDEX-7"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>make_smbcodepage</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program is part of the
+<a name="INDEX-6"/>internationalization features of
+Samba 2.2 and is obsolete in Samba 3.0, which supports
+<a name="INDEX-7"/>Unicode
+automatically. The <em class="emphasis">make_smbcodepage</em> program
+compiles a binary codepage file from a text-format codepage
+definition. It can also perform the reverse operation, decompiling a
+binary codepage file into a text version. Examples of text-format
+codepage files can be found in the Samba distribution in the
+<em class="filename">source/codepages</em> directory. After Samba has been
+installed, examples of binary codepages can be found in the directory
+<em class="filename">/usr/local/samba/lib/codepages</em>.</p>
+<div class="sect1"><a name="appc-19-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">make_smbcodepage <em class="replaceable">c|d codepage_number input_file output_file</em></pre></blockquote>
+<p>For the first argument, use <tt class="literal">c</tt> to compile a
+codepage and <tt class="literal">d</tt> to decompile a codepage file. The
+<em class="replaceable">codepage_number</em> argument is the number of
+the codepage being processed (e.g., 850). The
+<em class="replaceable">input_file</em> and
+<em class="replaceable">output_file</em> are the text- and
+binary-format codepages, with the types dependent on the operation
+(compiling or decompiling) that is being performed.</p>
+
+</div>
+</div>
+
+<a name="INDEX-8"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>make_unicodemap</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program is part of the internationalization features of Samba
+2.2 and is obsolete in Samba 3.0, which supports Unicode
+automatically. The <em class="emphasis">make_unicodemap</em> command
+compiles binary Unicode maps from text files, so Samba can display
+non-ASCII characters in file and directory names via the Unicode
+international alphabets. Examples of input mapping files can be found
+in the directory <em class="filename">source/codepages</em> in the Samba
+source distribution.</p>
+<div class="sect1"><a name="appc-21-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">make_unicodemap <em class="replaceable">codepage_number inputfile outputfile</em></pre></blockquote>
+<p>The input file is an ASCII map; the output file is a binary file
+loadable by Samba. The codepage is the number of the DOS codepage
+(e.g., 850) for the map.</p>
+
+</div>
+</div>
+
+<a name="INDEX-9"/><a name="INDEX-10"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>net</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">net</em> command, new to Samba 3.0, is a program
+with a syntax similar to the MS-DOS/Windows command of the same name.
+It is used for performing various administrative functions related to
+Windows networking, which can be executed either locally or on a
+remote system.</p>
+<div class="sect1"><a name="appc-23-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">net <em class="replaceable">[method] function [misc_options] [target_options]</em></pre></blockquote>
+<p>The <em class="replaceable">function</em> argument is made up of one or
+more space-separated words. In Windows terminology, it is sometimes
+referred to as a function with options. Here we list every function
+in its complete form, including multiple words.</p>
+
+<p>By default, the action is performed on the local system. The
+<em class="replaceable">target_options</em> argument can be used to
+specify a remote system (either by hostname or IP address), a domain,
+or a workgroup.</p>
+
+<p>Depending on the function, the <em class="replaceable">method</em>
+argument can be optional, required, or disallowed. It specifies one
+of three methods for performing the operation specified by the rest
+of the command. It can be <tt class="literal">ads</tt> (Active Directory),
+<tt class="literal">rpc</tt> (Microsoft's DCE/RPC), or
+<tt class="literal">rap</tt> (Microsoft's original SMB
+remote procedure call). To determine which methods (if any) can be
+used with a function, the <tt class="literal">net help ads</tt>,
+<tt class="literal">net help rap</tt>, and <tt class="literal">net help rpc</tt>
+commands can be used to list the functions for each method.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-24-fm2xml"/>
+
+<h4 class="refsect1">Miscellaneous options</h4>
+
+<dl>
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">level</em></b></dt>
+<dt><b><tt class="literal">--debug=l</tt><em class="replaceable">evel</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt></b></dt>
+<dt><b><tt class="literal">--long</tt></b></dt>
+<dd>
+<p><tt class="literal">S</tt>pecifies the long listing mode. This is provided
+for functions that print informational listings.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">name</em></b></dt>
+<dt><b><tt class="literal">--myname</tt><em class="emphasis">=</em><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Specifies the NetBIOS name for the client.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">port</em></b></dt>
+<dt><b><tt class="literal">--port</tt><em class="emphasis">=</em><em class="replaceable">port</em></b></dt>
+<dd>
+<p>Specifies the port number to use.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dt><b><tt class="literal">--conf</tt><em class="emphasis">=</em><em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the name of the Samba configuration file, overriding the
+compiled-in default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
+<dt><b><tt class="literal">--user</tt><em class="emphasis">=</em><em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
+<dd>
+<p>Specifies the username and, optionally, the password to use for
+functions that require authentication.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-W</tt> <em class="replaceable">name</em></b></dt>
+<dt><b><tt class="literal">--myworkgroup</tt>=<em class="replaceable">name</em></b></dt>
+<dd>
+<p>Specifies the name of the client's workgroup,
+overriding the definition of the <tt class="literal">workgroup</tt>
+parameter in the Samba configuration file.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-25-fm2xml"/>
+
+<h4 class="refsect1">Target options</h4>
+
+<dl>
+<dt><b><tt class="literal">-S</tt> <em class="replaceable">hostname</em></b></dt>
+<dd>
+<p>Specifies the remote system using a hostname or NetBIOS name.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-I</tt> <em class="replaceable">ip_address</em></b></dt>
+<dd>
+<p>Specifies the remote system using its IP address.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-w</tt> <em class="replaceable">workgroup</em></b></dt>
+<dd>
+<p>Specifies the name of the target domain or workgroup.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-26-fm2xml"/>
+
+<h4 class="refsect1">Functions</h4>
+
+<dl>
+<dt><b><tt class="literal">abortshutdown</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc</tt> <tt class="literal">abortshutdown</tt>
+function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads</tt> <tt class="literal">info</tt></b></dt>
+<dd>
+<p>Prints information about the Active Directory server. The method
+(<tt class="literal">ads</tt>) must be specified to differentiate this
+function from the <tt class="literal">rpc info</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads</tt> <tt class="literal">join</tt> <em class="replaceable">OU</em></b></dt>
+<dd>
+<p>Joins the local system to the Active Directory realm (organizational
+unit) specified by OU. The method (<tt class="literal">ads</tt>) must be
+specified to differentiate this function from the <tt class="literal">rpc
+join</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads</tt> <tt class="literal">leave</tt></b></dt>
+<dd>
+<p>Removes the local system from the Active Directory realm.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads password</tt> <em class="replaceable">username</em><tt class="literal">@</tt><em class="replaceable">REALM</em> <tt class="literal">-U</tt><em class="replaceable">admin_username</em><tt class="literal">@</tt><em class="replaceable">REALM</em><tt class="literal">%admin_</tt><em class="replaceable">password</em></b></dt>
+<dd>
+<p>Changes the Active Directory password for the user specified by
+<em class="replaceable">username</em><tt class="literal">@</tt><em class="replaceable">REALM</em>.
+The administrative account authentication information is specified
+with the <tt class="literal">-U</tt> option. The Active Directory realm
+must be supplied in all uppercase.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads printer info</tt> <em class="replaceable">[printer] [server]</em></b></dt>
+<dd>
+<p>Prints information on the specified printer on the specified server.
+The <em class="replaceable">printer</em> argument defaults to an
+asterisk (<tt class="literal">*</tt>), meaning all printers, and the
+<em class="replaceable">server</em> argument defaults to
+<tt class="literal">localhost</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads printer publish</tt> <em class="replaceable">printer_name</em></b></dt>
+<dd>
+<p>Publishes the specified printer in Active Directory.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads printer remove</tt> <em class="replaceable">printer_name</em></b></dt>
+<dd>
+<p>Removes the specified printer from Active Directory.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads search</tt> <em class="replaceable">expr attrib</em></b></dt>
+<dd>
+<p>Performs a raw Active Directory search, using the standard LDAP
+search expression and attributes specified by the
+<em class="replaceable">expr</em> and <em class="replaceable">attrib</em>
+arguments, respectively.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ads status</tt></b></dt>
+<dd>
+<p>Prints details about the Active Directory computer account of the
+system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">change localhost pass</tt></b></dt>
+<dd>
+<p>Changes the Active Directory password for the local
+system's computer trust account.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">domain</tt></b></dt>
+<dd>
+<p>Lists the domains or workgroups on the network.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">file</tt></b></dt>
+<dd>
+<p>Lists open files on the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">file close</tt> <em class="replaceable">file_id</em></b></dt>
+<dd>
+<p>Closes the specified file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">file info</tt> <em class="replaceable">file_id</em></b></dt>
+<dd>
+<p>Prints information about the specified file, which must be open.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">file user</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Lists all files opened on the server by the user specified by
+<em class="replaceable">username</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">group add</tt> <em class="replaceable">group_name</em></b></dt>
+<dd>
+<p>Adds the specified group. This function accepts the miscellaneous
+option <tt class="literal">-C</tt> <em class="replaceable">comment</em>
+(which can also be specified as <tt class="literal">-
+-comment=</tt><em class="replaceable">string</em>) to set the
+descriptive comment for the group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">group delete</tt> <em class="replaceable">group_name</em></b></dt>
+<dd>
+<p>Deletes the specified group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">groupmember add</tt> <em class="replaceable">group_name username</em></b></dt>
+<dd>
+<p>Adds the user specified by <em class="replaceable">username</em> to the
+group specified by <em class="replaceable">group_name</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">groupmember delete</tt> <em class="replaceable">group_name username</em></b></dt>
+<dd>
+<p>Deletes the user specified by <em class="replaceable">username</em>
+from the group specified by <em class="replaceable">group_name</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">groupmember list</tt> <em class="replaceable">group_name</em></b></dt>
+<dd>
+<p>Lists the users who are members of the specified group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt></b></dt>
+<dd>
+<p>Prints a help message for the <em class="emphasis">net</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt> <em class="replaceable">method</em></b></dt>
+<dd>
+<p>Prints a help message for <em class="replaceable">method</em>, which
+can be <tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
+<tt class="literal">rpc</tt>. This lists the functions that can use the
+method, along with a brief description.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt> <em class="replaceable">function</em></b></dt>
+<dd>
+<p>Prints a help message for the specified function, which can be more
+than one word.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">info</tt></b></dt>
+<dd>
+<p>Must be preceded by a method. See the <tt class="literal">ads</tt>
+<tt class="literal">info</tt> and <tt class="literal">rpc</tt>
+<tt class="literal">info</tt> functions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">join</tt></b></dt>
+<dd>
+<p>Joins the computer to a Windows NT domain or Active Directory realm.
+If the method argument is not specified, a check is made to determine
+if Active Directory is in use, and if so, <tt class="literal">ads join</tt>
+is performed. Otherwise, <tt class="literal">rpc join</tt> is run. See also
+the <tt class="literal">ads join</tt> and <tt class="literal">rpc join</tt>
+functions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">leave</tt></b></dt>
+<dd>
+<p>Must be preceded by a method. See the <tt class="literal">ads</tt>
+<tt class="literal">leave</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup dc</tt> <em class="replaceable">[domain]</em></b></dt>
+<dd>
+<p>Prints the IP address of the specified domain's
+domain controllers. The domain defaults to the value of the
+<tt class="literal">workgroup</tt> parameter in the Samba configuration
+file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup host</tt> <em class="replaceable">hostname [type]</em></b></dt>
+<dd>
+<p>Prints the IP address of the specified host.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup kdc</tt> <em class="replaceable">[realm]</em></b></dt>
+<dd>
+<p>Prints the IP address of the specified realm's
+Kerberos domain controller. If <em class="replaceable">realm</em> is
+not specified, it defaults to the value of the
+<tt class="literal">realm</tt> parameter in the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup ldap</tt> <em class="replaceable">[domain]</em></b></dt>
+<dd>
+<p>Prints the IP address of the specified domain's LDAP
+server. If <em class="replaceable">domain</em> is not specified, it
+defaults to the value of the <tt class="literal">workgroup</tt> parameter
+in the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookup master</tt> <em class="replaceable">[domain]</em></b></dt>
+<dd>
+<p>Prints the IP address of the master browser of the specified domain
+or workgroup. If <em class="replaceable">domain</em> is not specified,
+it defaults to the value of the <tt class="literal">workgroup</tt>
+parameter in the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">password</tt> <em class="replaceable">username old_password new_password</em></b></dt>
+<dd>
+<p>Changes the password for the user specified by the
+<em class="replaceable">username</em> argument. The
+user's old and new passwords are provided in plain
+text as part of the command. Be careful regarding security issues.
+See also the <tt class="literal">ads password</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printer info</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads printer info</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printer publish</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads printer publish</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printer remove</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads printer remove</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printq</tt></b></dt>
+<dd>
+<p>Prints information (including the job IDs) about printer queues on
+the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printq delete</tt> <em class="replaceable">queue_name</em></b></dt>
+<dd>
+<p>Deletes the specified printer queue. The
+<tt class="literal">-j</tt>
+<em class="replaceable">job_id</em> (which can also be
+specified as
+<tt class="literal">--jobid</tt><em class="emphasis">=</em><em class="replaceable">job_id</em>
+) option may be used to specify the job ID of the queue.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc abortshutdown</tt></b></dt>
+<dd>
+<p>Aborts the shutdown of a remote server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc info</tt></b></dt>
+<dd>
+<p>Prints information about the server's domain. The
+method (<tt class="literal">rpc</tt>) must be specified to differentiate
+this function from the <tt class="literal">ads</tt> <tt class="literal">info</tt>
+function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc join</tt> </b></dt>
+<dd>
+<p>Joins a computer to a Windows NT domain. If the <tt class="literal">-U</tt>
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>
+option is included, the specified username and password will be used
+as the administrative account required for authenticating with the
+PDC. If the <tt class="literal">-U</tt> option is not included, this
+function can be used only to join the computer to the domain after
+the computer account has been created using the Server Manager. The
+method (<tt class="literal">rpc</tt>) must be specified to differentiate
+this function from the <tt class="literal">ads</tt> <tt class="literal">join</tt>
+function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc shutdown</tt></b></dt>
+<dd>
+<p>Shuts down a server. This function accepts the <tt class="literal">-r</tt>,
+<tt class="literal">-f</tt>, <tt class="literal">-t</tt>, and
+<tt class="literal">-c</tt> miscellaneous options. The
+<tt class="literal">-r</tt> option (which can also be specified as
+<tt class="literal">--reboot</tt>) requests that the system reboot after
+shutting down. The <tt class="literal">-f</tt> option (which can also be
+specified as <tt class="literal">--force</tt>) forces a shutdown. The
+<tt class="literal">-t</tt> <em class="replaceable">timeout</em> option
+(which can also be specified as <tt class="literal">-
+-timeout=</tt><em class="replaceable">number</em>) specifies the
+number of seconds to wait before shutting down, and the
+<tt class="literal">-c</tt> <em class="replaceable">comment</em> option
+(which can also be specified as <tt class="literal">-
+-comment=</tt><em class="replaceable">string</em>) can be used to
+specify a message to the client user. On Windows, the comment appears
+in the Message area in the System Shutdown dialog box.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc trustdom add</tt> <em class="replaceable">domain_name</em></b></dt>
+<dd>
+<p>Adds an account for the trust relationship with the specified Windows
+NT domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc trustdom establish</tt> <em class="replaceable">domain_name</em></b></dt>
+<dd>
+<p>Establishes a trust relationship with the specified Windows NT domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rpc trustdom revoke</tt> <em class="replaceable">domain_name</em></b></dt>
+<dd>
+<p>Revokes the trust relationship with the specified Windows NT domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">search</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads search</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">server</tt></b></dt>
+<dd>
+<p>Lists servers in the domain or workgroup, which defaults to the value
+of the <tt class="literal">workgroup</tt> parameter in the Samba
+configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">session</tt></b></dt>
+<dd>
+<p>Lists clients with open sessions to the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">session delete NetBIOS_</tt><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Closes the session to the server from the specified client. A synonym
+is <tt class="literal">session</tt> <tt class="literal">close</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">session close</tt></b></dt>
+<dd>
+<p>A synonym for <tt class="literal">session delete</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">share</tt></b></dt>
+<dd>
+<p>Lists the shares offered by the server. When a Windows 95/98/Me
+server is the target system, it might be necessary to specify the
+method as <tt class="literal">rap</tt> for this to work properly.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">share add</tt> <em class="replaceable">share_name</em><tt class="literal">=</tt><em class="replaceable">server_path</em></b></dt>
+<dd>
+<p>Adds a share on the target server. The name of the share and the
+folder to be shared are specified by the
+<em class="replaceable">share_name</em><tt class="literal">=</tt><em class="replaceable">server_path</em>
+argument, with <em class="replaceable">server_path</em> the Windows
+directory name, with spaces and other special characters (if any)
+quoted and with the backslashes escaped (e.g.,
+&quot;<tt class="literal">data=C:\\Documents</tt> <tt class="literal">and</tt>
+<tt class="literal">Settings\\jay\\Desktop\\data</tt>&quot;). The
+<tt class="literal">-C</tt> <em class="replaceable">comment</em> option
+(which can also be specified as <tt class="literal">-
+-comment=</tt><em class="replaceable">string</em>) can be used to
+define a description for the share. The <tt class="literal">-M</tt>
+<em class="replaceable">number</em> option (which can also be specified
+as <tt class="literal">--maxusers=</tt><em class="replaceable">number</em>)
+can be used to set the maximum number of users that can connect to
+the share. The method (<tt class="literal">rap</tt> or
+<tt class="literal">rpc</tt>) might need to be specified for this function
+to work. The regular folder icon cannot change into a
+&quot;shared folder&quot; icon in Windows
+Explorer until the display is refreshed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">share delete</tt> <em class="replaceable">share_name</em></b></dt>
+<dd>
+<p>Deletes a share from the target server. The
+<em class="replaceable">share_name</em> argument is simply the name of
+the share on the target server, not a UNC. The method
+(<tt class="literal">rap</tt> or <tt class="literal">rpc</tt>) might need to be
+specified for this function to work. The &quot;shared
+folder&quot; icon in Windows Explorer cannot change back
+to the regular folder icon until the display is refreshed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">shutdown</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc shutdown</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">status</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">ads status</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">time</tt></b></dt>
+<dd>
+<p>Displays the system time&mdash;in Unix <em class="emphasis">date</em>
+command format&mdash;on the target system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">time set</tt></b></dt>
+<dd>
+<p>Sets the local system's hardware clock using the
+time obtained from the operating system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">time system</tt></b></dt>
+<dd>
+<p>Sets the time on the local system using the time obtained from the
+remote system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">time zone</tt></b></dt>
+<dd>
+<p>Prints the time zone (in hours from GMT) in use on the system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">trustdom add</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc trustdom add</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">trustdom establish</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc trustdom establish</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">trustdom revoke</tt></b></dt>
+<dd>
+<p>See the <tt class="literal">rpc trustdom revoke</tt> function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">user</tt></b></dt>
+<dd>
+<p>Lists user accounts. The method can be specified as
+<tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
+<tt class="literal">rpc</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">user add</tt> <em class="replaceable">username [password]</em></b></dt>
+<dd>
+<p>Adds a user account for the user specified by
+<em class="replaceable">username</em>. The <tt class="literal">-c</tt>
+<em class="replaceable">comment</em> option (which can also be
+specified as <tt class="literal">-
+-comment=</tt><em class="replaceable">string</em>) can be used to
+set a comment for the account. The <tt class="literal">-F</tt>
+<em class="replaceable">user_flags</em> option can be used to set flags
+(specified in numeric format) for the account. The method can be
+specified as <tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
+<tt class="literal">rpc</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">user delete</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Deletes the specified user's account. The method can
+be specified as <tt class="literal">ads</tt>, <tt class="literal">rap</tt>, or
+<tt class="literal">rpc</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">user info</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Lists the domain groups to which the specified user belongs. The
+method can be specified as <tt class="literal">ads</tt>,
+<tt class="literal">rap</tt>, or <tt class="literal">rpc</tt>. <a name="INDEX-10"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-11"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>nmblookup</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">nmblookup</em> program is a client program that
+allows command-line access to NetBIOS name service for resolving
+NetBIOS computer names into IP addresses. The program works by
+broadcasting its queries on the local subnet until a machine with the
+specified name responds. You can think of it as a Windows analog of
+<em class="emphasis">nslookup</em> or <em class="emphasis">dig</em>. This is
+useful for looking up regular computer names, as well as
+special-purpose names, such as _ _MSBROWSE_ _ . If you wish to query
+for a particular type of NetBIOS name, add the NetBIOS type to the
+end of the name, using the format
+<em class="replaceable">netbios_name</em><tt class="literal">#&lt;</tt><em class="replaceable">dd</em><tt class="literal">&gt;</tt>.</p>
+<div class="sect1"><a name="appc-28-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">nmblookup <em class="replaceable">[options] netbios_name</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-29-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-A</tt></b></dt>
+<dd>
+<p>Interprets <em class="replaceable">netbios_name</em> as an IP address
+and does a node status query on it.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-B</tt> <em class="replaceable">broadcast_address</em></b></dt>
+<dd>
+<p>Sends the query to the given broadcast address. The default is to
+send the query to the broadcast address of the primary network
+interface.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Debug level 0 logs only the most important messages.
+Level 1 is normal; levels 3 and above are primarily used by
+developers for debugging the <em class="emphasis">nmblookup</em> program
+itself and slow the program considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-f</tt></b></dt>
+<dd>
+<p>Prints the flags in the packet headers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints command-line usage information for the program.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt> <em class="replaceable">scope</em></b></dt>
+<dd>
+<p>Sets a NetBIOS scope identifier. NetBIOS scope is a rarely used
+precursor to workgroups.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-M</tt></b></dt>
+<dd>
+<p>Searches for a local master browser by looking up
+<em class="replaceable">netbios_name</em><tt class="literal">&lt;1d&gt;</tt>.
+If <em class="replaceable">netbios_name</em> is specified as a dash
+(<tt class="literal">-</tt>), a lookup is done on the special name _
+_MSBROWSE_ _ .</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-R</tt></b></dt>
+<dd>
+<p>Sets the &quot;recursion desired&quot; bit in
+the packet. This causes the system that responds to try a WINS lookup
+and return the address and any other information the WINS server has
+saved.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-r</tt></b></dt>
+<dd>
+<p>Uses the <tt class="literal">root</tt> port of 137. This option exists as a
+bug workaround for Windows 95. This option might require the user to
+be superuser.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt></b></dt>
+<dd>
+<p>Performs a node status query once the name query has returned an IP
+address. This returns all the resource types that the system knows
+about, including their numeric attributes. For example:</p>
+
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S toltec</b></tt>
+querying toltec on 172.16.1.255
+172.16.1.1 toltec&lt;00&gt;
+Looking up status of 172.16.1.1
+    TOLTEC          &lt;00&gt; -         M &lt;ACTIVE&gt;
+    TOLTEC          &lt;03&gt; -         M &lt;ACTIVE&gt;
+    TOLTEC          &lt;20&gt; -         M &lt;ACTIVE&gt;
+    ..__MSBROWSE__. &lt;01&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
+    METRAN          &lt;00&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
+    METRAN          &lt;1b&gt; -         M &lt;ACTIVE&gt;
+    METRAN          &lt;1c&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;
+    METRAN          &lt;1d&gt; -         M &lt;ACTIVE&gt;
+    METRAN          &lt;1e&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;</pre></blockquote>
+</dd>
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">configuration_ file</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file. Although the
+file defaults to <em class="filename">/usr/local/samba/lib/smb.conf</em>,
+you can override it here on the command line. Normally used for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-T</tt></b></dt>
+<dd>
+<p>Translates IP addresses into resolved names.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">unicast_address</em></b></dt>
+<dd>
+<p>Performs a unicast query to the specified address. Used with
+<tt class="literal">-R</tt> to query WINS servers.</p>
+</dd>
+
+</dl>
+
+
+<p>Note that <em class="emphasis">nmblookup</em> has no option for setting
+the workgroup. You can get around this by putting
+<tt class="literal">workgroup</tt> <tt class="literal">=</tt>
+<em class="replaceable">workgroup_name</em> in a file and passing it to
+<em class="emphasis">nmblookup</em> with the
+<tt class="literal">-s</tt> option.</p>
+
+</div>
+</div>
+
+<a name="INDEX-12"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>pdbedit</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program, new to Samba 3.0, can be used to manage accounts that
+are held in a SAM database. The implementation of the database can be
+any of the types supported by Samba, including the
+<em class="filename">smbpasswd</em> file, LDAP, NIS+ and the
+<em class="filename">tdb</em> database library. The user must be the
+superuser to use this tool.</p>
+<div class="sect1"><a name="appc-31-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">pdbedit <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-32-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt></b></dt>
+<dd>
+<p>Adds the user specified by the <tt class="literal">-u</tt> option to the
+SAM database. The command issues a prompt for the
+user's password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">drive_letter</em></b></dt>
+<dd>
+<p>Sets the Windows drive letter to which to map the
+user's home directory. The drive letter should be
+specified as a letter followed by a colon&mdash;e.g.,
+<tt class="literal">H</tt>:.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Debug level 0 logs only the most important messages.
+Level 1 is normal, and levels 3 and above are primarily for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-e</tt> <em class="replaceable">pwdb_backend</em></b></dt>
+<dd>
+<p>Exports the user account database to another format, written to the
+specified location. Used for migrating from one type of account
+database to another. The <em class="replaceable">pwdb_backend</em>
+argument is specified in the format of a database type, followed by a
+colon, then the location of the database. For example, to export the
+existing account database to an <em class="filename">smbpasswd</em>
+database in the file
+<em class="filename">/usr/local/samba/private/smbpw</em>,
+<em class="replaceable">pwdb_backend</em> would be specified as
+<tt class="literal">smbpasswd:/usr/local/samba/private/smbpw</tt>. The
+allowable database types are <tt class="literal">smbpasswd</tt>,
+<tt class="literal">smbpasswd nua</tt>, <tt class="literal">tdbsam</tt>,
+<tt class="literal">tdbsam nua</tt>, <tt class="literal">ldapsam</tt>,
+<tt class="literal">ldapsam_nua</tt>, and <tt class="literal">plugin</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-f</tt> <em class="replaceable">full_name</em></b></dt>
+<dd>
+<p>Sets the full name of the user specified with the
+<tt class="literal">-u</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt> <em class="replaceable">unc</em></b></dt>
+<dd>
+<p>Sets the home directory path (as a UNC) for the user specified with
+the <tt class="literal">-u</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt> <em class="replaceable">pwdb_backend</em></b></dt>
+<dd>
+<p>Specifies a password database backend from which to retrieve account
+information, overriding the one specified by the <tt class="literal">passdb
+backend</tt> parameter in the Samba configuration file. This,
+along with the <tt class="literal">-e</tt> option, is useful for migrating
+user accounts from one type of account database to another. See the
+<tt class="literal">-e</tt> option regarding how to specify the
+<em class="replaceable">pwdb_backend</em> argument.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt></b></dt>
+<dd>
+<p>Lists the user accounts in the database. See also the
+<tt class="literal">-v</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-m</tt></b></dt>
+<dd>
+<p>Indicates that the account is a computer account rather than a user
+account. Used only with the <tt class="literal">-a</tt> option when
+creating the account. In this case, the <tt class="literal">-u</tt> option
+specifies the computer name rather than a username.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">unc</em></b></dt>
+<dd>
+<p>Sets the directory in which the user's profile is
+kept. The directory is specified as a UNC.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">unc</em></b></dt>
+<dd>
+<p>Specifies the UNC of the user's logon script.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Specifies the username of the account to add (with the
+<tt class="literal">-a</tt> option), delete (with the <tt class="literal">-x</tt>
+option), or modify.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Selects verbose mode when listing accounts with the
+<tt class="literal">-l</tt> option. The account fields will be printed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-w</tt></b></dt>
+<dd>
+<p>Selects the <tt class="literal">smbpasswd</tt> listing mode, for use with
+the <tt class="literal">-l</tt> option, which prints information in the
+same format as it would appear in an <em class="filename">smbpasswd</em>
+file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-x</tt></b></dt>
+<dd>
+<p>Deletes the user (specified with the <tt class="literal">-u</tt> option)
+from the account database.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-13"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>rpcclient</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This is a program for issuing administrative commands that are
+implemented using Microsoft RPCs. It provides access to the RPCs that
+Windows administrative GUIs use for system management. The
+<em class="emphasis">rpcclient</em> command is mainly for use by advanced
+users who understand the RPCs. More information on these can be found
+in Microsoft's Platform Software Development Kit
+(SDK), available for download from the Microsoft web site at
+<a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p><p>You can run a single <em class="emphasis">rpcclient</em> command by using
+the <tt class="literal">-c command string</tt> option, or interactively
+with <em class="emphasis">rpcclient</em> prompting for commands.</p>
+<div class="sect1"><a name="appc-34-fm2xml"/>
+
+<h4 class="refsect1">Command Synopsis</h4>
+
+<p>rpcclient <em class="replaceable">server [options]</em></p>
+
+
+</div>
+
+<div class="sect1"><a name="appc-35-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-A</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies a file from which to read the authentication values used in
+the connection. The format of the file is as follows:</p>
+
+<blockquote><pre class="code">username = <em class="replaceable">value</em>
+password = <em class="replaceable">value</em>
+domain   = <em class="replaceable">value</em></pre></blockquote>
+
+<p>This option is used to avoid password prompts or to have the password
+appear in plain text inside scripts. The permissions on the file
+should be very restrictive (0600, for example) to prevent access from
+unwanted users.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-c</tt> <em class="replaceable">command_string</em></b></dt>
+<dd>
+<p>Executes a sequence of semicolon-separated commands. Commands are
+listed in the following section.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debuglevel</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0 to 10. Specifying the value on the command line overrides the
+value specified in the <em class="filename">smb.conf</em> file. Debug
+level 0 logs only the most important messages; level 1 is normal;
+levels 3 and above are primarily for debugging and slow the program
+considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints a summary of options.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">logbasename</em></b></dt>
+<dd>
+<p>Sets the filename for log/debug files. The extension
+<em class="filename">.client</em> is appended to the filename.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-N</tt></b></dt>
+<dd>
+<p>Does not prompt for a password. This is used when Samba is configured
+for share-mode security and a service with no password is being
+accessed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file, which by
+default is usually
+<em class="filename">/usr/local/samba/lib/smb.conf</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
+<dd>
+<p>Sets the SMB username or username and password to use. Be careful
+when specifying the password with
+<tt class="literal">%</tt><em class="replaceable">password</em>; this is a
+major security risk. If
+<tt class="literal">%</tt><em class="replaceable">password</em> is not
+specified, the user will be prompted for the password, which will not
+be echoed. Normally the user is set from the USER or LOGNAME
+environment variable. The <tt class="literal">-U</tt> option by itself
+means to use the guest account. See also <tt class="literal">-A</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-W</tt> <em class="replaceable">domain</em></b></dt>
+<dd>
+<p>Sets the domain, overriding the <tt class="literal">workgroup</tt>
+parameter in the Samba configuration file. If the domain is the
+server's NetBIOS name, it causes the client to log
+on using the server's local SAM database rather than
+the SAM of the domain.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-14"/><a name="INDEX-15"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>rpcclient commands</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>Aside from a few miscellaneous commands, the
+<em class="emphasis">rpclient</em> commands fall into three groups:
+LSARPC, SAMR, and SPOOLSS. The function names mentioned in some of
+the commands are those documented in the Microsoft Platform SDK.</p>
+<div class="sect1"><a name="appc-37-fm2xml"/>
+
+<h4 class="refsect1">General commands</h4>
+
+<dl>
+<dt><b><tt class="literal">debuglevel</tt> <em class="replaceable">level</em></b></dt>
+<dd>
+<p>Sets the debugging level to <em class="replaceable">level</em>. With no
+argument, the current debugging level is printed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt></b></dt>
+<dd>
+<p>Prints help on the commands.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">quit</tt></b></dt>
+<dd>
+<p>Exits <em class="emphasis">rpcclient</em>. A synonym is
+<tt class="literal">exit</tt>.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-38-fm2xml"/>
+
+<h4 class="refsect1">Local Security Authority Remote Procedure Calls (LSARPC) commands</h4>
+
+<dl>
+<dt><b><tt class="literal">enumprivs</tt></b></dt>
+<dd>
+<p>Lists the types of privileges known to this domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumtrust</tt></b></dt>
+<dd>
+<p>Lists the domains trusted by this domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">getdispname</tt> <em class="replaceable">priv_name</em></b></dt>
+<dd>
+<p>Prints information on the privilege named
+<em class="replaceable">priv_name</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookupsids</tt> <em class="replaceable">name</em></b></dt>
+<dd>
+<p>Finds a name that corresponds to a security identifier (SID).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lookupnames</tt> <em class="replaceable">sid</em></b></dt>
+<dd>
+<p>Finds the SID for one or more names.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lsaquery</tt></b></dt>
+<dd>
+<p>Queries the LSA object.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lsaenumsid</tt></b></dt>
+<dd>
+<p>Lists SIDs for the local LSA.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lsaquerysecobj</tt></b></dt>
+<dd>
+<p>Prints information on security objects for the LSA.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-39-fm2xml"/>
+
+<h4 class="refsect1">Security Access Manager RPC (SAMR) commands</h4>
+
+<dl>
+<dt><b><tt class="literal">createdomuser</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Adds a new user in the domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">deletedomuser</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Removes a user from the domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumalsgroups</tt> <em class="replaceable">type</em></b></dt>
+<dd>
+<p>Lists alias groups in the domain, along with their group RIDs. The
+<em class="replaceable">type</em> argument can be either
+<tt class="literal">builtin</tt>, to list Windows built-in groups such as
+<tt class="literal">Administrators</tt> and <tt class="literal">Power</tt>
+<tt class="literal">Users</tt>, or <tt class="literal">domain</tt>, to list
+groups in the domain. See also the
+<em class="emphasis">queryuseraliases</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumdomgroups</tt></b></dt>
+<dd>
+<p>Lists the groups in the domain, along with their group RIDs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queryaliasmem</tt> <em class="replaceable">user_rid</em></b></dt>
+<dd>
+<p>Prints information regarding alias membership. See also the
+<em class="emphasis">queryuseraliases</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">querydispinfo</tt></b></dt>
+<dd>
+<p>Prints out the account database. The information printed includes the
+RID, username, and full name of each user. The RID is printed in
+hexadecimal notation and can be used in this form for commands that
+take a RID as an argument.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">querydominfo</tt></b></dt>
+<dd>
+<p>Prints information regarding the domain. This includes the name of
+the domain, as well as the number of users, groups, and aliases.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">querygroup</tt> <em class="replaceable">group_rid</em></b></dt>
+<dd>
+<p>Given a group RID, prints the group name, description, number of
+members, and group description.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queryuser</tt> <em class="replaceable">user_rid</em></b></dt>
+<dd>
+<p>Given a user RID, prints the corresponding username, full name, and
+other information pertaining to the user.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queryuseraliases</tt> <em class="replaceable">type</em> <em class="replaceable">user_rid</em></b></dt>
+<dd>
+<p>Prints aliases for the user. The <em class="replaceable">type</em>
+argument can be either <tt class="literal">builtin</tt> or
+<tt class="literal">domain</tt>. Aliases are used with the Windows
+messaging service and act like usernames, but they can be attached to
+a computer rather than a user. This allows messages intended for a
+user to be sent to a computer on which the user is either not logged
+on, or logged on under another username.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queryusergroups</tt> <em class="replaceable">user_rid</em></b></dt>
+<dd>
+<p>Prints information on each group inhabited by the user.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">querygroupmem</tt> <em class="replaceable">group_rid</em></b></dt>
+<dd>
+<p>Prints the RID and attributes for each member of the group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">samlookupnames</tt> <em class="replaceable">type username</em></b></dt>
+<dd>
+<p>Looks up the <em class="replaceable">username</em> in the SAM database
+and prints its associated RID. The <em class="replaceable">type</em>
+argument can be either <tt class="literal">builtin</tt>, to look up
+built-in Windows usernames, or <tt class="literal">domain</tt>, to look up
+names in the domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">samlookuprids</tt> <em class="replaceable">type rid</em></b></dt>
+<dd>
+<p>Looks up <em class="replaceable">rid</em> in the SAM database and
+prints its associated group or username. The
+<em class="replaceable">type</em> argument can be either
+<tt class="literal">builtin</tt>, to look up built-in Windows usernames, or
+<tt class="literal">domain</tt>, to look up names in the domain. The RID
+argument can be given in either 0xDDD hexadecimal notation or
+decimal.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">samquerysecobj</tt></b></dt>
+<dd>
+<p>Prints information on security objects (such as ACLs) in the SAM
+database.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-40-fm2xml"/>
+
+<h4 class="refsect1">Windows NT/2000/XP Printing Services (SPOOLSS) commands</h4>
+
+<dl>
+<dt><b><tt class="literal">adddriver</tt> <em class="replaceable">arch config_file</em> </b></dt>
+<dd>
+<p>Adds a printer driver to the server. The driver files must already
+exist in the directory returned by <em class="emphasis">getdriverdir</em>.
+The <em class="replaceable">arch</em> argument can be one of
+<tt class="literal">Windows 4.0</tt> for Windows 95/98/Me, or
+<tt class="literal">Windows NT x86</tt>, <tt class="literal">Windows NT
+PowerPC</tt>, <tt class="literal">Windows Alpha_AXP</tt>, and
+<tt class="literal">Windows NT R4000</tt>. Others might be introduced in
+the future.</p>
+
+
+<p>The <em class="replaceable">config_file</em> should contain:</p>
+
+<blockquote><pre class="code">Long Printer Name:\
+Driver File Name:\
+Data File Name:\
+Config File Name:\
+Help File Name:\
+NULL:\
+Default Data Type:\</pre></blockquote>
+
+<p>followed by a comma-separated list of files. Any empty fields should
+contain the string <tt class="literal">NULL</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">addprinter</tt> <em class="replaceable">printername sharename drivername port</em> </b></dt>
+<dd>
+<p>Adds a printer on the remote server as
+<em class="replaceable">sharename</em>. The printer driver must already
+be installed on the server with <em class="emphasis">adddriver</em>, and
+the port must be a valid port name returned by
+<em class="emphasis">enumports</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">deldriver</tt> <em class="replaceable">drivername</em></b></dt>
+<dd>
+<p>Deletes a printer driver (for all architectures) from the
+server's list of printer drivers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumports</tt> <em class="replaceable">[level]</em></b></dt>
+<dd>
+<p>Prints information regarding the printer ports on the server. The
+<em class="replaceable">level</em> argument can be <tt class="literal">1</tt>
+or <tt class="literal">2</tt>. Level 1 is the default and prints out only
+the Port Name. Information level 2 is the Port Name, Monitor Name,
+Description, and Port Type.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumdrivers</tt> <em class="replaceable">[level]</em> </b></dt>
+<dd>
+<p>Lists all the printer drivers on the system. The
+<em class="replaceable">level</em> argument specifies the information
+level. Level 1 is the default and prints the Driver Name(s). Level 2
+prints the Version, Driver Name, Architecture, Driver Path, Data
+File, and Config File. Level 3 prints the contents of Level 2, plus
+the Help File, one or more Dependent Files, Monitor Name, and Default
+Data Type.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">enumprinters</tt> <em class="replaceable">[level]</em></b></dt>
+<dd>
+<p>Lists all installed printers, regardless of whether they are shared.
+The <em class="replaceable">level</em> argument specifies the
+information level. Level 1 is the default, and prints Flags, Name,
+Description, and Comment. Level 2 prints the Server Name, Printer
+Name, Share Name, Port Name, Driver Name, Comment, Location,
+Separator File, Print Processor, Data Type, Parameters, Attributes,
+Priority, Default Priority, Start Time, Until Time, Status, Current
+Jobs, Average PPM (pages per minute), and a Security Descriptor.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">getdriver</tt> <em class="replaceable">[level] printername</em></b></dt>
+<dd>
+<p>Prints the printer driver information for the given printer. The
+<em class="replaceable">level</em> argument specifies the information
+level.</p>
+
+
+<p>Level 1 is the default, and prints the Driver Name. Level 2 prints
+the Version, Driver Name, Architecture, Driver Path, Data File, and
+Config File. Level 3 prints the contents of level 2, plus the Help
+File, one or more Dependent Files, Monitor Name, and Default Data
+Type.</p>
+</dd>
+
+
+<dt><b><tt class="literal">getdriverdir</tt> <em class="replaceable">arch</em></b></dt>
+<dd>
+<p>Retrieves the share name and directory for storing printer driver
+files for a given architecture. Possible values for
+<em class="replaceable">arch</em> are &quot;<tt class="literal">Windows</tt>
+<tt class="literal">4.0</tt>&quot; for Windows 95/98/Me,
+&quot;<tt class="literal">Windows</tt> <tt class="literal">NT</tt>
+<tt class="literal">x86</tt>&quot; for Windows NT on Intel,
+&quot;<tt class="literal">Windows</tt> <tt class="literal">NT</tt>
+<tt class="literal">PowerPC</tt>&quot; for Windows NT on PowerPC,
+&quot;<tt class="literal">Windows</tt> <tt class="literal">Alpha</tt>
+<tt class="literal">AXP</tt>&quot; for Windows NT on Alpha, and
+&quot;<tt class="literal">Windows</tt> <tt class="literal">NT</tt>
+<tt class="literal">R4000</tt>&quot; for Windows NT on MIPS. Include the quote
+marks in the command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">getprinter</tt> <em class="replaceable">printername</em></b></dt>
+<dd>
+<p>Prints the current printer information. The
+<em class="replaceable">level</em> argument specifies the information
+level.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">openprinter</tt> <em class="replaceable">printername</em></b></dt>
+<dd>
+<p>Attempts to open and close a specified printer and reports whether it
+was successful.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">setdriver</tt> <em class="replaceable">printername drivername</em></b></dt>
+<dd>
+<p>Unconditionally updates the printer driver used by an installed
+printer. Both the printer and printer driver must already be
+correctly installed on the print server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">setprinter</tt> <em class="replaceable">printername comment</em></b></dt>
+<dd>
+<p>Assigns a comment string to a printer.<a name="INDEX-15"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-16"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbcacls</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program provides a way of modifying Windows NT ACLs on files and
+directories shared by the Samba server.</p>
+<div class="sect1"><a name="appc-42-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbcacls //<em class="replaceable">server</em>/<em class="replaceable">share filename</em> <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-43-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-A</tt> <em class="replaceable">acls</em></b></dt>
+<dd>
+<p>Adds one or more ACLs to the file or directory. Any ACLs already
+existing for the file or directory are unchanged.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-M</tt> <em class="replaceable">acls</em></b></dt>
+<dd>
+<p>Modifies the <em class="replaceable">mask</em> of the ACLs specified.
+Refer to the following section, &quot;Specifying
+ACLs,&quot; for details.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt> <em class="replaceable">acls</em></b></dt>
+<dd>
+<p>Deletes the specified ACLs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt> <em class="replaceable">acls</em></b></dt>
+<dd>
+<p>Sets the specified ACLs, deleting any ACLs previously set on the file
+or directory. The ACLs must contain at least a revision, type, owner,
+and group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Sets the username used to connect to the specified service. The user
+is prompted for a password unless the argument is specified as
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>.
+(Specifying the password on the command line is a security risk.) If
+<tt class="literal">-U</tt>
+<em class="replaceable">domain</em><tt class="literal">\\</tt><em class="replaceable">username</em>
+is specified, the specified domain or workgroup will be used in place
+of the one specified in the <em class="filename">smb.conf</em> file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-C</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Changes the owner of the file or directory. This is a shortcut for
+<tt class="literal">-M</tt>
+<tt class="literal">OWNER</tt>:<em class="replaceable">username</em>. The
+<em class="replaceable">username</em> argument can be given as a
+username or a SID in the form
+<tt class="literal">S-1-</tt><em class="replaceable">N-N-D-D-D-R</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-G</tt> <em class="replaceable">groupname</em></b></dt>
+<dd>
+<p>Changes the group of the file or directory. This is a shortcut for
+<tt class="literal">-M</tt>
+<tt class="literal">GROUP</tt>:<em class="replaceable">groupname</em>. The
+<em class="replaceable">groupname</em> argument can be given as a group
+name or a SID in the form
+<tt class="literal">S-1-</tt><em class="replaceable">N-N-D-D-D-R</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt></b></dt>
+<dd>
+<p>Causes all ACL information to be displayed in numeric format rather
+than in readable strings.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints a help message.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-44-fm2xml"/>
+
+<h4 class="refsect1">Specifying ACLs</h4>
+<p>In the previous options, the same format is always used when
+specifying ACLs. An ACL is made up of one or more Access Control
+Entries (ACEs), separated by either commas or escaped newlines. An
+ACE can be one of the following:</p>
+
+<blockquote class="simplelist">
+
+<p><tt class="literal">REVISION</tt>:<em class="replaceable">revision_number</em></p>
+
+
+
+
+<p><tt class="literal">OWNER</tt>:<em class="replaceable">username_or_SID</em></p>
+
+
+
+
+<p><tt class="literal">GROUP</tt>:<em class="replaceable">group_name_or_SID</em></p>
+
+
+
+
+<p><tt class="literal">ACL</tt>:<em class="replaceable">name_or_SID</em>:<em class="replaceable">type</em>/<em class="replaceable">flags</em>/<em class="replaceable">mask</em></p>
+
+</blockquote>
+
+
+<p>The <em class="replaceable">revision_number</em> should always be 1.
+The <tt class="literal">OWNER</tt> and <tt class="literal">GROUP</tt> entries can
+be used to set the owner and group for the file or directory. The
+names can be the textual ones or SIDs in the form
+<tt class="literal">S-1-</tt><em class="replaceable">N</em><tt class="literal">-</tt><em class="replaceable">N</em><tt class="literal">-</tt><em class="replaceable">D</em><tt class="literal">-</tt><em class="replaceable">D-D-R</em>.</p>
+
+<p>The <tt class="literal">ACL</tt> entry specifies what access rights to
+apply to the file or directory. The
+<em class="replaceable">name_or_SID</em> field specifies to which user
+or group the permissions apply and can be supplied either as a
+textual name or a SID. An ACE can be used to either allow or deny
+access. The <em class="replaceable">type</em> field is set to
+<tt class="literal">1</tt> to specify a permission to be allowed or
+<tt class="literal">0</tt> for specifying a permission to deny. The
+<em class="replaceable">mask</em> field is the name of the permission
+and is one of the following:</p>
+
+<dl>
+<dt><b><tt class="literal">R</tt></b></dt>
+<dd>
+<p>Read access.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">W</tt></b></dt>
+<dd>
+<p>Write access.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">X</tt></b></dt>
+<dd>
+<p>Execute permission.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">D</tt></b></dt>
+<dd>
+<p>Permission to delete.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">P</tt></b></dt>
+<dd>
+<p>Change permissions on the object.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">O</tt></b></dt>
+<dd>
+<p>Take ownership.</p>
+</dd>
+
+</dl>
+
+
+<p>The following combined permissions can also be specified:</p>
+
+<dl>
+<dt><b><tt class="literal">READ</tt></b></dt>
+<dd>
+<p>Equivalent to RX permissions</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">CHANGE</tt></b></dt>
+<dd>
+<p>Equivalent to RWXD permissions</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">FULL</tt></b></dt>
+<dd>
+<p>Equivalent to RWXDPO permissions</p>
+</dd>
+
+</dl>
+
+
+<p>The <em class="replaceable">flags</em> field is for specifying how
+objects in directories are to inherit their default permissions from
+their parent directory. For files, <em class="replaceable">flags</em>
+is normally set to <tt class="literal">0</tt>. For directories,
+<em class="replaceable">flags</em> is usually set to either
+<tt class="literal">9</tt> or <tt class="literal">2</tt>.</p>
+
+</div>
+</div>
+
+<a name="INDEX-17"/><a name="INDEX-18"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbclient</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbclient</em> program is the
+&quot;Swiss army knife&quot; of the Samba
+suite. Initially developed as a testing tool, it has become a command
+shell capable of acting as a general-purpose Unix client, with a
+command set very similar to that of <em class="emphasis">ftp</em>. It
+offers the following set of functions:</p><ul><li>
+<p>Interactive file transfer, similar to <em class="emphasis">ftp</em></p>
+</li>
+<li>
+<p>Interactive printing to shared SMB printers</p>
+</li>
+<li>
+<p>Interactive tar format archiving</p>
+</li>
+<li>
+<p>Sending messages on the SMB network</p>
+</li>
+<li>
+<p>Batch mode tar format archiving</p>
+</li>
+<li>
+<p>&quot;What services do you have?&quot;
+querying</p>
+</li>
+<li>
+<p>Debugging</p>
+</li></ul>
+<div class="sect1"><a name="appc-45-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/<em class="replaceable">share</em> <em class="replaceable">[ password] [options]</em></pre></blockquote>
+<p>It is possible to run <em class="emphasis">smbclient</em>
+noninteractively, for use in scripts, by specifying the
+<tt class="literal">-c</tt> option along with a list of commands to
+execute. Otherwise, <em class="emphasis">smbclient</em> runs in
+interactive mode, prompting for commands such as this:</p>
+
+<blockquote><pre class="code">smb:\&gt;</pre></blockquote>
+<p>The backslash in the prompt is replaced by the current directory
+within the share as you change your working directory with
+<em class="emphasis">smbclient</em>'s
+<em class="emphasis">cd</em> command.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-46-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-A</tt> <em class="replaceable">authfile</em></b></dt>
+<dd>
+<p>Specifies a file from which to read the username and password used
+for the connection. The format of the file is as follows:</p>
+
+
+<blockquote><pre class="code">username = <em class="replaceable">value</em>
+password = <em class="replaceable">value</em>
+domain   = <em class="replaceable">value</em></pre></blockquote>
+
+<p>This is to avoid having the password prompted for or have it appear
+in plain text in scripts. The permissions on the file should be very
+restrictive (0600, for example) to prevent access by unwanted users.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-b</tt> <em class="replaceable">buffer_size</em></b></dt>
+<dd>
+<p>Sets the size of the buffer used when transferring files. It defaults
+to 65520 bytes and can be changed as a tuning measure. Generally it
+should be quite large or set to match the size of the buffer on the
+remote system. It can be set smaller to work around Windows bugs:
+some Windows 98 systems work best with a buffer size of 1200.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-B</tt> <em class="replaceable">IP_addr</em></b></dt>
+<dd>
+<p>Sets the broadcast address.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-c</tt> <em class="replaceable">command_string</em> </b></dt>
+<dd>
+<p>Passes a command string to the <em class="emphasis">smbclient</em> command
+interpreter. The argument consists of a semicolon-separated list of
+commands to be executed.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-d</em> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (logging) level, from 0 to 10, with A for all.
+Overrides the value in <em class="filename">smb.conf</em>. Debug level 0
+logs only the most important messages; level 1 is normal; debug
+levels 3 and above are for debugging and slow
+<em class="emphasis">smbclient</em> considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt> <em class="replaceable">init_dir</em></b></dt>
+<dd>
+<p>Upon starting up, causes <em class="emphasis">smbclient</em> to change its
+working directory to <em class="replaceable">init_dir</em> on the
+remote host.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-E</tt></b></dt>
+<dd>
+<p>Sends output from commands to <em class="emphasis">stderr</em> instead of
+<em class="emphasis">stdout</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints the command-line help information (usage) for
+<em class="emphasis">smbclient</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-I</tt> <em class="replaceable">IP_address</em></b></dt>
+<dd>
+<p>Sets the IP address of the server to which the client connects.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt> <em class="replaceable">scope</em></b></dt>
+<dd>
+<p>Sets a NetBIOS scope identifier.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_ file</em></b></dt>
+<dd>
+<p>Sends the log messages to <em class="replaceable">log_file</em> rather
+than to the log file specified in the Samba configuration file or the
+compiled-in default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-L</tt> <em class="replaceable">server</em></b></dt>
+<dd>
+<p>Lists services (shares) offered by the server. This can be used as a
+quick way to test an SMB server to see if it is working. If there is
+a name-service problem, use the <tt class="literal">-I</tt> option to
+specify the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-M</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Allows you to send messages using the Windows messaging protocol.
+Once a connection is established, you can type your message, pressing
+Ctrl-D to end. The <tt class="literal">-U</tt> and <tt class="literal">-I</tt>
+options can be used to control the
+&quot;From&quot; and
+&quot;To&quot; parts of the message.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-N</tt></b></dt>
+<dd>
+<p>Suppresses the password prompt. Useful when using share mode security
+and accessing a service that has no password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Allows you to override the NetBIOS name by which
+<em class="emphasis">smbclient</em> will advertise itself.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-O</tt> <em class="replaceable">socket_options</em></b></dt>
+<dd>
+<p>Sets the TCP/IP socket options using the same parameters as the
+<tt class="literal">socket options</tt> configuration option. Often used
+for performance tuning and testing.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">port_number</em></b></dt>
+<dd>
+<p>Sets the port number with which <em class="emphasis">smbclient</em> will
+connect.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-R</tt> <em class="replaceable">resolve_order</em></b></dt>
+<dd>
+<p>Sets the resolve order of the name servers. This option is similar to
+the <tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
+option and can take any of the four parameters
+<tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
+If more than one is specified, the argument is specified as a
+space-separated list. This option can be used to test name service by
+specifying only the name service to be tested.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file. Used for
+debugging.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-t</tt> <em class="replaceable">terminal_code</em></b></dt>
+<dd>
+<p>Sets the terminal code for Asian languages.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-T</tt> <em class="replaceable">command_string tarfile</em></b></dt>
+<dd>
+<p>Runs the tar archiver, which is <em class="emphasis">gtar</em> compatible.
+The tar file that is written to or read from is specified by
+<em class="replaceable">tarfile</em>. The two main commands are
+<tt class="literal">c</tt> (create) and <tt class="literal">x</tt> (extract),
+which can be followed by any of these:</p>
+
+<dl>
+<dt><b><tt class="literal">a</tt></b></dt>
+<dd>
+<p>Resets the archive attribute on files after they have been saved. See
+also the <tt class="literal">g</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">b</tt> <em class="replaceable">size</em></b></dt>
+<dd>
+<p>Sets the block size for writing the tar file, in 512-byte units.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">g</tt></b></dt>
+<dd>
+<p>Backs up only files that have their archive bit set. See also the
+<tt class="literal">a</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">I</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Includes files and directories. This is the default, so specifying
+this is redundant. To perform pattern matching, see also the
+<tt class="literal">r</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">N</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Backs up only those files newer than <em class="replaceable">file</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">q</tt></b></dt>
+<dd>
+<p>Suppresses diagnostics.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">r</tt></b></dt>
+<dd>
+<p>Performs regular expression matching, which can be used along with
+the <tt class="literal">I</tt> or <tt class="literal">E</tt> option to include or
+exclude files.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">X</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Excludes files and directories.</p>
+</dd>
+
+</dl>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Sets the username and, optionally, the password used for
+authentication when connecting to the share.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-W</tt> <em class="replaceable">workgroup</em></b></dt>
+<dd>
+<p>Specifies the workgroup/domain in which
+<em class="emphasis">smbclient</em> will claim to be a member.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-47-fm2xml"/>
+
+<h4 class="refsect1">smbclient commands</h4>
+
+<dl>
+<dt><b><tt class="literal">help</tt> <em class="replaceable">[smbclient_command]</em></b></dt>
+<dd>
+<p>With no command specified, prints a list of available commands. If a
+command is specified as an argument, a brief help message will be
+printed for it.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">!</tt> <em class="replaceable">[shell_command]</em></b></dt>
+<dd>
+<p>Shell escape. With no command specified, runs a Unix shell. If a
+command is specified, runs the command in a Unix shell.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">altname</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbclient</em> to request from the server and
+then print the old-style, 8.3-format filename for the specified file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">cancel</tt> <em class="replaceable">print_jobid [...]</em></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbclient</em> to request the server to cancel
+one or more print jobs, as specified by the numeric job IDs provided
+as arguments. See also the <em class="emphasis">queue</em> command, which
+prints job IDs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">chmod</tt> <em class="replaceable">filename octal_mode</em></b></dt>
+<dd>
+<p>Requests that the server change the Unix file permissions on
+<em class="replaceable">filename</em> to
+<em class="replaceable">octal_mode</em>, specified in octal numeric
+format. Works only if the server supports Unix CIFS extensions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">chown</tt> <em class="replaceable">filename UID GID</em></b></dt>
+<dd>
+<p>Requests that the server change the owner and group of the file
+specified by <em class="replaceable">filename</em> to those provided as
+decimal numeric arguments <em class="replaceable">UID</em> and
+<em class="replaceable">GID</em>. Works only if the server supports
+Unix CIFS extensions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">cd</tt> <em class="replaceable">[directory]</em></b></dt>
+<dd>
+<p>With no argument, prints the current working directory on the remote
+system. If a directory name is supplied as an argument, changes the
+working directory on the remote system to that specified.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">del</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Requests that the server delete one or more files, as specified by
+the argument, from the current working directory. The argument can be
+a filename globbing pattern using the * and ? characters.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">dir</tt> [<em class="replaceable">filename]</em></b></dt>
+<dd>
+<p>With no arguments, prints a list of files and directories in the
+working directory on the server. If an argument is provided, only
+files and directories whose names match the argument will be listed.
+The argument can be a filename globbing pattern using the * and ?
+characters.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">exit</tt></b></dt>
+<dd>
+<p>Quits the <em class="emphasis">smbclient</em> program after terminating
+the SMB connection to the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">get</tt> <em class="replaceable">remote_file [local_file]</em></b></dt>
+<dd>
+<p>Copies the file specified by <em class="replaceable">remote_file</em>
+from the server to the local system. If no
+<em class="replaceable">local_file</em> argument is specified,
+<em class="emphasis">smbclient</em> will name the local file the same as
+it is named on the server. If <em class="replaceable">local_file</em>
+is specified, it will be used as the name of the local copy. See also
+the <em class="emphasis">lowercase</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">help</tt> <em class="replaceable">[command]</em></b></dt>
+<dd>
+<p>A synonym for the <em class="emphasis">?</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lcd</tt> <em class="replaceable">[directory]</em></b></dt>
+<dd>
+<p>If no argument is provided, prints the name of
+<em class="emphasis">smbclient</em>'s working directory
+on the local system. If a directory name is provided as an argument,
+changes <em class="emphasis">smbclient</em>'s working
+directory to the directory specified.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">link</tt> <em class="replaceable">link_name filename</em></b></dt>
+<dd>
+<p>Requests that the server create a hard link to
+<em class="replaceable">filename</em> and name it
+<em class="replaceable">link_name</em>. This command works only if the
+server supports Unix CIFS extensions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">lowercase</tt></b></dt>
+<dd>
+<p>Toggles the boolean lowercasing setting. When this setting is on,
+names of files copied from the server with the
+<em class="emphasis">get</em> and <em class="emphasis">mget</em> commands will
+be changed to all lowercase. This is mainly used for accessing
+servers that report filenames in all uppercase only.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ls</tt> <em class="replaceable">[filename]</em></b></dt>
+<dd>
+<p>A synonym for <em class="emphasis">dir</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">mask</tt> <em class="replaceable">[globbing_pattern]</em></b></dt>
+<dd>
+<p>Sets the filename globbing pattern for use with the
+<em class="emphasis">mget</em> and <em class="emphasis">mput</em> commands when
+recursion is turned on. (When recursion is off, the setting has no
+effect.) Both <em class="emphasis">mget</em> and <em class="emphasis">mput</em>
+accept a globbing pattern as arguments; however, those patterns apply
+only to the current directory. This command specifies the pattern
+used for all subdirectories that are recursively traversed. The
+pattern stays in effect until it is changed with another
+<em class="emphasis">mask</em> command. To return the setting to its
+original default, specify a
+<em class="replaceable">globbing_pattern</em> of an asterisk
+(<tt class="literal">*</tt>), which matches all files. See also the
+<em class="emphasis">mget</em>, <em class="emphasis">mput</em>, and
+<em class="emphasis">recurse</em> commands.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">mdir</tt> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>A synonym for the <em class="emphasis">mkdir</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">mget</tt> <em class="replaceable">pattern</em></b></dt>
+<dd>
+<p>When recursion is turned off, copies files matching the file-globbing
+pattern, as specified by the argument, from the current working
+directory on the server to the local system. When recursion is on,
+the <em class="replaceable">pattern</em> argument is used to match
+directories in the current working directory, and the pattern
+specified by the <em class="emphasis">mask</em> command is used for
+matching files within each directory and all subdirectories. See also
+the <em class="emphasis">lowercase</em>, <em class="emphasis">mask</em>, and
+<em class="emphasis">recurse</em> commands.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">print</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Prints the specified file. This requires that
+<em class="emphasis">smbclient</em> be connected to a print share. See
+also the <em class="emphasis">printmode</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printmode</tt> <em class="replaceable">mode</em></b></dt>
+<dd>
+<p>Sets the mode that is used by the <em class="emphasis">print</em> command.
+The mode can be either <tt class="literal">text</tt>, for printing text
+files such as the ASCII files commonly found on Unix, or
+<tt class="literal">graphics</tt>, for printing binary files.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">prompt</tt></b></dt>
+<dd>
+<p>Toggles the prompting mode. When prompting is on (the default), the
+<em class="emphasis">mget</em> and <em class="emphasis">mput</em> commands will
+interactively prompt the user for permission to transfer each file.
+The user can answer either <tt class="literal">y</tt> (yes) or
+<tt class="literal">n</tt> (no), followed by a newline, to this prompt.
+When prompting is off, all the files will be transferred with no
+prompts issued.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">put</tt> <em class="replaceable">local_file [remote_file]</em></b></dt>
+<dd>
+<p>Copies the file specified by <em class="replaceable">local_file</em>
+from the local to the remote system. If no
+<em class="replaceable">remote_file</em> argument is specified,
+<em class="emphasis">smbclient</em> will name the remote file the same as
+it is named on the local system. If
+<em class="replaceable">remote_file</em> is specified, it will be used
+as the name of the remote copy. See also the
+<em class="emphasis">lowercase</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">queue</tt></b></dt>
+<dd>
+<p>Prints information on the print queue on the server. This requires
+that <em class="emphasis">smbclient</em> is connected to a print share.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">quit</tt></b></dt>
+<dd>
+<p>A synonym for <em class="emphasis">exit</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rd</tt> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>A synonym for <em class="emphasis">rmdir</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">recurse</tt></b></dt>
+<dd>
+<p>Toggles the recursion mode, which affects the
+<em class="emphasis">mget</em> and <em class="emphasis">mput</em> commands.
+When recursion is off (the default), the <em class="emphasis">mget</em>
+and <em class="emphasis">mput</em> commands will copy only files from the
+current working directory that match the file-globbing pattern
+specified as an argument to the command, and the pattern set by the
+<em class="emphasis">mask</em> command is ignored. When recursion is
+turned on, the <em class="emphasis">mget</em> and
+<em class="emphasis">mput</em> commands recursively traverse any
+directories that match the pattern specified as the argument to the
+command, and the pattern set by the <em class="emphasis">mask</em> command
+is used to match files in those directories.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rm</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>A synonym for <em class="emphasis">del</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rmdir</tt> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Requests that the server remove the specified directory.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">setmode</tt> <em class="replaceable">filename attributes</em></b></dt>
+<dd>
+<p>Requests that the server assign the specified MS-DOS file attributes
+on the specified file. The <em class="replaceable">attributes</em>
+argument has the format of a leading plus sign (<tt class="literal">+</tt>)
+or minus sign (<tt class="literal">-</tt>) either to set or to unset the
+attribute(s), respectively, followed by one or more of the characters
+<tt class="literal">r</tt> (read), <tt class="literal">s</tt> (system),
+<tt class="literal">h</tt> (hidden), or <tt class="literal">a</tt> (archive).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">symlink</tt> <em class="replaceable">link_name filename</em></b></dt>
+<dd>
+<p>Requests that the server create a symbolic link named
+<em class="replaceable">link_name</em> to
+<em class="replaceable">filename</em>. This command works only if the
+server supports Unix CIFS extensions. The server will not create a
+link that refers to a file not in the share to which
+<em class="emphasis">smbclient</em> is connected.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">tar</tt> <em class="replaceable">cmd_str</em></b></dt>
+<dd>
+<p>Performs an archiving operation using the tar format. This is the
+interactive form of the <tt class="literal">-T</tt> command-line operation,
+and the <em class="replaceable">cmd_str</em> argument is specified in
+the same manner. See also the <em class="emphasis">tarmode</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">blocksize</tt> <em class="replaceable">size</em></b></dt>
+<dd>
+<p>Sets the block size, in units of 512 bytes, for files written by the
+<em class="emphasis">tar</em> command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">tarmode</tt> <em class="replaceable">mode ...</em></b></dt>
+<dd>
+<p>Specifies how the <em class="emphasis">tar</em> command performs its
+archiving, including how it handles the archive attribute on files.
+Multiple <em class="replaceable">mode</em> arguments can be provided,
+chosen from the following:</p>
+
+<dl>
+<dt><b><tt class="literal">full</tt></b></dt>
+<dd>
+<p>All files will be included, regardless of whether their
+<tt class="literal">archive</tt> attribute is set. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">inc</tt></b></dt>
+<dd>
+<p>Only files that have the <tt class="literal">archive</tt> attribute set
+will be included in the backup.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">reset</tt></b></dt>
+<dd>
+<p>The <tt class="literal">archive</tt> attribute will be unset by
+<em class="emphasis">tar</em> after the file is included in the archive.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">noreset</tt></b></dt>
+<dd>
+<p>The <tt class="literal">archive</tt> attribute will be left unchanged. This
+is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">system</tt></b></dt>
+<dd>
+<p>Files with the <tt class="literal">system</tt> attribute set will be
+included in the archive. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">nosystem</tt></b></dt>
+<dd>
+<p>Files with the <tt class="literal">system</tt> attribute set will not be
+included in the archive.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">hidden</tt></b></dt>
+<dd>
+<p>Files with the <tt class="literal">hidden</tt> attribute set will be
+included in the archive. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">nohidden</tt></b></dt>
+<dd>
+<p>Files with the <tt class="literal">hidden</tt> attribute set will not be
+included in the archive.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">verbose</tt></b></dt>
+<dd>
+<p>As files are included in the archive (when creating the archive) or
+are read from the archive (when extracting it), the name of each file
+will be printed. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">noverbose</tt></b></dt>
+<dd>
+<p>This turns verbose mode off, causing <em class="emphasis">tar</em> to
+perform its work quietly.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">quiet</tt></b></dt>
+<dd>
+<p>An antonym for the <tt class="literal">verbose</tt> mode. When quiet is on,
+verbose is off, and vice versa.<a name="INDEX-18"/></p>
+</dd>
+
+</dl>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-19"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbcontrol</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbcontrol</em> command sends control messages to
+running <em class="emphasis">smbd</em> or <em class="emphasis">nmbd</em>
+processes.</p>
+<div class="sect1"><a name="appc-49-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbcontrol -i<em class="replaceable"> [options]</em></pre></blockquote>
+<p>or:</p>
+
+<blockquote><pre class="code">smbcontrol <em class="replaceable">[options] process message-type [parameters]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-50-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Runs <em class="emphasis">smbcontrol</em> interactively, executing
+commands until a blank line or &quot;q&quot;
+is read. The user must have superuser privileges.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the location of the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">debuglevel</em></b></dt>
+<dd>
+<p>Sets the debugging level for logging. The debug level can be set from
+to 10.</p>
+</dd>
+
+</dl>
+
+
+<p>Whether <em class="emphasis">smbcontrol</em> commands are issued in
+interactive mode or from the command line, the commands are in the
+same format. Each command has up to three parts:</p>
+
+<dl>
+<dt><b><em class="replaceable">process</em></b></dt>
+<dd>
+<p>Specifies the process or group of processes to which to send the
+message. If <em class="replaceable">process</em> is
+<tt class="literal">smbd</tt>, all <em class="emphasis">smbd</em> processes will
+receive the message. If <em class="replaceable">process</em> is
+<tt class="literal">nmbd</tt>, only the main <em class="emphasis">nmbd</em>
+process (identified by Samba's
+<em class="filename">nmbd.pid</em> file) receives the message. If
+<em class="replaceable">process</em> is the numeric PID of a running
+process on the system, that process will receive the message.</p>
+</dd>
+
+
+
+<dt><b><em class="replaceable">message-type</em></b></dt>
+<dd>
+<p>Specifies the type of message that is sent. For more information, see
+<a href="appc.html#appc-51-fm2xml">smbcontrol message
+types</a> that follows.</p>
+</dd>
+
+
+
+<dt><b><em class="replaceable">parameters</em></b></dt>
+<dd>
+<p>Specifies additional parameters required by some messages.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-51-fm2xml"/>
+
+<h4 class="refsect1">smbcontrol message types</h4>
+
+<dl>
+<dt><b><tt class="literal">close-share</tt> <em class="replaceable">share_name</em></b></dt>
+<dd>
+<p>Closes the connection to a share or shares. If
+<em class="replaceable">share_name</em> is specified as an asterisk
+(<tt class="literal">*</tt>), connections to all shares will be closed. To
+close a single connection, <em class="replaceable">share_name</em> is
+given as the name of a share, as specified in the Samba configuration
+file, not including the enclosing brackets. Warning: no message is
+printed if there is an error in specifying
+<em class="replaceable">share_name</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">debug</tt> <em class="replaceable">num</em></b></dt>
+<dd>
+<p>Sets the debugging level. The <em class="replaceable">num</em>
+parameter specifies the level, which can be from 0 to 10.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">debuglevel</tt></b></dt>
+<dd>
+<p>Prints the current debugging level.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">force-election</tt></b></dt>
+<dd>
+<p>Can be used only with <em class="emphasis">nmbd</em>, telling it to force
+a master browser election.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ping</tt> <em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sends <em class="emphasis">number</em> of pings and reports when they
+receive a reply or timeout. Used for connectivity testing.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">profile</tt> <em class="replaceable">mode</em></b></dt>
+<dd>
+<p>Controls profiling statistics collection. If
+<em class="replaceable">mode</em> is <tt class="literal">on</tt>, profile
+statistics will be collected. If <em class="replaceable">mode</em> is
+<tt class="literal">off</tt>, collection of statistics is turned off. If
+<em class="replaceable">mode</em> is specified as
+<tt class="literal">count</tt>, only counting statistics are collected (and
+not timing statistics). If <em class="replaceable">mode</em> is
+<tt class="literal">flush</tt>, the data set is cleared (initialized).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">profilelevel</tt></b></dt>
+<dd>
+<p>Prints the current profiling level.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">printer-notify</tt> <em class="replaceable">printer_name</em></b></dt>
+<dd>
+<p>Sends a printer notify message to Windows NT/2000/XP for the
+specified printer. This message can be sent only to
+<em class="emphasis">smbd</em>. Warning: no message is printed if the
+<em class="replaceable">printer_name</em> parameter is specified
+incorrectly.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-20"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbgroupedit</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This command, new to Samba 3.0, sets up mappings between Unix groups
+and Windows NT/2000/XP groups and also allows a Unix group to become
+a domain group. This command must be run by the superuser.</p>
+<div class="sect1"><a name="appc-53-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbgroupedit <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-54-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt> <em class="replaceable">Unix_group_name</em></b></dt>
+<dd>
+<p>Adds a mapping for the specified Unix group. The
+<tt class="literal">-n</tt> option is used along with this option to
+specify the Windows NT group to which the Unix group is mapped.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-c</tt> <em class="replaceable">SID</em></b></dt>
+<dd>
+<p>Changes a mapping between a Windows NT group and a Unix group. The
+Windows NT group is specified as a SID with this option, and the Unix
+group is specified with the <tt class="literal">-u</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">description</em></b></dt>
+<dd>
+<p>Specifies a comment for the mapping, which will be stored along with
+it.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt></b></dt>
+<dd>
+<p>When used with the <tt class="literal">-v</tt> option, prints a long
+listing. This is the default. The information printed includes the
+name of the Windows NT group, its SID, its corresponding Unix group
+(if a mapping has been defined), the group type, the comment, and the
+privileges of the group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">Windows_group_name</em></b></dt>
+<dd>
+<p>Specifies the name of the Windows NT group. Used with the
+<tt class="literal">-a</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">privilege</em></b></dt>
+<dd>
+<p>Used along with the <tt class="literal">-a</tt> option to specify a Windows
+NT privilege to be given to the Unix group.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt></b></dt>
+<dd>
+<p>When used with the <tt class="literal">-v</tt> option, prints a short
+listing. The information printed includes just the name of the
+Windows NT group, its SID, and, if a mapping has been defined, its
+corresponding Unix group. This option is useful for determining the
+SID of a group, for use with the <tt class="literal">-c</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-t</tt> <em class="replaceable">TYPE</em></b></dt>
+<dd>
+<p>Assigns a Windows group type to the group.
+<em class="replaceable">TYPE</em> is a single character, and is one of
+<tt class="literal">b</tt> (built-in), <tt class="literal">d</tt> (domain), or
+<tt class="literal">l</tt> (local).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">Unix_group_name</em></b></dt>
+<dd>
+<p>Specifies the name of the Unix group to map to the Windows NT group.
+Used with the <tt class="literal">-c</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Prints a list of groups in the Windows NT domain in which the Samba
+server is operating. See also the <tt class="literal">-l</tt> and
+<tt class="literal">-s</tt> options.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-x</tt> <em class="replaceable">Unix_group_name</em></b></dt>
+<dd>
+<p>Deletes the mapping for the Unix group specified.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-21"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbmnt</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This is a low-level helper program for mounting smbfs filesystems. It
+used by <em class="emphasis">smbmount</em> to do the privileged part of
+the mount operation on behalf of an ordinary user. Generally, users
+should not run this command directly.</p>
+<div class="sect1"><a name="appc-56-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbmnt mnt_point <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-57-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-r</tt></b></dt>
+<dd>
+<p>Mounts the filesystem as read-only.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">uid</em> </b></dt>
+<dd>
+<p>Specifies the UID to use for the owner of the files.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-g</tt> <em class="replaceable">gid</em></b></dt>
+<dd>
+<p>Specifies the GID to use for the group of the files.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-f</tt> <em class="replaceable">mask</em></b></dt>
+<dd>
+<p>Specifies the octal file mask.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">mask</em></b></dt>
+<dd>
+<p>Specifies the octal directory mask.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-o</tt> <em class="replaceable">options</em></b></dt>
+<dd>
+<p>Specifies the list of options that are passed to the smbfs module.</p>
+</dd>
+
+</dl>
+
+
+<p>To allow users to mount SMB shares without help from an
+administrator, set the &quot;set user
+ID&quot; permission on the <em class="emphasis">smbmnt</em>
+executable. However, note that this can raise security issues.</p>
+
+</div>
+</div>
+
+<a name="INDEX-22"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbmount</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program mounts an smbfs filesystem on a mount point in the Unix
+filesystem. It is typically called as <em class="emphasis">mount.smb</em>
+from <em class="emphasis">mount</em>, although it can also be run directly
+by users. After mounting the smbfs filesystem,
+<em class="emphasis">smbmount</em> continues to run as a daemon as long as
+the filesystem is mounted. It logs events in the file
+<em class="filename">log.smbmount</em> in the same directory as the other
+Samba log files (which is commonly
+<em class="filename">/usr/local/samba/var</em> by default). The logging
+level is controlled by the <tt class="literal">debug level</tt> parameter
+in the Samba configuration file.</p>
+<div class="sect1"><a name="appc-59-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbmount <em class="replaceable">service mount_point [-o options]</em></pre></blockquote>
+<p>The service argument specifies the SMB share to mount, given as a
+UNC. The <em class="replaceable">mount_point</em> argument specifies a
+directory to use as the mount point. The options to
+<em class="emphasis">smbmount</em> are specified as a comma-separated list
+of
+<em class="replaceable">key</em><tt class="literal">=</tt><em class="replaceable">value</em>
+pairs. The documented options are as follows. Others can be passed if
+the kernel supports them.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-60-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">username=</tt><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Specifies the username to connect as. If this is not provided, the
+environment variable USER will be tried. The name can be specified as
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>,
+<em class="replaceable">user</em><tt class="literal">/</tt><em class="replaceable">workgroup</em>,
+or
+<em class="replaceable">user</em><tt class="literal">/</tt><em class="replaceable">workgroup</em><tt class="literal">%</tt><em class="replaceable">password</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">password=</tt><em class="replaceable">string</em></b></dt>
+<dd>
+<p>Specifies the SMB password. If no password is provided using this
+option, the <em class="emphasis">username</em> option, or the
+<em class="emphasis">credentials</em> option, the environment variable
+PASSWD is used. If that also does not exist,
+<em class="emphasis">smbmount</em> will prompt interactively for a
+password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">credentials=</tt><em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies a file that contains a username and password in the
+following format:</p>
+
+
+<blockquote><pre class="code">username = <em class="replaceable">value</em>
+password = <em class="replaceable">value</em></pre></blockquote>
+</dd>
+
+
+<dt><b><tt class="literal">uid=</tt><em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sets the Unix user ID to be used as the owner of all files in the
+mounted filesystem. It can be specified as a username or numeric UID.
+Defaults to the UID of the user running
+<em class="emphasis">smbmount</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">gid=</tt><em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sets the Unix group ID to be used as the group for all files in the
+mounted filesystem. It can be specified as a group name or a numeric
+GID. Defaults to the GID of the user running
+<em class="emphasis">smbmount</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">port=</tt><em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sets the TCP port number. This is 139, which is required by most
+Windows versions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">fmask=</tt><em class="replaceable">octal_mask</em> </b></dt>
+<dd>
+<p>Sets the Unix permissions of all files in the mounted filesystem.
+Defaults to the user's current umask.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">dmask=</tt><em class="replaceable">octal_mask</em></b></dt>
+<dd>
+<p>Sets the Unix permissions of all directories in the mounted
+filesystem. Defaults to the current umask.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">debug=</tt><em class="replaceable">number</em></b></dt>
+<dd>
+<p>Sets the debugging level.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ip=</tt><em class="replaceable">host</em></b></dt>
+<dd>
+<p>Sets the destination hostname or IP address.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">netbiosname=</tt><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Sets the computer name to connect as. This defaults to the hostname
+of the local system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">workgroup=</tt><em class="replaceable">name</em></b></dt>
+<dd>
+<p>Sets the workgroup or domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">sockopt=</tt><em class="replaceable">opts</em></b></dt>
+<dd>
+<p>Sets TCP socket options.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">scope=</tt><em class="replaceable">num</em></b></dt>
+<dd>
+<p>Sets the NetBIOS scope.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">guest</tt></b></dt>
+<dd>
+<p>Don't expect or prompt for a password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ro</tt></b></dt>
+<dd>
+<p>Mounts the share read-only.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">rw</tt></b></dt>
+<dd>
+<p>Mounts the share read-write.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">iocharset=</tt><em class="replaceable">charset</em></b></dt>
+<dd>
+<p>Sets the charset used by the Linux machine for codepage-to-charset
+translation. See also the <em class="emphasis">codepage</em> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">codepage=</tt><em class="replaceable">page</em></b></dt>
+<dd>
+<p>Sets the DOS code page. See also the <em class="emphasis">iocharset</em>
+option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">ttl=</tt><em class="replaceable">milliseconds</em></b></dt>
+<dd>
+<p>Sets the time to live, in milliseconds, for entries in the directory
+cache. A higher value gives better performance on large directories
+and/or slower connections. The default is 1000ms. Try 10000ms (10
+seconds) as a starting value if directory operations are visibly
+slow.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-23"/><a name="INDEX-24"/><a name="INDEX-25"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbpasswd</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbpasswd</em> program provides the general
+function of managing <a name="INDEX-24"/><a name="INDEX-25"/>encrypted
+passwords. How it works depends on whether it is run by the superuser
+or an ordinary user.</p><p>For the superuser, <em class="emphasis">smbpasswd</em> can be used to
+maintain Samba's <em class="filename">smbpasswd</em>
+file. It can add or delete users, change their passwords, and modify
+other attributes pertaining to the user that are held in the
+<em class="filename">smbpasswd</em> file.</p><p>When run by ordinary users, <em class="emphasis">smbpasswd</em> can be
+used only to change their encrypted passwords. In this mode of
+operation, <em class="emphasis">smbpasswd</em> acts as a client to the
+<em class="emphasis">smbd</em> daemon. The program will fail if
+<em class="emphasis">smbd</em> is not operating, if the <tt class="literal">hosts
+allow</tt> or <tt class="literal">hosts deny</tt> parameters in the
+Samba configuration file do not permit connections from localhost (IP
+address 127.0.0.1), or if the <tt class="literal">encrypted passwords</tt>
+option is set to <tt class="literal">no</tt>. It is also possible for
+<em class="emphasis">smbpasswd</em> to change a user's
+password when it is maintained on a remote system, including a
+Windows NT domain controller.</p>
+<div class="sect1"><a name="appc-62-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+<p>When run by the superuser:</p>
+
+<blockquote><pre class="code">smbpasswd <em class="replaceable">[options] [username] [password]</em></pre></blockquote>
+<p>In this case, the username of the user whose
+<em class="emphasis">smbpasswd</em> entry is to be modified is provided as
+the second argument.</p>
+
+<p>Otherwise:</p>
+
+<blockquote><pre class="code">smbpasswd <em class="replaceable">[options] [password]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-63-fm2xml"/>
+
+<h4 class="refsect1">Superuser-only options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Adds a user to the encrypted password file. The user must already
+exist in the system password file (<em class="filename">/etc/passwd</em>
+). If the user already exists in the <em class="filename">smbpasswd</em>
+file, the <tt class="literal">-a</tt> option changes the existing password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Disables a user in the encrypted password file. The
+user's entry in the file will remain, but will be
+marked with a flag disabling the user from authenticating.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-e</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Enables a disabled user in the encrypted password file. This
+overrides the effect of the <tt class="literal">-d</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-j</tt> <em class="replaceable">domain</em></b></dt>
+<dd>
+<p>Joins the Samba server to a Windows NT domain as a domain member
+server. The <em class="replaceable">domain</em> argument is the NetBIOS
+name of the Windows NT domain that is being joined. See also the
+<tt class="literal">-r</tt> and <tt class="literal">-U</tt> options.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-m</tt></b></dt>
+<dd>
+<p>Indicates that the account is a computer account in a Windows NT
+domain rather than a domain user account.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt></b></dt>
+<dd>
+<p>Sets the user's password to a null password. For the
+user to authenticate, the parameter <tt class="literal">null</tt>
+<tt class="literal">passwords</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> must exist in the <tt class="literal">[global]</tt>
+section of the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-R</tt> <em class="replaceable">resolve_order_list</em></b></dt>
+<dd>
+<p>Sets the resolve order of the name servers. This option is similar to
+the <tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
+option and can take any of the four parameters
+<tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
+If more than one is specified, the argument is specified as a
+space-separated list.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-w</tt> <em class="replaceable">password</em></b></dt>
+<dd>
+<p>For use when Samba has been compiled with the
+<tt class="literal">--with-ldapsam</tt> configure option. Specifies the
+password that goes with the value of the <tt class="literal">ldap admin
+dn</tt> Samba configuration file parameter.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-x</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Deletes the user from the <em class="filename">smbpasswd</em> file. This
+is a one-way operation, and all information associated with the entry
+is lost. To disable the account without deleting the
+user's entry in the file, see the
+<tt class="literal">-d</tt> option.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+<div class="sect1"><a name="appc-64-fm2xml"/>
+
+<h4 class="refsect1">Other options</h4>
+
+<dl>
+<dt><b><tt class="literal">-c</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the Samba configuration file, overriding the compiled-in
+default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-D</tt> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (also called logging) level. The level can range from
+to 10. Debug level 0 logs only the most important messages; level 1
+is normal; levels 3 and above are primarily for debugging and slow
+the program considerably.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints command-line usage information.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-L</tt></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbpasswd</em> to run in local mode, in which
+ordinary users are allowed to use the superuser-only options. This
+requires that the <em class="filename">smbpasswd</em> file be made
+readable and writable by the user. This is for testing purposes.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-r</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Specifies on which machine the password should change. If changing a
+Windows NT domain password, the remote system specified by
+<em class="replaceable">NetBIOS_name</em> must be the PDC for the
+domain. The user's username on the local system is
+used by default. See also the <tt class="literal">-U</tt> option for use
+when the user's Samba username is different from the
+local username.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-R</tt> <em class="replaceable">resolve_order</em></b></dt>
+<dd>
+<p>Sets the resolve order of the name servers. This option is similar to
+the resolve order configuration option and can take any of the four
+parameters <tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
+If more than one is specified, the argument is specified as a
+space-separated list.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbpasswd</em> not to prompt for passwords
+from <em class="filename">/dev/tty</em>, but instead to read the old and
+new passwords from the standard input. This is useful when calling
+<em class="emphasis">smbpasswd</em> from a script.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt></b></dt>
+<dd>
+<p>Queries the domain controller of the domain, as specified by the
+<tt class="literal">workgroup</tt> parameter in the Samba configuration
+file, and retrieves the domain's SID. This will then
+be used as the SID for the local system. A specific PDC can be
+selected by combining this option with the <tt class="literal">-r</tt>
+option, and its domain's SID will be used. This
+option is for migrating domain accounts from a Windows NT primary
+domain controller to a Samba PDC.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">username[</em><tt class="literal">%</tt><em class="replaceable">password]</em></b></dt>
+<dd>
+<p>Changes the password for <em class="replaceable">username</em> on the
+remote system. This is to handle instances in which the remote
+username and local username are different. This option requires that
+<tt class="literal">-r</tt> also be used. Often used with
+<tt class="literal">-j</tt> to provide the username of the administrative
+user on the primary domain controller for adding computer accounts.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-26"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbsh</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbsh</em> program allows SMB shares to be
+accessed from a Unix system. When <em class="emphasis">smbsh</em> is run,
+an extra directory tree called <em class="filename">/smb </em>becomes
+available to dynamically linked shell commands. The first level of
+directories under <em class="filename">/smb</em> represent available
+workgroups, the next level of subdirectories represent the SMB
+servers in each workgroup, and the third level of subdirectories
+represent the disk and printer shares of each server.</p><p>Samba must be compiled with the <tt class="literal">--with-smbwrappers</tt>
+option to enable <em class="emphasis">smbsh</em>.</p>
+<div class="sect1"><a name="appc-66-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><em class="emphasis">-d</em> <em class="replaceable">debug_level</em></b></dt>
+<dd>
+<p>Sets the debug (sometimes called logging) level. The level can range
+from 0, the default, to 10. Debug level 0 logs only the most
+important messages; level 1 is normal; levels 3 and above are
+primarily for debugging and slow <em class="emphasis">smbsh</em>
+considerably.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-l</em> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Sets the name of the logging file. By default, messages are sent to
+<em class="emphasis">stderr</em>.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-L</em> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the location of
+<em class="emphasis">smbsh</em>'s shared libraries,
+overriding the compiled-in default.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-P</em> <em class="replaceable">prefix</em></b></dt>
+<dd>
+<p>Sets the name of the <tt class="literal">root</tt> directory to use for the
+SMB filesystem. The default is <em class="filename">/smb</em>.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-R</em> <em class="replaceable">resolve_order</em></b></dt>
+<dd>
+<p>Sets the resolve order of the name servers. This option is similar to
+the <tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
+option and can take any of the four parameters
+<tt class="literal">lmhosts</tt>, <tt class="literal">host</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt>, in any order.
+If more than one is specified, the argument is specified as a
+space-separated list.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-U</em> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Provides the username, and optionally the password, for
+authenticating the connection to the SMB server. The password can be
+supplied using the
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>
+format. If either or both the username and password are not provided,
+<em class="emphasis">smbsh</em> will prompt interactively for them.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">-W</em> <em class="replaceable">workgroup</em></b></dt>
+<dd>
+<p>Specifies the NetBIOS workgroup or domain to which the client will
+connect. This overrides the workgroup parameter in the Samba
+configuration file and is sometimes necessary to connect to some
+servers.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-27"/><a name="INDEX-28"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbspool</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbspool</em> program provides a
+<a name="INDEX-28"/>CUPS-compatible
+interface to Samba printing by providing a way to send a print job to
+an SMB printer using the command-line format specified by CUPS
+printers. Although <em class="emphasis">smbspool</em> is designed to work
+best with CUPS printers, it can be used to send print jobs to
+non-CUPS Samba printers as well.</p>
+<div class="sect1"><a name="appc-68-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbspool <em class="replaceable">job user title copies options filename</em></pre></blockquote>
+<p>The arguments for <em class="emphasis">smbspool</em>, as shown here, are
+those used in the CUPS printing system. However, some of the
+arguments are currently ignored because they don't
+correspond to the Samba printing system. These arguments must be
+supplied in the command and can be filled in with
+&quot;dummy&quot; values.</p>
+
+<p>The <em class="replaceable">job</em> argument refers to the job number
+and is currently ignored. The <em class="replaceable">user</em>
+argument is the name of the user who submitted the print job and is
+also ignored. The <em class="replaceable">title</em> argument is the
+name of the print job and must be supplied. It is used as the name of
+the remote print file. The <em class="replaceable">copies</em> argument
+is the number of copies that will be printed. This number is used
+only if the (optional) <em class="filename">filename</em> argument is
+supplied. Otherwise, only one copy is printed. The
+<em class="replaceable">options</em> argument, for specifying printing
+options, is ignored. The <em class="replaceable">filename</em> argument
+is used for specifying the name of the file to be printed. If it is
+not provided, the standard input will be used.</p>
+
+<p>The printer that the job is to be sent to is specified in the
+DEVICE_URI environment variable. The format for the printer name is a
+device Universal Resource Indicator, which can be in any of the
+following formats:</p>
+
+<blockquote class="simplelist">
+
+<p><em class="emphasis">smb://server/printer</em></p>
+
+
+
+
+<p><em class="emphasis">smb://workgroup/server/printer</em></p>
+
+
+
+
+<p><em class="emphasis">smb://username:password@server/printer</em></p>
+
+
+
+
+<p><em class="emphasis">smb://username:password@workgroup/server/printer</em></p>
+
+</blockquote>
+
+
+</div>
+</div>
+
+<a name="INDEX-29"/><a name="INDEX-30"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbstatus</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program lists the current connections on a Samba server.</p>
+<div class="sect1"><a name="appc-70-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-b</tt></b></dt>
+<dd>
+<p>Causes <em class="emphasis">smbstatus</em> to produce brief output. This
+includes the version of Samba and auditing information about the
+users that are connected to the server.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt></b></dt>
+<dd>
+<p>Gives verbose output, which includes a list of services, a list of
+locked files, and memory usage statistics. This is the default.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-L</tt></b></dt>
+<dd>
+<p>Prints only the list of current file locks.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt></b></dt>
+<dd>
+<p>Prints only a list of <em class="emphasis">smbd</em> process IDs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-P</tt></b></dt>
+<dd>
+<p>Prints only the contents of the profiling memory area. Requires that
+Samba has been compiled with the profiling option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt></b></dt>
+<dd>
+<p>Prints only a list of shares and their connections.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the Samba configuration file to use when processing this
+command.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Limits the report to the activity of a single user.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-31"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbtar</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbtar</em> program is a shell-script wrapper
+around <em class="emphasis">smbclient</em> for doing tar-format archiving
+operations. It is functionally very similar to the Unix
+<em class="emphasis">tar</em> program.</p>
+<div class="sect1"><a name="appc-72-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbtar <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-73-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-a</tt></b></dt>
+<dd>
+<p>Resets (clears) the archive attribute on files after they are backed
+up. The default is to leave the archive attribute unchanged.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-b</tt> <em class="replaceable">blocksize</em></b></dt>
+<dd>
+<p>Sets block size, in units of 512 bytes, for reading or writing the
+archive file. Defaults to 20, which results in a block size of 10240
+bytes.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-d</tt> <em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Changes the working directory on the remote system to
+<em class="replaceable">directory</em> before starting the restore or
+backup operation.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-i</tt></b></dt>
+<dd>
+<p>Specifies incremental mode; files are backed up only if they have the
+DOS archive attribute set. The archive attribute is reset (cleared)
+after each file is read.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-l</tt> <em class="replaceable">log_level</em></b></dt>
+<dd>
+<p>Sets the logging level. This corresponds to the <tt class="literal">-d</tt>
+option of <em class="emphasis">smbclient</em> and other Samba programs.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-N</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Backs up only files newer than <em class="filename">filename</em>. For
+incremental backups.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-p</tt> <em class="replaceable">password</em></b></dt>
+<dd>
+<p>Specifies the password to use to access a share. An alternative to
+using the
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>
+format with the <tt class="literal">-u</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-r</tt></b></dt>
+<dd>
+<p>Restores files to the share from the tar file.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">server</em></b></dt>
+<dd>
+<p>Specifies the SMB server. See also the <tt class="literal">-x</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-t</tt> <em class="replaceable">filename</em></b></dt>
+<dd>
+<p>Specifies the file or Unix device to use as the archiving medium. The
+default is <em class="filename">tar.out</em> or the value of the TAPE
+environment variable, if it has been set.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-u</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Specifies the user account to use when connecting to the share. You
+can specify the password as well, in the format
+<em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em>.
+The username defaults to the user's Unix username.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-v</tt></b></dt>
+<dd>
+<p>Operates in verbose mode, printing error messages and additional
+information that can be used in debugging and monitoring. Backup and
+restore operations will list each file as it is processed.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-x</tt> <em class="replaceable">share</em></b></dt>
+<dd>
+<p>States the name of the share on the server to which to connect. The
+default is <tt class="literal">backup</tt>. See also the
+<tt class="literal">-s</tt> option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-X</tt> <em class="replaceable">file_list</em></b></dt>
+<dd>
+<p>Tells <em class="emphasis">smbtar</em> to exclude the specified files from
+the backup or restore operation.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-32"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>smbumount</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">smbumount</em> command exists to allow an
+ordinary (nonsuperuser) user to unmount a smbfs filesystem, which the
+user had previously mounted using <em class="emphasis">smbmount</em>.</p>
+<div class="sect1"><a name="appc-75-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">smbumount <em class="replaceable">mount_point</em></pre></blockquote>
+<p>For ordinary users to issue the command,
+<em class="emphasis">smbumount</em> must be made suid
+<tt class="literal">root</tt>.</p>
+
+</div>
+</div>
+
+<a name="INDEX-33"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>testparm</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>The <em class="emphasis">testparm</em> program checks a Samba
+configuration file for obvious errors.</p>
+<div class="sect1"><a name="appc-77-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">testparm <em class="replaceable">[options] [filename] [hostname IP_addr]</em></pre></blockquote>
+<p>If the configuration file is not provided using the
+<em class="filename">filename</em> argument, then it defaults to
+<em class="filename">/usr/local/samba/lib/smb.conf</em>. If the hostname
+and an IP address of a system are included, an extra check is made to
+ensure that the system is allowed to connect to each service defined
+in the configuration file. This is done by comparing the hostname and
+IP address to the definitions of the <tt class="literal">hosts allow</tt>
+and <tt class="literal">hosts deny</tt> parameters.</p>
+
+</div>
+
+<div class="sect1"><a name="appc-78-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-h</tt></b></dt>
+<dd>
+<p>Prints usage information for the program.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-L</tt> <em class="replaceable">server_name</em></b></dt>
+<dd>
+<p>Sets the <tt class="literal">%L</tt> configuration variable to the
+specified server name.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt></b></dt>
+<dd>
+<p>Disables the default behavior of prompting for the Enter key to be
+pressed before printing the list of configuration options for the
+server.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+<a name="INDEX-34"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>testprns</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This is a very simple program that checks to see if a specified
+printer name exists in the system printer capabilities (printcap)
+file.</p>
+<div class="sect1"><a name="appc-80-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">testprns <em class="replaceable">printername [printcapname]</em></pre></blockquote>
+<p>If <em class="replaceable">printcapname</em> isn't
+specified, Samba attempts to use the one specified in the Samba
+configuration file with the <tt class="literal">printcap name</tt>
+parameter. If none is specified there, Samba will try
+<em class="filename">/etc/printcap</em>.</p>
+
+</div>
+</div>
+
+<a name="INDEX-35"/><div class="refentry"><table width="515" border="0" cellpadding="5"><tr><td align="left"><font size="+1"><b><i>wbinfo</i></b></font></td><td align="right"><i></i></td></tr></table><hr width="515" size="3" noshade="true" align="left" color="black"/><table width="515" border="0" cellpadding="5"><tr><td align="left"/><td align="right"/></tr></table><p>This program retrieves and prints information from the
+<em class="emphasis">winbindd</em> daemon, which must be running for
+<em class="emphasis">wbinfo</em> to function.</p>
+<div class="sect1"><a name="appc-82-fm2xml"/>
+
+<h4 class="refsect1">Command synopsis</h4>
+
+<blockquote><pre class="code">wbinfo <em class="replaceable">[options]</em></pre></blockquote>
+
+
+</div>
+
+<div class="sect1"><a name="appc-83-fm2xml"/>
+
+<h4 class="refsect1">Options</h4>
+
+<dl>
+<dt><b><tt class="literal">-u</tt> </b></dt>
+<dd>
+<p>Prints all usernames that have been mapped from the Windows NT domain
+to Unix users. Users in all trusted domains are also listed.</p>
+</dd>
+
+
+
+<dt><b> <tt class="literal">-</tt><em class="emphasis">g</em> </b></dt>
+<dd>
+<p>Prints all group names that have been mapped from the Windows NT
+domain to Unix groups. Groups in all trusted domains are also
+reported.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-h</tt> <em class="replaceable">NetBIOS_name</em></b></dt>
+<dd>
+<p>Queries the WINS server and prints the IP address of the specified
+system.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-n</tt> <em class="replaceable">name</em> </b></dt>
+<dd>
+<p>Prints the SID corresponding to the name specified. The argument can
+be specified as <em class="replaceable">DOMAIN/name</em> (or by using a
+character other than the slash, as defined by the winbind separator
+character) to specify both the domain and the name. If the domain and
+separator are omitted, the value of the <tt class="literal">workgroup</tt>
+parameter in the Samba configuration file is used as the name of the
+domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-s</tt> <em class="replaceable">SID</em> </b></dt>
+<dd>
+<p>Prints the name mapped to a SID, which is specified in the format
+<tt class="literal">S-1-</tt><em class="replaceable">N-N-D-D-D-R</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-U</tt> <em class="replaceable">UID</em></b></dt>
+<dd>
+<p>Prints the SID mapped to a Unix UID, if one exists in the current
+domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-G</tt> <em class="replaceable">gid</em></b></dt>
+<dd>
+<p>Prints the SID mapped to a Unix group ID, if one exists in the
+current domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-S</tt> <em class="replaceable">SID</em></b></dt>
+<dd>
+<p>Prints the Unix UID that winbind has mapped to the specified SID, if
+one exists.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-Y</tt> <em class="replaceable">SID</em></b></dt>
+<dd>
+<p>Prints the Unix group ID that winbind has mapped to the specified
+SID, if one exists.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-t</tt></b></dt>
+<dd>
+<p>Tests to see that the workstation trust account for the Samba server
+is valid.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-m</tt> </b></dt>
+<dd>
+<p>Prints a list of Windows NT domains trusted by the Windows server.
+This does not include the PDC's domain.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-r</tt> <em class="replaceable">username</em></b></dt>
+<dd>
+<p>Prints the list of Unix group IDs to which the user belongs. This
+works only if the user's account is maintained on a
+domain controller.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-a</tt> <em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em></b></dt>
+<dd>
+<p>Checks to see if a user can authenticate through
+<em class="emphasis">winbindd</em> using the specified username and
+password.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">-A</tt> <em class="replaceable">username</em><tt class="literal">%</tt><em class="replaceable">password</em></b></dt>
+<dd>
+<p>Saves the username and password used by <em class="emphasis">winbindd</em>
+to the domain controller. For use when operating in a Windows 2000
+domain.</p>
+</dd>
+
+</dl>
+
+
+</div>
+</div>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+
+</body></html>
diff --git a/docs/htmldocs/using_samba/appd.html b/docs/htmldocs/using_samba/appd.html
new file mode 100644
index 0000000000..0e2a8822f8
--- /dev/null
+++ b/docs/htmldocs/using_samba/appd.html
@@ -0,0 +1,82 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix D. Downloading Samba with CVS</h1>
+
+
+<p>In <a href="ch02.html">Chapter 2</a> we showed you how to download the
+latest stable version of Samba published by the Samba developers. For
+most purposes (including virtually all production servers) this
+procedure will meet your needs. However, sometimes you might want to
+run a version of Samba that includes the latest bug fixes and
+features, maybe for research and testing purposes, or just to see
+what the Samba developers have been up to lately.</p>
+
+<p>The Samba team keeps the latest updates of the Samba source code in a
+<a name="INDEX-1"/><a name="INDEX-2"/>Concurrent Versions System
+(CVS) repository. CVS is a freely available
+<a name="INDEX-3"/>configuration management tool
+and is distributed under the GNU General Public License. You can
+download the latest copy from <a href="http://www.cvshome.org/">http://www.cvshome.org/</a>. The Samba team
+describes various ways to access its CVS repository at <a href="http://www.samba.org/samba/cvs.html">http://www.samba.org/samba/cvs.html</a>.</p>
+
+<a name="samba2-APP-D-NOTE-162"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Although the CVS code contains the latest features, it also contains
+the latest bugs and sometimes won't even compile
+properly! If you prefer a less &quot;bleeding
+edge&quot; release, try looking in the
+<em class="filename">alpha</em> and <em class="filename">pre</em> directories
+on the Samba FTP server. The <em class="filename">alpha</em> directory
+contains alpha releases, and the <em class="emphasis">pre</em> directory
+contains (usually more stable) prerelease versions. (See <a href="ch02.html">Chapter 2</a> for information on downloading via FTP.) Alpha
+releases might be a little behind the latest CVS code, but are less
+buggy and usually compile properly on the more common Unix versions.</p>
+</blockquote>
+
+<p>One of the nicest things about CVS is its ability to handle remote
+logins. This means that people across the globe on the Internet can
+download and update various source files for any project that uses a
+CVS repository. Such is the case with Samba. Once you have CVS
+installed on your system, you must first log in to the Samba source
+server with the following command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login</b></tt></pre></blockquote>
+
+<p>When you are prompted for a password, enter <tt class="literal">cvs</tt>.
+You are connected to the CVS server at
+<tt class="literal">pserver.samba.org</tt>. Once you are connected, you can
+download the latest source tree with the following command:<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a></p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cvs -z5 -d :pserver:pserver@pserver.samba.org:/cvsroot co samba</b></tt></pre></blockquote>
+
+<p>This downloads the entire Samba distribution (file by file) into a
+directory called <em class="filename">samba</em>, created in your current
+directory. The <em class="filename">samba</em> directory has the same
+structure as the Samba source distribution described in <a href="ch02.html">Chapter 2</a>, except that it has additional directories
+named <em class="filename">CVS</em> throughout the source tree. These
+directories are used by CVS to store information about each file in
+the source tree and how to update them. After the download is
+completed, you can follow the instructions in <a href="ch02.html">Chapter 2</a> to configure, compile, and install your new
+Samba release.</p>
+
+<p>The Samba developers typically update the Samba source code one or
+more times per day. Whenever you want to catch up to the latest
+changes, simply <em class="emphasis">cd</em> to the
+<em class="filename">samba</em> directory and run the following command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cvs update -d -P</b></tt></pre></blockquote>
+
+<p>Each time you do this, you will need to reconfigure, recompile, and
+reinstall to update your installation as we showed you in <a href="ch02.html">Chapter 2</a>.</p>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/>
+<p><a href="#FNPTR-1">[1]</a> The <tt class="literal">-z</tt> option causes the transfer to be made
+in GNU gzip compressed format and requires the
+<em class="filename">gzip</em> program to be installed on your system to
+work. If you do not have <em class="filename">gzip</em>, omit the
+<tt class="literal">-z</tt> option.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+
+</body></html>
diff --git a/docs/htmldocs/using_samba/appe.html b/docs/htmldocs/using_samba/appe.html
new file mode 100644
index 0000000000..d3263eb3cb
--- /dev/null
+++ b/docs/htmldocs/using_samba/appe.html
@@ -0,0 +1,826 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix E. Configure Options</h1>
+
+
+<p><a name="INDEX-1"/>As we
+explained in <a href="ch02.html">Chapter 2</a>, the
+<em class="emphasis">configure</em> program is run before the Samba source
+code is compiled to fit the compilation process to the local
+architecture. At this stage, it is possible to specify options to
+customize Samba's behavior further and include or
+exclude features. This is an example of specifying configure options:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure --with-smbmount --with-configdir=/etc/samba --with-manpages-langs=ja</b></tt></pre></blockquote>
+
+<p>This example configures the Samba installation to support mounting
+SMB filesystems, look for the Samba configuration file in
+<em class="filename">/etc/samba</em> (instead of the default location of
+<em class="filename">/usr/local/samba/lib</em>), and install
+Japanese-language manual pages. We have picked these three configure
+options because they illustrate the usage of the three types of
+options that are included up to Samba 3.0. The
+<tt class="literal">--with-smbmount</tt> option is a Boolean option, which
+can take a value of <tt class="literal">yes</tt> or <tt class="literal">no</tt>.
+All the Boolean options are set to <tt class="literal">no</tt> by default,
+and it is only necessary to provide the option to turn it on. If you
+want to be more explicit, you can specify
+<tt class="literal">--with-smbmount=yes</tt>. To turn an option off
+explicitly, you can also specify
+<tt class="literal">--without-</tt><em class="replaceable">feature</em>
+rather than
+<tt class="literal">--with-</tt><em class="replaceable">feature</em><tt class="literal">=no</tt>.</p>
+
+<p>In the case of the other two options we have shown, an argument must
+be supplied after the equals (<tt class="literal">=</tt>) sign. Some of the
+options are used to specify the directories that Samba uses for
+various purposes. Only one option is in the last group, where
+something other than a directory is specified as an option argument.</p>
+
+<p>The supported configure options vary from release to release. For
+example, between Samba 2.2.x and Samba 3.0, many options were
+dropped, and a few were added. To get a list of the configure options
+for your release, use the following command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure --help</b></tt></pre></blockquote>
+
+<p><a href="appe.html#samba2-APP-E-TABLE-1">Table E-1</a> lists Samba's configure
+options.</p>
+
+<a name="samba2-APP-E-TABLE-1"/><h4 class="head4">Table E-1. Configuration options</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Configuration option</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">--with-acl-support</tt></p>
+</td>
+<td>
+<p>Support Windows NT/2000/XP ACLs</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-afs</tt></p>
+</td>
+<td>
+<p>Support the Andrew Filesystem (AFS)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-automount</tt></p>
+</td>
+<td>
+<p>Support the NFS automounter</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-codepagedir=</tt><em class="replaceable">dir</em></p>
+</td>
+<td>
+<p>Location of codepage files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-configdir=</tt><em class="replaceable">dir</em></p>
+</td>
+<td>
+<p>Location of configuration files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-dce-dfs</tt></p>
+</td>
+<td>
+<p>Support DCE/DFS</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-fhs</tt></p>
+</td>
+<td>
+<p>Use FHS-compliant locations of files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-included-popt</tt></p>
+</td>
+<td>
+<p>Use Samba's <em class="emphasis">popt(  )</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-krb4=base-</tt><em class="replaceable">dir</em></p>
+</td>
+<td>
+<p>Support Kerberos 4</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-krb5=base-</tt><em class="replaceable">dir</em></p>
+</td>
+<td>
+<p>Support Kerberos 5 (Microsoft ADS)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-ldapsam</tt></p>
+</td>
+<td>
+<p>Support LDAP SAM</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-libiconv=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Specify <em class="filename">iconv</em> library</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-libsmbclient</tt></p>
+</td>
+<td>
+<p>Build <em class="filename">smbclient</em> library</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-lockdir=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of lock files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-logfilebase=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of log files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-manpages-langs=</tt><em class="replaceable">language</em></p>
+</td>
+<td>
+<p>Specify language for manual pages</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-msdfs</tt></p>
+</td>
+<td>
+<p>Support Microsoft Dfs</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-nisplus-home</tt></p>
+</td>
+<td>
+<p>Support NIS+ home directories</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-nisplussam</tt></p>
+</td>
+<td>
+<p>Support NIS+ SAM</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-pam</tt></p>
+</td>
+<td>
+<p>Support PAM restrictions</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-pam_smbpass</tt></p>
+</td>
+<td>
+<p>Build <em class="filename">pam_smbpass.so</em> PAM module</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-piddir=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of PID files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-privatedir=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of <em class="filename">smbpasswd</em> file</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-profiling-data</tt></p>
+</td>
+<td>
+<p>Support gathering of profiling information</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-quotas</tt></p>
+</td>
+<td>
+<p>Support disk quotas</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-readline=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Specify readline library</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-sendfile-support</tt></p>
+</td>
+<td>
+<p>Support <em class="emphasis">sendfile</em>(  ) system call</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-smbmount</tt></p>
+</td>
+<td>
+<p>Support <em class="emphasis">smbmount</em> and smbfs</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-smbwrapper</tt></p>
+</td>
+<td>
+<p>Build <em class="filename">smbwrapper</em> library for
+<em class="emphasis">smbsh</em> support</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-spinlocks</tt></p>
+</td>
+<td>
+<p>Use spinlocks instead of fcntl locks</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-ssl</tt></p>
+</td>
+<td>
+<p>Support SSL</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-sslinc=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of SSL include files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-ssllib=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of SSL libraries</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-swatdir=</tt><em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Location of SWAT files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-syslog</tt></p>
+</td>
+<td>
+<p>Support syslog message logging</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-tdbsam</tt></p>
+</td>
+<td>
+<p>Support TDB database files for SAM</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-utmp</tt></p>
+</td>
+<td>
+<p>Support utmp file accounting</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--with-winbind</tt></p>
+</td>
+<td>
+<p>Build winbind</p>
+</td>
+</tr>
+
+</table>
+
+<dl>
+<dt><b><tt class="literal">--with-acl-support</tt><a name="INDEX-2"/><a name="INDEX-3"/></b></dt>
+<dd>
+<p>Includes support for Windows NT/2000/XP access control lists
+(<a name="INDEX-4"/>ACLs). For this to work, you need
+to have POSIX ACL support in the host operating system. See <a href="ch08.html">Chapter 8</a> for details.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-afs</tt><a name="INDEX-5"/><a name="INDEX-6"/></b></dt>
+<dd>
+<p>Includes support for the <a name="INDEX-7"/>Andrew
+Filesystem (AFS), for authenticating users who are accessing files
+through AFS.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-automount</tt><a name="INDEX-8"/><a name="INDEX-9"/></b></dt>
+<dd>
+<p>Includes support for the automounter, a feature often used in
+conjunction with NFS, to mount <a name="INDEX-10"/><a name="INDEX-11"/>NFS shares automatically at the
+first attempt to access them. You might wish to enable this feature
+if any of the directories shared by your Samba server are (or
+include) NFS-mounted directories.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-codepagedir</tt><a name="INDEX-12"/><a name="INDEX-13"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which to put codepage files for
+<a name="INDEX-14"/>internationalization
+support. See the
+&quot;Internationalization&quot; section
+earlier in this chapter for more information on this feature. By
+default, this directory is
+<em class="filename">/usr/local/samba/lib/codepages</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-configdir</tt><a name="INDEX-15"/><a name="INDEX-16"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps its configuration file,
+usually called <em class="filename">smb.conf</em>. By default, this is
+<em class="filename">/usr/local/samba/lib</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-dce-dfs</tt><a name="INDEX-17"/><a name="INDEX-18"/></b></dt>
+<dd>
+<p>Includes support for the <a name="INDEX-19"/>Distributed Computing Environment
+Distributed Filesystem (DCE/DFS). This is a distributed filesystem
+included in some Unix variants and is not the same as
+Microsoft's Distributed Filesystem (Dfs).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-fhs</tt><a name="INDEX-20"/><a name="INDEX-21"/></b></dt>
+<dd>
+<p>Adheres to the <a name="INDEX-22"/>Filesystem Hierarchy Standard when
+locating files. For details, see <a href="http://www.pathname.com/fhs">http://www.pathname.com/fhs</a>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-included-popt</tt><a name="INDEX-23"/><a name="INDEX-24"/></b></dt>
+<dd>
+<p>Includes Samba's own support for parsing
+<a name="INDEX-25"/>command-line options, instead of using
+the local system's <em class="emphasis">popt( )</em>
+C-library function.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-krb4</tt><a name="INDEX-26"/><a name="INDEX-27"/>=<em class="replaceable">base-dir</em></b></dt>
+<dd>
+<p>Includes support for <a name="INDEX-28"/>Kerberos Version 4.0, specifying the base
+directory of the Kerberos distribution. Kerberos is an authentication
+protocol developed at MIT that uses private-key cryptography to
+provide strong security between nodes. This version is not the same
+as Microsoft's adaptation of Kerberos in Active
+Directory, which is the preferred version for use with Samba. This
+option exists only in versions of Samba earlier than 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-krb5</tt><a name="INDEX-29"/><a name="INDEX-30"/>=<em class="replaceable">base-dir</em></b></dt>
+<dd>
+<p>Includes support for Kerberos Version 5.0, specifying the base
+directory of the Kerberos distribution. This version of Kerberos is
+compatible with the Kerberos authentication in
+Microsoft's Active Directory used in Windows 2000
+and Windows XP.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-ldapsam</tt><a name="INDEX-31"/><a name="INDEX-32"/></b></dt>
+<dd>
+<p>Includes support for using
+<a name="INDEX-33"/>LDAP instead of the
+<em class="filename">smbpasswd</em> file for maintaining
+Samba's equivalent to the Windows NT SAM database.
+This option is necessary to use the parameters
+<tt class="literal">ldap</tt> <tt class="literal">admin</tt>
+<tt class="literal">dn</tt>, <tt class="literal">ldap</tt>
+<tt class="literal">filter</tt>, <tt class="literal">ldap</tt>
+<tt class="literal">port</tt>, <tt class="literal">ldap</tt>
+<tt class="literal">server</tt>, <tt class="literal">ldap</tt>
+<tt class="literal">ssl</tt>, and <tt class="literal">ldap</tt>
+<tt class="literal">suffix</tt> in the Samba configuration file. It is
+necessary to specify <tt class="literal">--with-ldapsam</tt> only in Samba
+versions prior to 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-libiconv</tt><a name="INDEX-34"/><a name="INDEX-35"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies a location for <em class="emphasis">iconv( )</em> support. The
+<a name="INDEX-36"/><em class="emphasis">iconv( )</em> function
+exists in the C library to perform conversion between different
+character sets. This option allows Samba's default
+method of determining the location of the <em class="emphasis">iconv()</em> 
+library to be overridden. Ordinarily, the configuration
+process checks for support in the C library on the system and, if not
+found, uses code included in the Samba source tree. Using
+<tt class="literal">--with-libiconv</tt>, it is possible to specify
+explicitly where the support is located. The include files are
+assumed to be in
+<em class="replaceable">directory</em><em class="filename">/include</em>,
+and library files are assumed to be in
+<em class="replaceable">directory</em><em class="filename">/lib</em>. This
+option is new in Samba 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-libsmbclient</tt><a name="INDEX-37"/><a name="INDEX-38"/></b></dt>
+<dd>
+<p>Allows applications outside the
+<a name="INDEX-39"/>Samba
+suite to access Samba's features. When
+<tt class="literal">--with-libsmbclient</tt> is specified, the library is
+built during the compilation process.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-lockdir</tt><a name="INDEX-40"/><a name="INDEX-41"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps
+<a name="INDEX-42"/>lock
+files. By default this directory is
+<em class="filename">/usr/local/samba/var/locks</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-logfilebase</tt><a name="INDEX-43"/><a name="INDEX-44"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps <a name="INDEX-45"/>log files for the
+<em class="emphasis">smbd</em>, <em class="emphasis">nmbd</em>, and
+<em class="emphasis">winbindd</em> daemons. This defaults to
+<em class="filename">/usr/local/samba/var</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-manpages-langs</tt><a name="INDEX-46"/><a name="INDEX-47"/>=<em class="replaceable">language</em></b></dt>
+<dd>
+<p>Starting with Samba 3.0, <a name="INDEX-48"/><a name="INDEX-49"/>Samba's manual pages
+are available in different languages. The default is
+<tt class="literal">en</tt> for English, and the language can be specified
+as <tt class="literal">ja</tt> for Japanese or <tt class="literal">pl</tt> for
+Polish.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-msdfs</tt><a name="INDEX-50"/><a name="INDEX-51"/></b></dt>
+<dd>
+<p>Includes support for Microsoft Distributed Filesystem
+(<a name="INDEX-52"/>Dfs). See <a href="ch08.html">Chapter 8</a> for
+more information on this feature. Specifying this option is necessary
+only in Samba versions prior to 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-nisplus-home</tt><a name="INDEX-53"/><a name="INDEX-54"/></b></dt>
+<dd>
+<p>Includes support for locating the
+<a name="INDEX-55"/>NIS+ server that is
+serving a particular user's home directory and
+telling the client to connect to it. Use
+<tt class="literal">--with-automount</tt> along with this option.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-nisplussam</tt><a name="INDEX-56"/><a name="INDEX-57"/></b></dt>
+<dd>
+<p>Includes support for integrating
+<a name="INDEX-58"/>NIS+ into Samba's
+equivalent of the Windows NT password database.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-pam</tt><a name="INDEX-59"/><a name="INDEX-60"/></b></dt>
+<dd>
+<p>When this configure option is specified and the parameter
+<tt class="literal">obey</tt> <tt class="literal">pam</tt>
+<tt class="literal">restrictions</tt> in the Samba configuration file is
+set to <tt class="literal">yes</tt>, obeys PAM's
+configuration regarding account and session management. When
+encrypted passwords are in use, Samba uses the
+<em class="filename">smbpasswd</em> file for authentication, bypassing the
+PAM subsystem. Therefore, this option works only when
+<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> is set to
+<tt class="literal">no</tt>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-pam_smbpass</tt><a name="INDEX-61"/><a name="INDEX-62"/></b></dt>
+<dd>
+<p>When this option is specified, the compilation process builds a PAM
+module called <em class="filename">pam_smbpass.so</em> and places it in
+the <em class="filename">source/bin</em> directory. This module allows
+applications outside of the Samba suite to authenticate users with
+Samba's <em class="filename">smbpasswd</em> file. For
+more information, see the <em class="filename">README</em> file in the
+<em class="filename">source/pam_smbpass</em> directory of the Samba
+distribution and the file
+<em class="filename">PAM-Authentication-And-Samba.html</em> in the
+<em class="filename">docs/html</em> directory.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-piddir</tt><a name="INDEX-63"/><a name="INDEX-64"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps files such as
+<a name="INDEX-65"/>browse lists, WINS
+data, and PID files for keeping track of the process IDs of the Samba
+daemons. The default is
+<em class="filename">/usr/local/samba/var/locks</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-privatedir</tt><a name="INDEX-66"/><a name="INDEX-67"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the directory in which Samba keeps the
+<em class="filename">smbpasswd</em>, <em class="filename">secrets.tdb,</em> and
+related files for
+<a name="INDEX-68"/>authentication.
+The default is <em class="filename">/usr/local/samba/private</em>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-profiling-data</tt><a name="INDEX-69"/><a name="INDEX-70"/></b></dt>
+<dd>
+<p>Includes support for analyzing the execution time of
+Samba's internal code. This is normally used only by
+the Samba developers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-quotas</tt><a name="INDEX-71"/><a name="INDEX-72"/></b></dt>
+<dd>
+<p>Includes <a name="INDEX-73"/>disk-quota support. This is classified
+as an experimental option by the Samba developers.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-readline</tt><a name="INDEX-74"/><a name="INDEX-75"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies a location for
+<a name="INDEX-76"/><em class="emphasis">readline( )</em>
+support. The <em class="emphasis">readline( )</em> function exists in the
+C library to accept a line of input from an interactive user and
+provide support for editing and history. Samba uses these functions
+in <em class="emphasis">smbclient</em> and <em class="emphasis">rpcclient</em>.</p>
+
+<p>This option allows Samba's default method of
+determining the location of the <tt class="function">readline( )</tt>
+library to be overridden. Ordinarily, the configuration process
+checks for support in the C library on the system and, if not found,
+uses code included in the Samba source tree. Using
+<tt class="literal">--with-readline</tt>, it is possible to specify the
+directory explicitly in which the library containing
+<em class="emphasis">readline( )</em> is located.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-sendfile-support</tt><a name="INDEX-77"/><a name="INDEX-78"/></b></dt>
+<dd>
+<p>Checks to see if the Samba host operating system supports the
+<a name="INDEX-79"/><em class="emphasis">sendfile( )</em> system
+call, which speeds up file transfers by copying data directly to and
+from kernel buffers, avoiding the overhead of copying to and from
+buffers in user space. If the operating system has the
+<em class="emphasis">sendfile( )</em> system call, support is included in
+Samba for the <tt class="literal">use</tt> <tt class="literal">sendfile</tt>
+configuration file option. This is an experimental option included in
+Samba 2.2.5 and later versions.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-smbmount</tt><a name="INDEX-80"/><a name="INDEX-81"/></b></dt>
+<dd>
+<p>Must be specified if you want to mount SMB shares in your Unix
+filesystem using the <em class="filename"/><a name="INDEX-82"/>smbfs</em> filesystem and the
+<em class="emphasis">smbmount</em><a name="INDEX-83"/> command, as discussed in <a href="ch05.html">Chapter 5</a>. Currently, this works only with Linux.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-smbwrapper</tt><a name="INDEX-84"/><a name="INDEX-85"/></b></dt>
+<dd>
+<p>To use <a name="INDEX-86"/>smbsh to access SMB shares from Unix (as
+discussed in <a href="ch05.html">Chapter 5</a>), use this option to
+include the
+<em class="filename">smbwrapper</em><a name="INDEX-87"/> library.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-spinlocks</tt><a name="INDEX-88"/><a name="INDEX-89"/></b></dt>
+<dd>
+<p>Uses <a name="INDEX-90"/><a name="INDEX-91"/>spin locks instead of the normal method of
+file locking that uses the <em class="emphasis">fcntl( )</em> C-library
+function. Using this option results in a Samba installation that
+consumes much more CPU time on the host system. Use it only when
+absolutely necessary.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-ssl</tt><a name="INDEX-92"/><a name="INDEX-93"/></b></dt>
+<dd>
+<p>Includes support for running Samba with
+<a name="INDEX-94"/>SSL encryption. This little-used
+feature was dropped for Samba 3.0. It still works with Samba 2.2.x
+and before, but a better method is to use a <a name="INDEX-95"/>virtual private
+network (VPN).</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-sslinc</tt><a name="INDEX-96"/><a name="INDEX-97"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the location of the SSL include files.
+<em class="filename">/usr/local/ssl/include</em> is the default location.
+This option exists in versions prior to Samba 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-ssllib</tt><a name="INDEX-98"/><a name="INDEX-99"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies the location of the SSL libraries. The default location is
+<em class="filename">/usr/local/ssl/lib</em>. This option exists in
+versions prior to Samba 3.0.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-swatdir</tt><a name="INDEX-100"/><a name="INDEX-101"/>=<em class="replaceable">directory</em></b></dt>
+<dd>
+<p>Specifies where to install the files for
+<a name="INDEX-102"/>SWAT.
+<em class="filename">/usr/local/samba/swat</em> is the default location.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-syslog</tt><a name="INDEX-103"/><a name="INDEX-104"/></b></dt>
+<dd>
+<p>Includes support for
+<a name="INDEX-105"/>syslog error
+logging. This option must be specified for the Samba configuration
+file parameters <tt class="literal">syslog</tt> and
+<tt class="literal">syslog</tt> <tt class="literal">only</tt> to work. This
+option is widely supported, but might not work correctly on all Samba
+host systems.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-tdbsam</tt><a name="INDEX-106"/><a name="INDEX-107"/></b></dt>
+<dd>
+<p>Includes support for keeping Samba's equivalent of
+the Windows NT SAM in a <em class="filename">.tdb</em> database file
+rather than in the <em class="filename">smbpasswd</em> file. This is an
+experimental feature.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-utmp</tt><a name="INDEX-108"/><a name="INDEX-109"/></b></dt>
+<dd>
+<p>Includes support for <a name="INDEX-110"/>user accounting in the
+system's
+<em class="filename">utmp</em><a name="INDEX-111"/> file. It is necessary for the
+<tt class="literal">utmp</tt> and <tt class="literal">utmp</tt>
+<tt class="literal">directory</tt> Samba configuration file options to
+work. This option is widely supported, but might not work correctly
+on all Samba host systems.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-winbind</tt><a name="INDEX-112"/><a name="INDEX-113"/></b></dt>
+<dd>
+<p>Includes <a name="INDEX-114"/>winbind support in Samba.
+Instead of defaulting to <tt class="literal">no</tt>, as with other boolean
+options, <tt class="literal">--with-winbind</tt> is
+automatically set to <tt class="literal">yes</tt> on systems that support
+winbind functionality. The only time you would need to specify this
+option is to turn it off, like this:</p>
+
+
+<blockquote><pre class="code"># <tt class="userinput"><b>configure --without-winbind</b></tt></pre></blockquote>
+
+<p>This excludes winbind functionality from Samba even when the local
+operating system can support it. For more information on winbind, see
+<a href="ch09.html">Chapter 9</a>. <a name="INDEX-115"/></p>
+</dd>
+
+</dl>
+
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/appf.html b/docs/htmldocs/using_samba/appf.html
new file mode 100644
index 0000000000..c3eb7d4d81
--- /dev/null
+++ b/docs/htmldocs/using_samba/appf.html
@@ -0,0 +1,780 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix F. Running Samba on Mac OS X Server</h1>
+
+
+
+<p><a name="INDEX-1"/>Mac OS X Server is an Apple
+operating-system product based on Mac OS X, with the addition of
+administrative tools and server software. One area in which it
+differs from Mac OS X is in the configuration of Samba-based
+services. In this appendix, we'll tell you how to
+set up SMB file and printer shares, enable client user access, and
+monitor activity. Our specific focus is on Mac OS X Server 10.2.</p>
+
+
+
+<div class="sect1"><a name="samba2-APP-F-SECT-1"/>
+
+<h2 class="head1">Setup Procedures</h2>
+
+<p>The first thing to note is that the procedure described in <a href="ch02.html">Chapter 2</a> using System Preferences to enable Samba does
+not apply to Mac OS X Server. Unlike Mac OS X, the Sharing pane of
+System Preferences does not include an option to turn on Windows File
+Sharing. Instead, there is a set of applications to configure,
+activate, and monitor services: Workgroup Manager, Server Settings,
+Server Status, and Open Directory Assistant, all located in the
+directory <em class="filename">/Applications/Utilities</em>.</p>
+
+<a name="samba2-APP-F-NOTE-163"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>In addition to being installed with Mac OS X Server, these and other
+administrative applications are included on a separate installation
+CD-ROM sold with the operating system. They can be used to manage Mac
+OS X Server systems remotely from any Mac OS X machine.</p>
+
+<p>For more information, refer to the <em class="citetitle">Mac OS X Server
+Administrator's
+Guide</em><a name="INDEX-2"/>, included as a PDF
+file in the <em class="filename">/Library/Documentation/MacOSXServer</em>
+directory, and also downloadable from Apple
+Computer's web site at <a href="http://www.apple.com/server/">http://www.apple.com/server/</a>.</p>
+</blockquote>
+
+<p>Briefly, the procedure for setting up SMB file and printer shares is
+as follows:</p>
+
+<ol><li>
+<p>Designate share points in Workgroup Manager for file sharing.</p>
+</li><li>
+<p>Set up print queues in Server Settings for printer sharing, and
+activate Printer Service.</p>
+</li><li>
+<p>Configure and activate Windows Services in Server Settings.</p>
+</li><li>
+<p>Activate Password Server and enable SMB authentication in Open
+Directory Assistant.</p>
+</li><li>
+<p>Enable Password Server authentication for user accounts in Workgroup
+Manager.</p>
+</li><li>
+<p>Monitor file and print services with Server Status.</p>
+</li></ol>
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.1"/>
+
+<h3 class="head2">Sharing Files</h3>
+
+<p><a name="INDEX-3"/><a name="INDEX-4"/>The
+first step to enable SMB file sharing is to designate one or more
+<em class="firstterm">share points</em>. Share points are folders that
+form the root of shared volumes for any of the protocols supported by
+Mac OS X Server: Apple Filesharing Protocol (AFP), Network Filesystem
+(NFS), File Transfer Protocol (FTP), and SMB.</p>
+
+<p>To designate a share point, launch Workgroup Manager. You will be
+prompted for the local or remote server's hostname
+or IP address, as well as for a username and password; this process
+is required by all the Mac OS X Server administrative applications.
+Once Workgroup Manager is open, click the Sharing button in the
+toolbar. The list on the left, under the Share Points tab, displays
+currently defined share points. To add a new one, click the All tab,
+and navigate to the folder you want to share.</p>
+
+<p>On the right, under the General tab, check the box labeled Share this
+item and its contents, change the ownership and permissions if
+desired, then click the Save button. Next, under the Protocols tab,
+select Windows File Settings from the pop-up menu, and ensure that
+the box labeled Share this item using SMB is checked. At this point,
+you can also decide whether to allow guest access to the share,
+change the name of the share displayed to SMB clients, or set
+permissions for files and folders created by SMB clients. Click the
+Save button when you're finished making changes. See
+<a href="appf.html#samba2-APP-F-FIG-1">Figure F-1</a>.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-1"/><img src="figs/sam2_af01.gif"/></div><h4 class="head4">Figure F-1. Workgroup Manager: Share Points and Windows File Settings</h4>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.2"/>
+
+<h3 class="head2">Sharing Printers</h3>
+
+<p><a name="INDEX-5"/><a name="INDEX-6"/>Printer shares are set up
+differently. First, launch Server Settings; under the File &amp;
+Print tab, select Print, then Configure Print Service.... Check the
+box labeled Automatically share new queues for Windows printing.
+Next, click the Print icon again and then Show Print Monitor. Make
+sure the printers you want to share are listed. Printers directly
+attached to the server should have queues created automatically, but
+remote printers you wish to reshare must be added by clicking New
+Queue and discovering or specifying the printers. When
+you're finished, click Save, select the Print icon
+one more time, and select Start Print Service. See <a href="appf.html#samba2-APP-F-FIG-2">Figure F-2</a>.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-2"/><img src="figs/sam2_af02.gif"/></div><h4 class="head4">Figure F-2. Server Settings: Print Service</h4>
+
+<a name="samba2-APP-F-NOTE-164"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Server Settings will make local printers available for sharing only
+if they're PostScript compatible. Unfortunately,
+many printers, including consumer-grade USB inkjet printers,
+aren't. If you want to make one of these printers
+available to SMB clients, you can still add the share to
+<em class="filename">/etc/smb.conf</em> yourself with a text editor. See
+&quot;Rolling Your Own&quot; later in this
+chapter for instructions and caveats related to making manual changes
+to <em class="filename">smb.conf</em>.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.3"/>
+
+<h3 class="head2">Configuring and Activating Services</h3>
+
+<p><a name="INDEX-7"/>At this point, neither
+the file shares nor the printer shares are available to SMB clients.
+To activate them, click the Windows icon in Server Settings, and
+click Configure Windows Services.... Under the General tab, you can
+set the server's NetBIOS hostname, the workgroup or
+Windows NT domain in which the server resides, and the description
+that gets displayed in a browse list. You can also specify the code
+page for an alternate character set. Finally, you can enable
+boot-time startup of Samba. See <a href="appf.html#samba2-APP-F-FIG-3">Figure F-3</a>.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-3"/><img src="figs/sam2_af03.gif"/></div><h4 class="head4">Figure F-3. Server Settings: Windows Services</h4>
+
+<p>The Windows Services Access tab offers options to enable guest access
+and limit the number of simultaneous client connections; under the
+Logging tab, you can specify the verbosity of your logging. With
+options under the Neighborhood tab, you can configure your machine as
+a WINS client or server or have it provide browser services locally
+or across subnets.</p>
+
+<a name="samba2-APP-F-SIDEBAR-1"/><blockquote><table border="1" cellpadding="6"><tr><td>
+<h4 class="head4">Password Server</h4>
+
+<p><a name="INDEX-8"/><a name="INDEX-9"/>Password Server is a feature
+introduced with Mac OS X Server 10.2. In prior versions of Mac OS X
+Server, Windows authentication was handled with Authentication
+Manager, which stored a user's Windows password in
+the <tt class="literal">tim_password</tt> property of the
+user's NetInfo record. This can still be done in
+Version 10.2, although it's strongly discouraged
+because the encrypted password is visible to other users with access
+to the NetInfo domain and can potentially be decrypted.</p>
+
+<p>If you need to use Authentication Manager, use the following
+procedure to enable it:</p>
+
+<ol><li>
+<p>On every machine hosting a domain that will bind into the NetInfo
+hierarchy, execute the command <tt class="literal">tim -init -auto</tt>
+<em class="replaceable">tag</em> for each domain, where
+<em class="replaceable">tag</em> is the name of the
+domain's database.</p>
+</li>
+<li>
+<p>When prompted, provide a password to be used as the encryption key
+for the domain. This key is used to decrypt the Windows passwords and
+is stored in an encrypted file readable only by root,
+<em class="filename">/var/db/netinfo/.tag.tim</em>.</p>
+</li>
+<li>
+<p>Set <tt class="literal">AUTHSERVER=-YES-</tt> in
+<em class="filename">/etc/hostconfig</em>.</p>
+</li>
+<li>
+<p>Start Authentication Manager by invoking <em class="emphasis">tim</em>.
+This is also executed during the boot sequence by the AuthServer
+startup item.</p>
+</li>
+<li>
+<p>Reset the password of each user requiring SMB client access. In Mac
+OS X Server 10.2 or later, make sure the user is set up for Basic
+authentication, not Password Server authentication.</p>
+</li></ol></td></tr></table></blockquote>
+
+<p>When you've finished configuring Windows Services,
+click the Save button, then click the Windows icon in Server
+Settings, and select Start Windows Services. This starts the Samba
+daemons, enabling access from SMB clients.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.4"/>
+
+<h3 class="head2">Activating Password Server</h3>
+
+<p><a name="INDEX-10"/><a name="INDEX-11"/>Now that
+you've set up file and printer shares, you need to
+make sure users can properly authenticate to access them. In Mac OS X
+Server, this is accomplished with the <a name="INDEX-12"/>Open Directory
+Password Server, a service based on the <a name="INDEX-13"/>Simple Authentication and Security
+Layer (SASL) standard and usable with many different authentication
+protocols, including the LAN Manager and Windows NT LAN Manager
+(NTLM) protocols. This section describes how to support SMB client
+authentication, but for more information on what Password Server does
+and how it works, see the Mac OS X Server
+Administrator's Guide.</p>
+
+<p>To enable Password Server or merely check its settings, start the
+Open Directory Assistant. Unless you wish to change any of the
+settings, just click the right arrow button in the lower-right corner
+of the window until you get to the first Security step. At this
+point, activate Password Server by selecting the option marked
+Password and authentication information will be provided to other
+systems. The next step displays the main administrative account, and
+the one after that gives you a choice of authentication protocols to
+enable (see <a href="appf.html#samba2-APP-F-FIG-4">Figure F-4</a>). Make sure that SMB-NT is
+checked, and check SMB-Lan Manager if you have Windows 95/98/Me or
+older clients. The final step saves the Password Server configuration
+and prompts you to reboot.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-4"/><img src="figs/sam2_af04.gif"/></div><h4 class="head4">Figure F-4. Password Server authentication protocols</h4>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.5"/>
+
+<h3 class="head2">Enabling Password Server</h3>
+
+<p><a name="INDEX-14"/><a name="INDEX-15"/>To enable the
+use of Password Server for a user account, launch Workgroup Manager,
+and click the Accounts button in the toolbar. Under the Users tab on
+the far left (with the silhouette of a single person), select the
+account, and under the Advanced tab on the right, select Password
+Server for the User Password Type (see <a href="appf.html#samba2-APP-F-FIG-5">Figure F-5</a>).
+You are prompted to enter a new user password to be stored in the
+Password Server database. After saving the account configuration, the
+user can authenticate and access shares from an SMB client.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-5"/><img src="figs/sam2_af05.gif"/></div><h4 class="head4">Figure F-5. Workgroup Manager: Enabling Password Server authentication</h4>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-F-SECT-1.6"/>
+
+<h3 class="head2">Monitoring Services</h3>
+
+<p><a name="INDEX-16"/>Once you've got
+everything working, you'll want to keep an eye on
+things. The Server Status application gives you views into the
+various services provided by Mac OS X Server. For Windows Services,
+you can see the current state of the service, browse the logs
+(located in the directory
+<em class="filename">/Library/Logs/WindowsServices</em>), display and
+terminate individual connections, and view a graph of connections
+over time (see <a href="appf.html#samba2-APP-F-FIG-6">Figure F-6</a>). Similar information is
+provided for Print Service.</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-6"/><img src="figs/sam2_af06.gif"/></div><h4 class="head4">Figure F-6. Server Status: Windows Services</h4>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-APP-F-SECT-2"/>
+
+<h2 class="head1">Configuration Details</h2>
+
+<p><a name="INDEX-17"/>Underneath the GUI, a lot of activity
+takes place to offer Windows Services. In the non-Server version of
+Mac OS X, selecting Windows File Sharing sets the
+<tt class="literal">SMBSERVER</tt> parameter in
+<em class="filename">/etc/hostconfig</em> and triggers the Samba startup
+item. In Mac OS X Server, under normal circumstances the Samba
+startup item and the <tt class="literal">SMBSERVER</tt> parameter are never
+used.</p>
+
+<p>Instead, a process named <em class="emphasis">sambadmind</em> generates
+<em class="filename">/etc/smb.conf</em> from the configuration specified
+in Server Settings and Workgroup Manager and handles starting and
+restarting the Samba daemons as necessary. The
+<em class="emphasis">sambadmind</em> process is in turn monitored by
+<em class="emphasis">watchdog</em>, which keeps an eye on certain
+processes and restarts those which fail. The
+<em class="emphasis">watchdog</em> utility is configured in
+<em class="filename">/etc/watchdog.conf</em>, a file similar to a System V
+<em class="filename">inittab</em>, which specifies how the services under
+<em class="emphasis">watchdog</em>'s purview are to be
+treated. For example, the line for <em class="emphasis">sambadmind</em>
+looks like this:</p>
+
+<blockquote><pre class="code">sambadmin:respawn:/usr/sbin/sambadmind -d     # SMB Admin daemon</pre></blockquote>
+
+<p>Using a <em class="emphasis">watchdog</em>-monitored process such as
+<em class="emphasis">sambadmind</em> to start the Samba daemons, instead
+of a one-time execution of a startup item, results in more reliable
+service. In Mac OS X Server, if a Samba daemon dies unexpectedly, it
+is quickly restarted. (Examples of other services monitored by
+<em class="emphasis">watchdog</em> are Password Server, Print Service, and
+the Server Settings daemon that allows remote management.)</p>
+
+<p>There's another wrinkle in Mac OS X Server: the
+Samba configuration settings are not written directly to
+<em class="filename">/etc/smb.conf</em>, as they are in the non-Server
+version of Mac OS X. Instead, they're stored in the
+server's local Open Directory domain,<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> from which <em class="emphasis">sambadmind</em> retrieves them
+and regenerates <em class="filename">smb.conf</em>. For example, the Samba
+global parameters are stored in
+<em class="filename">/config/SMBServer</em> (see <a href="appf.html#samba2-APP-F-FIG-7">Figure F-7</a>). Share point information is also kept in Open
+Directory, under <em class="filename">/config/SharePoints</em>, while CUPS
+takes responsibility for printer configuration in
+<em class="filename">/etc/cups/printers.conf</em> (also creating stub
+entries used by Samba in <em class="filename">/etc/printcap</em>).</p>
+
+<div class="figure"><a name="samba2-APP-F-FIG-7"/><img src="figs/sam2_af07.gif"/></div><h4 class="head4">Figure F-7. NetInfo Manager: SMBServer properties</h4>
+
+<p><a href="appf.html#samba2-APP-F-TABLE-1">Table F-1</a> summarizes the association of Windows
+Services settings in the Server Settings application, properties
+stored in Open Directory, and parameters in
+<em class="filename">/etc/smb.conf</em>.</p>
+
+<a name="samba2-APP-F-TABLE-1"/><h4 class="head4">Table F-1. Samba configuration settings in Mac OS X Server</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Server Settings graphical element in Windows Services</p>
+</th>
+<th>
+<p>Open Directory property in <em class="filename">/config/SMBServer</em></p>
+</th>
+<th>
+<p>Samba global parameter in<em class="filename">/etc/smb.conf</em></p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>General &rarr; Server Name</p>
+</td>
+<td>
+<p><tt class="literal">netbios_name</tt></p>
+</td>
+<td>
+<p><tt class="literal">netbios name</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>General &rarr; Workgroup</p>
+</td>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>General &rarr; Description</p>
+</td>
+<td>
+<p><tt class="literal">description</tt></p>
+</td>
+<td>
+<p><tt class="literal">server string</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>General &rarr; Code Page</p>
+</td>
+<td>
+<p><tt class="literal">code_page</tt></p>
+</td>
+<td>
+<p><tt class="literal">client code page</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>General &rarr; Start Windows Services on system startup</p>
+</td>
+<td>
+<p><tt class="literal">auto_start</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Access &rarr; Allow Guest Access</p>
+</td>
+<td>
+<p><tt class="literal">guest_access</tt>, <tt class="literal">map_to_guest</tt></p>
+</td>
+<td>
+<p><tt class="literal">map to guest</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">guest_account</tt></p>
+</td>
+<td>
+<p><tt class="literal">guest account</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Access &rarr; Maximum client connections</p>
+</td>
+<td>
+<p><tt class="literal">max_connections</tt></p>
+</td>
+<td>
+<p><tt class="literal">max smbd processes</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Logging &rarr; Detail Level</p>
+</td>
+<td>
+<p><tt class="literal">logging</tt></p>
+</td>
+<td>
+<p><tt class="literal">log level</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; WINS Registration &rarr;
+Off</p>
+</td>
+<td>
+<p><tt class="literal">WINS_enabled</tt>, <tt class="literal">WINS_register</tt></p>
+</td>
+<td>
+<p><tt class="literal">wins support</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; WINS Registration &rarr;
+Enable WINS server</p>
+</td>
+<td>
+<p><tt class="literal">WINS_enabled</tt></p>
+</td>
+<td>
+<p><tt class="literal">wins support</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; WINS Registration &rarr;
+Register with WINS server</p>
+</td>
+<td>
+<p><tt class="literal">WINS_register</tt>, <tt class="literal">WINS_address</tt></p>
+</td>
+<td>
+<p><tt class="literal">wins server</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; Workgroup/Domain Services
+&rarr; Master Browser</p>
+</td>
+<td>
+<p><tt class="literal">Local_Master</tt></p>
+</td>
+<td>
+<p><tt class="literal">local master</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Neighborhood &rarr; Workgroup/Domain Services
+&rarr; Domain Master Browser</p>
+</td>
+<td>
+<p><tt class="literal">Domain_Master</tt></p>
+</td>
+<td>
+<p><tt class="literal">domain master</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Print &rarr; Start Print Service</p>
+</td>
+<td>
+<p><tt class="literal">printing</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">lprm_command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lprm command</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">lppause_command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lppause command</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">lpresume_command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpresume command</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">printer_admin</tt></p>
+</td>
+<td>
+<p><tt class="literal">printer admin</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">encryption</tt></p>
+</td>
+<td>
+<p><tt class="literal">encrypt passwords</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">coding_system</tt></p>
+</td>
+<td>
+<p><tt class="literal">coding system</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">log_dir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">smb_log</tt></p>
+</td>
+<td>
+<p><tt class="literal">log file</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">nmb_log</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_sbindir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_bindir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_libdir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_lockdir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">samba_vardir</tt></p>
+</td>
+<td>
+<p>N/A</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>N/A</p>
+</td>
+<td>
+<p><tt class="literal">stop_time</tt></p>
+</td>
+<td>
+<p>N/A <a name="INDEX-19"/></p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-APP-F-SECT-3"/>
+
+<h2 class="head1">Rolling Your Own</h2>
+
+<p><a name="INDEX-20"/>When making manual changes to the Samba
+configuration file, take care to block changes initiated from
+graphical applications by invoking this command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chflags uchg /etc/smb.conf</b></tt></pre></blockquote>
+
+<p>From that point on, the GUI will be useful only for starting,
+stopping, and monitoring the service&mdash;not for configuring it.</p>
+
+<p>If you install your own version of Samba, you can still manage it
+from Server Settings by changing some of the Open Directory
+properties in <em class="filename">/config/SMBServer</em>.</p>
+
+<p>To do this, open NetInfo Manager and modify the
+<tt class="literal">samba_sbindir</tt> and <tt class="literal">samba_bindir</tt>
+properties to match the location of your Samba installation.
+Optionally, you can modify <tt class="literal">samba_libdir</tt>,
+<tt class="literal">samba_vardir</tt>, and
+<tt class="literal">samba_lockdir</tt>. Assuming a default Samba
+installation, you can also change these at the command line with the
+following commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>nicl . -create /config/SMBServer samba_sbindir /usr/local/samba/bin</b></tt>
+# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_bindir /usr/local/samba/bin</b></tt>
+# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_libdir /usr/local/samba/lib</b></tt>
+# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_vardir /usr/local/samba/var</b></tt>
+# <tt class="userinput"><b>nicl . -create /config/SMBServer samba_lockdir /usr/local/samba/var/locks</b></tt></pre></blockquote>
+
+<p>You can check your settings with this command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>nicl . -read /config/SMBServer</b></tt></pre></blockquote>
+
+<p>In Server Settings, select Stop Windows Services, then run this
+command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>killall sambadmind</b></tt></pre></blockquote>
+
+<p>The <em class="emphasis">watchdog</em> utility restarts
+<em class="emphasis">sambadmind</em> within seconds. Finally, go back to
+Server Settings, and select Start Windows Services.</p>
+
+<p>If you don't modify Open Directory properties to
+match your active Samba installation (because you wish to manage your
+configuration another way), be sure never to activate Windows
+Services from the Server Settings application, or
+you'll wind up with two sets of Samba daemons
+running concurrently. <a name="INDEX-21"/></p>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/>
+<p><a href="#FNPTR-1">[1]</a> In versions of Mac OS X prior to 10.2, Open Directory domains
+were called NetInfo domains. NetInfo Manager (located in
+<em class="filename">/Applications/Utilities</em>) provides a graphical
+interface to view and modify the contents of Open Directory
+databases. For more information, see the <em class="citetitle">Mac OS X Server
+Administrator's Guide</em>, as well as
+<em class="citetitle">Understanding and Using NetInfo</em>, downloadable
+from the Mac OS X Server resources web page at <a href="http://www.apple.com/server/resources.html">http://www.apple.com/server/resources.html</a>.</p>
+</blockquote>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/appg.html b/docs/htmldocs/using_samba/appg.html
new file mode 100644
index 0000000000..779f68034f
--- /dev/null
+++ b/docs/htmldocs/using_samba/appg.html
@@ -0,0 +1,500 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Appendix G. GNU Free Documentation License</h1>
+
+
+<div class="sect1"><a name="samba2-APP-G-SECT-1"/>
+
+<a name="INDEX-1"/><h2 class="head1">GNU Free Documentation License</h2>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.1"/>
+
+<h3 class="head2">Version 1.2, November 2002</h3>
+
+<p>Copyright &copy; 2000, 2001, 2002 Free Software Foundation, Inc.</p>
+
+<p>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA</p>
+
+<p>Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.2"/>
+
+<h3 class="head2">0. PREAMBLE</h3>
+
+<p>The purpose of this License is to make a manual, textbook, or other
+functional and useful document
+&quot;free&quot; in the sense of freedom: to
+assure everyone the effective freedom to copy and redistribute it,
+with or without modifying it, either commercially or noncommercially.
+Secondarily, this License preserves for the author and publisher a
+way to get credit for their work, while not being considered
+responsible for modifications made by others.</p>
+
+<p>This License is a kind of
+&quot;copyleft&quot;, which means that
+derivative works of the document must themselves be free in the same
+sense. It complements the GNU General Public License, which is a
+copyleft license designed for free software.</p>
+
+<p>We have designed this License in order to use it for manuals for free
+software, because free software needs free documentation: a free
+program should come with manuals providing the same freedoms that the
+software does. But this License is not limited to software manuals;
+it can be used for any textual work, regardless of subject matter or
+whether it is published as a printed book. We recommend this License
+principally for works whose purpose is instruction or reference.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.3"/>
+
+<h3 class="head2">1. APPLICABILITY AND DEFINITIONS</h3>
+
+<p>This License applies to any manual or other work, in any medium, that
+contains a notice placed by the copyright holder saying it can be
+distributed under the terms of this License. Such a notice grants a
+world-wide, royalty-free license, unlimited in duration, to use that
+work under the conditions stated herein. The
+&quot;Document&quot;, below, refers to any
+such manual or work. Any member of the public is a licensee, and is
+addressed as &quot;you&quot;. You accept the
+license if you copy, modify or distribute the work in a way requiring
+permission under copyright law.</p>
+
+<p>A &quot;Modified Version&quot; of the
+Document means any work containing the Document or a portion of it,
+either copied verbatim, or with modifications and/or translated into
+another language.</p>
+
+<p>A &quot;Secondary Section&quot; is a named
+appendix or a front-matter section of the Document that deals
+exclusively with the relationship of the publishers or authors of the
+Document to the Document's overall subject (or to
+related matters) and contains nothing that could fall directly within
+that overall subject. (Thus, if the Document is in part a textbook of
+mathematics, a Secondary Section may not explain any mathematics.)
+The relationship could be a matter of historical connection with the
+subject or with related matters, or of legal, commercial,
+philosophical, ethical or political position regarding them.</p>
+
+<p>The &quot;Invariant Sections&quot; are
+certain Secondary Sections whose titles are designated, as being
+those of Invariant Sections, in the notice that says that the
+Document is released under this License. If a section does not fit
+the above definition of Secondary then it is not allowed to be
+designated as Invariant. The Document may contain zero Invariant
+Sections. If the Document does not identify any Invariant Sections
+then there are none.</p>
+
+<p>The &quot;Cover Texts&quot; are certain short
+passages of text that are listed, as Front-Cover Texts or Back-Cover
+Texts, in the notice that says that the Document is released under
+this License. A Front-Cover Text may be at most 5 words, and a
+Back-Cover Text may be at most 25 words.</p>
+
+<p>A &quot;Transparent&quot; copy of the
+Document means a machine-readable copy, represented in a format whose
+specification is available to the general public, that is suitable
+for revising the document straightforwardly with generic text editors
+or (for images composed of pixels) generic paint programs or (for
+drawings) some widely available drawing editor, and that is suitable
+for input to text formatters or for automatic translation to a
+variety of formats suitable for input to text formatters. A copy made
+in an otherwise Transparent file format whose markup, or absence of
+markup, has been arranged to thwart or discourage subsequent
+modification by readers is not Transparent. An image format is not
+Transparent if used for any substantial amount of text. A copy that
+is not &quot;Transparent&quot; is called
+&quot;Opaque&quot;.</p>
+
+<p>Examples of suitable formats for Transparent copies include plain
+ASCII without markup, T<sup class="superscript">E</sup>Xinfo input
+format, L<sup class="superscript">A</sup>T<sup class="superscript">E</sup>X
+input format, SGML or XML using a publicly available DTD, and
+standard-conforming simple HTML, PostScript or PDF designed for human
+modification. Examples of transparent image formats include PNG, XCF
+and JPG. Opaque formats include proprietary formats that can be read
+and edited only by proprietary word processors, SGML or XML for which
+the DTD and/or processing tools are not generally available, and the
+machine-generated HTML, PostScript or PDF produced by some word
+processors for output purposes only.</p>
+
+<p>The &quot;Title Page&quot; means, for a
+printed book, the title page itself, plus such following pages as are
+needed to hold, legibly, the material this License requires to appear
+in the title page. For works in formats which do not have any title
+page as such, &quot;Title Page&quot; means
+the text near the most prominent appearance of the
+work's title, preceding the beginning of the body of
+the text.</p>
+
+<p>A section &quot;Entitled XYZ&quot; means a
+named subunit of the Document whose title either is precisely XYZ or
+contains XYZ in parentheses following text that translates XYZ in
+another language. (Here XYZ stands for a specific section name
+mentioned below, such as
+&quot;Acknowledgments&quot;,
+&quot;Dedications&quot;,
+&quot;Endorsements&quot;, or
+&quot;History&quot;.) To
+&quot;Preserve the Title&quot; of such a
+section when you modify the Document means that it remains a section
+&quot;Entitled XYZ&quot; according to this
+definition.</p>
+
+<p>The Document may include Warranty Disclaimers next to the notice
+which states that this License applies to the Document. These
+Warranty Disclaimers are considered to be included by reference in
+this License, but only as regards disclaiming warranties: any other
+implication that these Warranty Disclaimers may have is void and has
+no effect on the meaning of this License.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.4"/>
+
+<h3 class="head2">2. VERBATIM COPYING</h3>
+
+<p>You may copy and distribute the Document in any medium, either
+commercially or noncommercially, provided that this License, the
+copyright notices, and the license notice saying this License applies
+to the Document are reproduced in all copies, and that you add no
+other conditions whatsoever to those of this License. You may not use
+technical measures to obstruct or control the reading or further
+copying of the copies you make or distribute. However, you may accept
+compensation in exchange for copies. If you distribute a large enough
+number of copies you must also follow the conditions in section 3.</p>
+
+<p>You may also lend copies, under the same conditions stated above, and
+you may publicly display copies.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.5"/>
+
+<h3 class="head2">3. COPYING IN QUANTITY</h3>
+
+<p>If you publish printed copies (or copies in media that commonly have
+printed covers) of the Document, numbering more than 100, and the
+Document's license notice requires Cover Texts, you
+must enclose the copies in covers that carry, clearly and legibly,
+all these Cover Texts: Front-Cover Texts on the front cover, and
+Back-Cover Texts on the back cover. Both covers must also clearly and
+legibly identify you as the publisher of these copies. The front
+cover must present the full title with all words of the title equally
+prominent and visible. You may add other material on the covers in
+addition. Copying with changes limited to the covers, as long as they
+preserve the title of the Document and satisfy these conditions, can
+be treated as verbatim copying in other respects.</p>
+
+<p>If the required texts for either cover are too voluminous to fit
+legibly, you should put the first ones listed (as many as fit
+reasonably) on the actual cover, and continue the rest onto adjacent
+pages.</p>
+
+<p>If you publish or distribute Opaque copies of the Document numbering
+more than 100, you must either include a machine-readable Transparent
+copy along with each Opaque copy, or state in or with each Opaque
+copy a computer-network location from which the general network-using
+public has access to download using public-standard network protocols
+a complete Transparent copy of the Document, free of added material.
+If you use the latter option, you must take reasonably prudent steps,
+when you begin distribution of Opaque copies in quantity, to ensure
+that this Transparent copy will remain thus accessible at the stated
+location until at least one year after the last time you distribute
+an Opaque copy (directly or through your agents or retailers) of that
+edition to the public.</p>
+
+<p>It is requested, but not required, that you contact the authors of
+the Document well before redistributing any large number of copies,
+to give them a chance to provide you with an updated version of the
+Document.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.6"/>
+
+<h3 class="head2">4. MODIFICATIONS</h3>
+
+<p>You may copy and distribute a Modified Version of the Document under
+the conditions of sections 2 and 3 above, provided that you release
+the Modified Version under precisely this License, with the Modified
+Version filling the role of the Document, thus licensing distribution
+and modification of the Modified Version to whoever possesses a copy
+of it. In addition, you must do these things in the Modified Version:</p>
+
+<ol><li>
+<p>Use in the Title Page (and on the covers, if any) a title distinct
+from that of the Document, and from those of previous versions (which
+should, if there were any, be listed in the History section of the
+Document). You may use the same title as a previous version if the
+original publisher of that version gives permission.</p>
+</li><li>
+<p>List on the Title Page, as authors, one or more persons or entities
+responsible for authorship of the modifications in the Modified
+Version, together with at least five of the principal authors of the
+Document (all of its principal authors, if it has fewer than five),
+unless they release you from this requirement.</p>
+</li><li>
+<p>State on the Title page the name of the publisher of the Modified
+Version, as the publisher.</p>
+</li><li>
+<p>Preserve all the copyright notices of the Document.</p>
+</li><li>
+<p>Add an appropriate copyright notice for your modifications adjacent
+to the other copyright notices.</p>
+</li><li>
+<p>Include, immediately after the copyright notices, a license notice
+giving the public permission to use the Modified Version under the
+terms of this License, in the form shown in the Addendum below.</p>
+</li><li>
+<p>Preserve in that license notice the full lists of Invariant Sections
+and required Cover Texts given in the Document's
+license notice.</p>
+</li><li>
+<p>Include an unaltered copy of this License.</p>
+</li><li>
+<p>Preserve the section Entitled
+&quot;History&quot;, Preserve its Title, and
+add to it an item stating at least the title, year, new authors, and
+publisher of the Modified Version as given on the Title Page. If
+there is no section Entitled
+&quot;History&quot; in the Document, create
+one stating the title, year, authors, and publisher of the Document
+as given on its Title Page, then add an item describing the Modified
+Version as stated in the previous sentence.</p>
+</li><li>
+<p>Preserve the network location, if any, given in the Document for
+public access to a Transparent copy of the Document, and likewise the
+network locations given in the Document for previous versions it was
+based on. These may be placed in the
+&quot;History&quot; section. You may omit a
+network location for a work that was published at least four years
+before the Document itself, or if the original publisher of the
+version it refers to gives permission.</p>
+</li><li>
+<p>For any section Entitled
+&quot;Acknowledgments&quot; or
+&quot;Dedications&quot;, Preserve the Title
+of the section, and preserve in the section all the substance and
+tone of each of the contributor acknowledgments and/or dedications
+given therein.</p>
+</li><li>
+<p>Preserve all the Invariant Sections of the Document, unaltered in
+their text and in their titles. Section numbers or the equivalent are
+not considered part of the section titles.</p>
+</li><li>
+<p>Delete any section Entitled
+&quot;Endorsements&quot;. Such a section may
+not be included in the Modified Version.</p>
+</li><li>
+<p>Do not retitle any existing section to be Entitled
+&quot;Endorsements&quot; or to conflict in
+title with any Invariant Section.</p>
+</li><li>
+<p>Preserve any Warranty Disclaimers.</p>
+
+<p>If the Modified Version includes new front-matter sections or
+appendices that qualify as Secondary Sections and contain no material
+copied from the Document, you may at your option designate some or
+all of these sections as invariant. To do this, add their titles to
+the list of Invariant Sections in the Modified
+Version's license notice. These titles must be
+distinct from any other section titles.</p>
+
+<p>You may add a section Entitled
+&quot;Endorsements&quot;, provided it
+contains nothing but endorsements of your Modified Version by various
+parties&mdash;for example, statements of peer review or that the text
+has been approved by an organization as the authoritative definition
+of a standard.</p>
+
+<p>You may add a passage of up to five words as a Front-Cover Text, and
+a passage of up to 25 words as a Back-Cover Text, to the end of the
+list of Cover Texts in the Modified Version. Only one passage of
+Front-Cover Text and one of Back-Cover Text may be added by (or
+through arrangements made by) any one entity. If the Document already
+includes a cover text for the same cover, previously added by you or
+by arrangement made by the same entity you are acting on behalf of,
+you may not add another; but you may replace the old one, on explicit
+permission from the previous publisher that added the old one.</p>
+
+<p>The author(s) and publisher(s) of the Document do not by this License
+give permission to use their names for publicity for or to assert or
+imply endorsement of any Modified Version.</p>
+</li></ol>
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.7"/>
+
+<h3 class="head2">5. COMBINING DOCUMENTS</h3>
+
+<p>You may combine the Document with other documents released under this
+License, under the terms defined in section 4 above for modified
+versions, provided that you include in the combination all of the
+Invariant Sections of all of the original documents, unmodified, and
+list them all as Invariant Sections of your combined work in its
+license notice, and that you preserve all their Warranty Disclaimers.</p>
+
+<p>The combined work need only contain one copy of this License, and
+multiple identical Invariant Sections may be replaced with a single
+copy. If there are multiple Invariant Sections with the same name but
+different contents, make the title of each such section unique by
+adding at the end of it, in parentheses, the name of the original
+author or publisher of that section if known, or else a unique
+number. Make the same adjustment to the section titles in the list of
+Invariant Sections in the license notice of the combined work.</p>
+
+<p>In the combination, you must combine any sections Entitled
+&quot;History&quot; in the various original
+documents, forming one section Entitled
+&quot;History&quot;; likewise combine any
+sections Entitled
+&quot;Acknowledgements&quot;, and any
+sections Entitled &quot;Dedications&quot;.
+You must delete all sections Entitled
+&quot;Endorsements&quot;.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.8"/>
+
+<h3 class="head2">6. COLLECTIONS OF DOCUMENTS</h3>
+
+<p>You may make a collection consisting of the Document and other
+documents released under this License, and replace the individual
+copies of this License in the various documents with a single copy
+that is included in the collection, provided that you follow the
+rules of this License for verbatim copying of each of the documents
+in all other respects.</p>
+
+<p>You may extract a single document from such a collection, and
+distribute it individually under this License, provided you insert a
+copy of this License into the extracted document, and follow this
+License in all other respects regarding verbatim copying of that
+document.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.9"/>
+
+<h3 class="head2">7. AGGREGATION WITH INDEPENDENT WORKS</h3>
+
+<p>A compilation of the Document or its derivatives with other separate
+and independent documents or works, in or on a volume of a storage or
+distribution medium, is called an
+&quot;aggregate&quot; if the copyright
+resulting from the compilation is not used to limit the legal rights
+of the compilation's users beyond what the
+individual works permit. When the Document is included as an
+aggregate, this License does not apply to the other works in the
+aggregate which are not themselves derivative works of the Document.</p>
+
+<p>If the Cover Text requirement of section 3 is applicable to these
+copies of the Document, then if the Document is less than one half of
+the entire aggregate, the Document's Cover Texts may
+be placed on covers that bracket the Document within the aggregate,
+or the electronic equivalent of covers if the Document is in
+electronic form. Otherwise they must appear on printed covers that
+bracket the whole aggregate.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.10"/>
+
+<h3 class="head2">8. TRANSLATION</h3>
+
+<p>Translation is considered a kind of modification, so you may
+distribute translations of the Document under the terms of section 4.
+Replacing Invariant Sections with translations requires special
+permission from their copyright holders, but you may include
+translations of some or all Invariant Sections in addition to the
+original versions of these Invariant Sections. You may include a
+translation of this License, and all the license notices in the
+Document, and any Warranty Disclaimers, provided that you also
+include the original English version of this License and the original
+versions of those notices and disclaimers. In case of a disagreement
+between the translation and the original version of this License or a
+notice or disclaimer, the original version will prevail.</p>
+
+<p>If a section in the Document is Entitled
+&quot;Acknowledgements&quot;,
+&quot;Dedications&quot;, or
+&quot;History&quot;, the requirement (section
+4) to Preserve its Title (section 1) will typically require changing
+the actual title.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.11"/>
+
+<h3 class="head2">9. TERMINATION</h3>
+
+<p>You may not copy, modify, sublicense, or distribute the Document
+except as expressly provided for under this License. Any other
+attempt to copy, modify, sublicense or distribute the Document is
+void, and will automatically terminate your rights under this
+License. However, parties who have received copies, or rights, from
+you under this License will not have their licenses terminated so
+long as such parties remain in full compliance.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-APP-G-SECT-1.12"/>
+
+<h3 class="head2">10. FUTURE REVISIONS OF THIS LICENSE</h3>
+
+<p>The Free Software Foundation may publish new, revised versions of the
+GNU Free Documentation License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in
+detail to address new problems or concerns. See <a href="http://www.gnu.org/copyleft/">http://www.gnu.org/copyleft/</a>.</p>
+
+<p>Each version of the License is given a distinguishing version number.
+If the Document specifies that a particular numbered version of this
+License &quot;or any later version&quot;
+applies to it, you have the option of following the terms and
+conditions either of that specified version or of any later version
+that has been published (not as a draft) by the Free Software
+Foundation. If the Document does not specify a version number of this
+License, you may choose any version ever published (not as a draft)
+by the Free Software Foundation. <a name="INDEX-2"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/ch00.html b/docs/htmldocs/using_samba/ch00.html
new file mode 100644
index 0000000000..5a2c89feb8
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch00.html
@@ -0,0 +1,368 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Preface</h1>
+
+
+<p>You are reading a book about Samba, a software suite that networks
+Windows, Unix, and other operating systems using
+Windows' native networking protocol. Samba allows
+Unix servers to offer Windows networking services by matching the
+filesystem and networking models of Unix to those of Windows. Samba
+acts as a bridge between the two systems, connecting the
+corresponding parts of their architectures and providing a
+translation wherever necessary.</p>
+
+<p>Bridging the gap between systems as dissimilar as Windows and Unix is
+a complex task, which Samba handles surprisingly well. To be a good
+Samba administrator, your abilities must parallel
+Samba's. For starters, you need to know basic Unix
+system and network administration and have a good understanding of
+Windows filesystems and networking fundamentals. In addition, you
+need to learn how Samba fills in the &quot;gray
+area&quot; between Unix and Windows. Once you know how
+everything fits together, you'll find it easy to
+configure a Samba server to provide your network with reliable and
+high-performance computational resources.</p>
+
+<p>Our job is to make all of that easier for you. We do this by starting
+out with a quick and yet comprehensive tour of Windows networking in
+<a href="ch01.html">Chapter 1</a>, followed by tutorially-oriented
+<a href="ch02.html">Chapter 2</a> and <a href="ch03.html">Chapter 3</a>, which tell you how to set up a minimal Samba server
+and configure Windows clients to work with it. Most likely, you will
+be surprised how quickly you can complete the required tasks.</p>
+
+<p>We believe that a hands-on approach is the most effective, and you
+can use the Samba server you build in <a href="ch02.html">Chapter 2</a> and <a href="ch03.html">Chapter 3</a> as a test
+system for trying out examples that we show and describe throughout
+the book. You can jump around from chapter to chapter if you like,
+but if you continue sequentially from <a href="ch04.html">Chapter 4</a>
+onward, by the time you finish the book you will have a
+well-configured production Samba server ready for use. All you have
+to do is add the appropriate support for your intended purpose as we
+explain how to use each feature.</p>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-1"/>
+
+<h2 class="head1">Audience for This Book</h2>
+
+<p>This book is primarily intended for Unix administrators who need to
+support Windows clients on their network, as well as anyone who needs
+to access the resources of a Windows network environment from a Unix
+client. While we assume you are familiar with basic Unix system
+administration, we do <em class="emphasis">not</em> assume you are a
+networking expert. We do our best along the way to help out with
+unusual definitions and terms.</p>
+
+<p>Furthermore, we don't assume that you are an expert
+in Microsoft Windows. We carefully explain all the essential concepts
+related to Windows networking, and we go through the Windows side of
+the installation task in considerable detail, providing examples for
+both Windows 95/98/Me and Windows NT/2000/XP, which are significantly
+different. For the Unix side, we give examples that work with common
+Unix operating systems, such as Linux, Solaris, FreeBSD, and Mac OS
+X.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-2"/>
+
+<h2 class="head1">Organization</h2>
+
+<p>Here is a quick description of each chapter:</p>
+
+<p><a href="ch01.html">Chapter 1</a> introduces Samba and its capabilities,
+then describes the most important concepts of NetBIOS and SMB/CIFS
+networking. Finally, we give you a quick overview of the daemons and
+utilities that are included in the Samba distribution.</p>
+
+<p><a href="ch02.html">Chapter 2</a> covers configuring, compiling,
+installing, setting up, and testing the Samba server on a Unix
+platform.</p>
+
+<p><a href="ch03.html">Chapter 3</a> explains how to configure Microsoft
+Windows 95/98/Me and Windows NT/2000/XP clients to participate in an
+SMB network.</p>
+
+<p><a href="ch04.html">Chapter 4</a> explains the ins and outs of Windows NT
+domains and how to configure Samba to work in a network set up as a
+Windows NT domain.</p>
+
+<p><a href="ch05.html">Chapter 5</a> describes methods for accessing SMB
+shares on the network from Unix client systems.</p>
+
+<p><a href="ch06.html">Chapter 6</a>
+gets you up to speed on the structure of the Samba
+configuration file and shows you how to take control of file-sharing
+services.</p>
+
+<p><a href="ch07.html">Chapter 7</a> introduces name resolution, which is
+used to convert NetBIOS computer names into IP addresses, and
+browsing, the method used in SMB networking to find what resources
+are being shared on the network.</p>
+
+<p><a href="ch08.html">Chapter 8</a> continues the discussion of file-sharing options, and
+covers more advanced functions such as permissions, access control
+lists, opportunistic locks, and setting up a Distributed filesystem
+tree.</p>
+
+<p><a href="ch09.html">Chapter 9</a> discusses how
+to set up Samba users, introduces you to Samba security, and shows
+you how to work with encrypted and nonencrypted passwords.</p>
+
+<p><a href="ch10.html">Chapter 10</a>
+discusses printer setup for sharing Unix printers on the
+SMB network, and allowing Unix workstations to access SMB shared
+printers.</p>
+
+<p><a href="ch11.html">Chapter 11</a>
+bundles several miscellaneous topics associated with
+Samba, such as configuring Samba shares for programmers and
+internationalization issues.</p>
+
+<p><a href="ch12.html">Chapter 12</a> details what to do if
+you have problems installing Samba. This comparatively
+large chapter is packed with troubleshooting hints and strategies for
+identifying what is going wrong.</p>
+
+<p><a href="appa.html">Appendix A</a> provides working examples of
+<em class="filename">smb.conf</em> files for use in configuring Samba for
+its more common applications. You can easily modify the examples for
+use in a wide variety of circumstances.</p>
+
+<p><a href="appb.html">Appendix B</a> covers each option that can be used in
+the Samba configuration file.</p>
+
+<p><a href="appc.html">Appendix C</a> is a quick reference that covers each
+server daemon and tool that make up the Samba suite.</p>
+
+<p><a href="appd.html">Appendix D</a> explains how to download the latest
+development version of the Samba source code using CVS.</p>
+
+<p><a href="appe.html">Appendix E</a> documents each option that can be used
+with the <em class="emphasis">configure</em> command before compiling the
+Samba source code.</p>
+
+<p><a href="appf.html">Appendix F</a> includes directions for sharing files
+and printers with the Server edition of Mac OS X.</p>
+
+<p><a href="appg.html">Appendix G</a> is the copyright license under which
+this book is published.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-3"/>
+
+<h2 class="head1">Conventions Used in This Book</h2>
+
+<p>The following font conventions are followed throughout this book:</p>
+
+<dl>
+<dt><b>Italic </b></dt>
+<dd>
+<p>Filenames, file extensions, URLs, executable files, command options,
+and emphasis.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">Constant</tt> <tt class="literal">width</tt> </b></dt>
+<dd>
+<p>Samba configuration options, computer names, user and group names,
+hostnames, domain names, other code that appears in the text, and
+command-line information that should be typed verbatim on the screen.</p>
+</dd>
+
+
+
+<dt><b><tt class="userinput"><b>Constant width bold</b></tt> </b></dt>
+<dd>
+<p>Commands that are entered by the user and new configuration options
+that we wish to bring to the attention of the reader.</p>
+</dd>
+
+
+
+<dt><b><em class="replaceable">Constant width italic</em></b></dt>
+<dd>
+<p>Replaceable content in code and command-line information.</p>
+</dd>
+
+</dl>
+
+<a name="samba2-PREFACE-2-NOTE-82"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>This designates a note, which is an important aside to the nearby
+text.</p>
+</blockquote>
+<a name="samba2-PREFACE-2-NOTE-83"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>This designates a warning related to the nearby text.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-4"/>
+
+<h2 class="head1">How to Contact Us</h2>
+
+<p>We have tested and verified the information in this book to the best
+of our ability, but you might find that features have changed (or
+even that we have made mistakes!). Please let us know about any
+errors you find, as well as your suggestions for future editions, by
+writing to:</p>
+
+<blockquote class="simplelist">
+
+<p>O'Reilly &amp; Associates, Inc.</p>
+
+<p>1005 Gravenstein Highway North</p>
+
+<p>Sebastopol, CA 95472</p>
+
+<p>(800) 998-9938 (in the United States or Canada)</p>
+
+<p>(707) 829-0515 (international/local)</p>
+
+<p>(707) 829-0104 (fax)</p>
+
+</blockquote>
+
+<p>To ask technical questions or comment on the book, send email to:</p>
+
+<blockquote class="simplelist">
+
+<p><em class="email">bookquestions@oreilly.com</em></p>
+
+</blockquote>
+
+<p>We have a web page for this book where we list examples and any plans
+for future editions. You can access this information at:</p>
+
+<blockquote class="simplelist">
+
+<p><a href="http://www.oreilly.com/catalog/samba2">http://www.oreilly.com/catalog/samba2</a></p>
+
+</blockquote>
+
+<p>You can also contact Jay Ts, the lead author of this edition, through
+his web site at:</p>
+
+<blockquote class="simplelist">
+
+<p><a href="http://www.jayts.com">http://www.jayts.com</a></p>
+
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-PREFACE-2-SECT-5"/>
+
+<h2 class="head1">Acknowledgments</h2>
+
+<p>We thank Leon Towns-von Stauber for thoroughly researching the use of
+Samba on Mac OS X and writing material that appears in <a href="ch02.html">Chapter 2</a>, <a href="ch05.html">Chapter 5</a>, and <a href="ch10.html">Chapter 10</a>, as well as the entire <a href="appf.html">Appendix F</a>. We also thank our technical reviewers Sam
+Johnston, Matthew Temple, Marty Leisner, and Don McCall.</p>
+
+
+<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.1"/>
+
+<h3 class="head2">Jay Ts</h3>
+
+<p>This book would have been extremely difficult to write if it
+hadn't been for the copy of VMware Workstation
+graciously provided by VMware, Inc. I want to thank Rik Farrow for
+his clarifying comments on security topics related to Samba and
+Windows, and both him and Rose Moon for their supportive friendship.
+Thanks also go to Mark Watson for his encouragement and advice on the
+topic of authoring technical books. Additionally,
+I'd like to express my appreciation to Andy Oram at
+O'Reilly for being a supportive, friendly, and
+easygoing editor, and for offering me terms that I could say yes
+to&mdash;something that a few other publishers
+didn't even approach. SuSE, Inc. generously provided
+a copy of SuSE Linux 8.1 Professional.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.2"/>
+
+<h3 class="head2">Robert Eckstein</h3>
+
+<p>I'd first like to recognize Dave Collier-Brown and
+Peter Kelly for all their help in the creation of this book.
+I'd also like to thank each technical reviewer who
+helped polish this book into shape on such short notice: Matthew
+Temple, Jeremy Allison, and of course Andrew Tridgell. Andrew and
+Jeremy deserve special recognition, not only for creating such a
+wonderful product, but also for providing a tireless amount of
+support in the final phase of this book&mdash;hats off to you, guys!
+A warm hug goes out to my wife Michelle, who once again put up with a
+husband loaded down with too much caffeine and a tight schedule.
+Thanks to Dave Sifry and the people at LinuxCare, San Francisco, for
+hosting me on such short notice for Andrew
+Tridgell's visit. And finally, a huge amount of
+thanks to our editor, Andy Oram, who (very) patiently helped guide
+this book through its many stages until we got it right.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.3"/>
+
+<h3 class="head2">David Collier-Brown</h3>
+
+<p>I'd particularly like to thank Joyce, who put up
+with me during the sometimes exciting development of the book. My
+thanks to Andy Oram, who was kind enough to provide the criticism
+that allowed me to contribute; the crew at ACE (Opcom) who humored
+the obvious madman in their midst; and Ian MacMillan, who voluntarily
+translated several of my early drafts from nerd to English. I would
+also like to give special thanks to Perry Donham, Drew Sullivan, and
+Jerry DeRoo for starting and sustaining this mad project. Finally,
+I'd like to thank Bob Eckstein for a final,
+sustained, and professional effort that lifted the whole book up to
+the level that Andy needed.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-PREFACE-2-SECT-5.4"/>
+
+<h3 class="head2">All</h3>
+
+<p>We would especially like to give thanks to Perry Donham and Peter
+Kelly for helping mold the first draft of this book. Although Perry
+was unable to contribute to subsequent drafts, his material was
+essential to getting this book off on the right foot. In addition,
+some of the browsing material came from text originally written by
+Dan Shearer for O'Reilly.</p>
+
+
+</div>
+
+
+</div>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/ch01.html b/docs/htmldocs/using_samba/ch01.html
new file mode 100644
index 0000000000..98a687f08e
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch01.html
@@ -0,0 +1,3193 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 1. Learning the Samba</h1>
+
+
+<p><a name="INDEX-1"/>Samba
+is an extremely useful networking tool for anyone who has both
+Windows and Unix systems on his network. Running on a Unix system, it
+allows Windows to share files and printers on the Unix host, and it
+also allows Unix users to access resources shared by Windows systems.</p>
+
+<p>Although it might seem natural to use a Windows server to serve files
+and printers to a network containing Windows clients, there are good
+reasons for preferring a Samba server for this duty. Samba is
+reliable software that runs on reliable Unix operating systems,
+resulting in fewer problems and a low cost of maintenance. Samba also
+offers better performance under heavy loads, outperforming Windows
+2000 Server by a factor of 2 to 1 on identical PC hardware, according
+to published third-party benchmarks. When common, inexpensive PC
+hardware fails to meet the demands of a huge client load, the Samba
+server can easily be moved to a proprietary &quot;big
+iron&quot; Unix mainframe, which can outperform Windows
+running on a PC many times. If all that weren't
+enough, Samba has a very nice cost advantage: it's
+free. Not only is the software itself freely available, but also no
+client licenses are required, and it runs on high-quality, free
+operating systems such as Linux and FreeBSD.</p>
+
+<p>After reading the previous paragraph, you might come to the
+conclusion that Samba is commonly used by large organizations with
+thousands of users on their networks&mdash;and you'd
+be right! But Samba's user base includes
+organizations all over the planet, of all types and sizes: from
+international corporations, to medium and small businesses, to
+individuals who run Samba on their Linux laptops. In the last case, a
+tool such as VMware is used to run Windows on the same computer, with
+Samba enabling the two operating systems to share files.</p>
+
+<p>The types of users vary even more&mdash;Samba is used by
+corporations, banks and other financial institutions, government and
+military organizations, schools, public libraries, art galleries,
+families, and even authors! This book was developed on a Linux system
+running VMware and Windows 2000, with Adobe FrameMaker running on
+Windows and the document files served by Samba from the Linux
+filesystem.</p>
+
+<p>Does all this whet your technological appetite? If so, we encourage
+you to keep reading, learn about Samba, and follow our examples to
+set up a Samba server of your own. In this and upcoming chapters, we
+will tell you exactly how to get started.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-1"/>
+
+<h2 class="head1">What Is Samba?</h2>
+
+<p><a name="INDEX-2"/>Samba
+is a suite of Unix applications that speak the
+<a name="INDEX-3"/><a name="INDEX-4"/>Server
+Message Block (SMB) protocol. Microsoft Windows operating systems and
+the OS/2 operating system use SMB to perform client-server networking
+for file and printer sharing and associated operations. By supporting
+this protocol, Samba enables computers running Unix to get in on the
+action, communicating with the same networking protocol as Microsoft
+Windows and appearing as another Windows system on the network from
+the perspective of a Windows client. A <a name="INDEX-5"/>Samba
+server offers the following services:</p>
+
+<ul><li>
+<p>Share one or more directory trees</p>
+</li><li>
+<p>Share one or more Distributed filesystem (Dfs) trees</p>
+</li><li>
+<p>Share printers installed on the server among Windows clients on the
+network</p>
+</li><li>
+<p>Assist clients with network browsing</p>
+</li><li>
+<p>Authenticate clients logging onto a Windows domain</p>
+</li><li>
+<p>Provide or assist with Windows Internet Name Service (WINS)
+name-server resolution</p>
+</li></ul>
+<p>The Samba suite also includes client tools that allow users on a Unix
+system to access folders and printers that Windows systems and Samba
+servers offer on the network.</p>
+
+<p>Samba is the brainchild of Andrew <a name="INDEX-6"/>Tridgell, who currently heads the Samba
+development team. Andrew started the project in 1991, while working
+with a Digital Equipment Corporation (DEC) software suite called
+Pathworks, created for connecting DEC VAX computers to computers made
+by other companies. Without knowing the significance of what he was
+doing, Andrew created a file-server program for an odd protocol that
+was part of Pathworks. That protocol later turned out to be SMB. A
+few years later, he expanded upon his custom-made SMB server and
+began distributing it as a product on the Internet under the name
+&quot;SMB Server.&quot; However, Andrew
+couldn't keep that name&mdash;it already belonged to
+another company's product&mdash;so he tried the
+following Unix renaming approach:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>grep -i '^s.*m.*b' /usr/dict/words</b></tt></pre></blockquote>
+
+<p>And the response was:</p>
+
+<blockquote><pre class="code">salmonberry
+samba
+sawtimber
+scramble</pre></blockquote>
+
+<p>Thus, the name &quot;Samba&quot; was born.</p>
+
+<p>Today, the Samba suite revolves around a pair of Unix daemons that
+provide shared resources&mdash;called <em class="firstterm">shares
+</em>or s<em class="firstterm">ervices</em>&mdash;to SMB clients
+on the network. These are:</p>
+
+<dl>
+<dt><b><a name="INDEX-7"/>smbd</b></dt>
+<dd>
+<p>A daemon that handles file and printer sharing and provides
+authentication and authorization for SMB clients.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-8"/>nmbd</b></dt>
+<dd>
+<p>A daemon that supports NetBIOS Name Service and WINS, which is
+Microsoft's implementation of a NetBIOS Name Server
+(NBNS). It also assists with network browsing.</p>
+</dd>
+
+</dl>
+
+<p>Samba is currently maintained and extended by a group of volunteers
+under the active supervision of Andrew Tridgell. Like the Linux
+operating system, Samba is distributed as open source software
+(<a href="http://opensource.org">http://opensource.org</a>) by its
+authors and is distributed under the GNU General Public License
+(GPL). Since its inception, development of Samba has been sponsored
+in part by the Australian National University, where Andrew Tridgell
+earned his Ph.D. Since then, many other organizations have sponsored
+Samba developers, including LinuxCare, VA Linux Systems,
+Hewlett-Packard, and IBM. It is a true testament to Samba that both
+commercial and noncommercial entities are prepared to spend money to
+support an open source effort.</p>
+
+<p>Microsoft has also contributed by offering its definition of the SMB
+protocol to the Internet Engineering Task Force (IETF) in 1996 as the
+<a name="INDEX-9"/><a name="INDEX-10"/>Common
+Internet File System (CIFS). Although we prefer to use the term
+&quot;SMB&quot; in this book, you will also
+often find the protocol being referred to as
+&quot;CIFS.&quot; This is especially true on
+Microsoft's web site.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-2"/>
+
+<h2 class="head1">What Can Samba Do for Me?</h2>
+
+<p><a name="INDEX-11"/>As explained earlier, Samba can help
+Windows and Unix computers coexist in the same network. However,
+there are some specific reasons why you might want to set up a Samba
+server on your network:</p>
+
+<ul><li>
+<p>You don't want to pay for&mdash;or
+can't afford&mdash;a full-fledged Windows server,
+yet you still need the functionality that one provides.</p>
+</li><li>
+<p>The Client Access Licenses (CALs) that Microsoft requires for each
+Windows client to access a Windows server are unaffordable.</p>
+</li><li>
+<p>You want to provide a common area for data or user directories to
+transition from a Windows server to a Unix one, or vice versa.</p>
+</li><li>
+<p>You want to share printers among Windows and Unix workstations.</p>
+</li><li>
+<p>You are supporting a group of computer users who have a mixture of
+Windows and Unix computers.</p>
+</li><li>
+<p>You want to integrate Unix and Windows authentication, maintaining a
+single database of user accounts that works with both systems.</p>
+</li><li>
+<p>You want to network Unix, Windows, Macintosh (OS X), and other
+systems using a single protocol.</p>
+</li></ul>
+<p>Let's take a quick tour of
+<a name="INDEX-12"/>Samba in action. Assume that we have
+the following basic network configuration: a Samba-enabled Unix
+system, to which we will assign the name <tt class="literal">toltec</tt>,
+and a pair of Windows clients, to which we will assign the names
+<tt class="literal">maya</tt> and <tt class="literal">aztec</tt>, all connected
+via a local area network (LAN). Let's also assume
+that <tt class="literal">toltec</tt> also has a local inkjet printer
+connected to it, <tt class="literal">lp</tt>, and a disk share named
+<tt class="literal">spirit</tt>&mdash;both of which it can offer to the
+other two computers. A graphic of this network is shown in <a href="ch01.html#samba2-CHP-1-FIG-1">Figure 1-1</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-1"/><img src="figs/sam2_0101.gif"/></div><h4 class="head4">Figure 1-1. A simple network set up with a Samba server</h4>
+
+<p>In this network, each computer listed shares the same
+<em class="firstterm">workgroup</em>. A workgroup is a group name tag
+that identifies an arbitrary collection of computers and their
+resources on an SMB network. Several workgroups can be on the network
+at any time, but for our basic network example,
+we'll have only one: the METRAN workgroup.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-2.1"/>
+
+<h3 class="head2">Sharing a Disk Service</h3>
+
+<p><a name="INDEX-13"/><a name="INDEX-14"/><a name="INDEX-15"/>If everything is properly
+configured, we should be able to see the Samba server,
+<tt class="literal">toltec</tt>, through the Network Neighborhood of the
+<tt class="literal">maya</tt> Windows desktop. In fact, <a href="ch01.html#samba2-CHP-1-FIG-2">Figure 1-2</a> shows the Network Neighborhood of the
+<tt class="literal">maya</tt> computer, including <tt class="literal">toltec</tt>
+and each computer that resides in the METRAN workgroup. Note the
+Entire Network icon at the top of the list. As we just mentioned,
+more than one workgroup can be on an SMB network at any given time.
+If a user clicks the Entire Network icon, she will see a list of all
+the workgroups that currently exist on the network.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-2"/><img src="figs/sam2_0102.gif"/></div><h4 class="head4">Figure 1-2. The Network Neighborhood directory</h4>
+
+<p>We can take a closer look at the <tt class="literal">toltec</tt> server by
+double-clicking its icon. This contacts <tt class="literal">toltec</tt>
+itself and requests a list of its
+<em class="firstterm">shares</em>&mdash;the file and printer
+resources&mdash;that the computer provides. In this case, a printer
+named <tt class="literal">lp</tt>, a home directory named
+<tt class="literal">jay</tt>, and a disk share named
+<tt class="literal">spirit</tt> are on the server, as shown in <a href="ch01.html#samba2-CHP-1-FIG-3">Figure 1-3</a>. Note that the Windows display shows hostnames
+in mixed case (Toltec). Case is irrelevant in hostnames, so you might
+see toltec, Toltec, and TOLTEC in various displays or command output,
+but they all refer to a single system. Thanks to Samba, Windows 98
+sees the Unix server as a valid SMB server and can access the
+<tt class="literal">spirit</tt> folder as if it were just another system
+folder.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-3"/><img src="figs/sam2_0103.gif"/></div><h4 class="head4">Figure 1-3. Shares available on the Toltec server as viewed from maya</h4>
+
+<p>One popular Windows feature is the ability to map a drive letter
+(such as E:, F:, or Z:) to a shared directory on the network using
+the Map Network Drive option in Windows Explorer.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a>
+Once you do so, your applications can access the folder across the
+network using the drive letter. You can store data on it, install and
+run programs from it, and even password-protect it against unwanted
+visitors. See <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a> for an example of mapping
+a <a name="INDEX-16"/><a name="INDEX-17"/>drive letter to a network
+directory.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-4"/><img src="figs/sam2_0104.gif"/></div><h4 class="head4">Figure 1-4. Mapping a network drive to a Windows drive letter</h4>
+
+<p>Take a look at the Path: entry in the dialog box of <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a>. An equivalent way to represent a directory on
+a network computer is by using two backslashes, followed by the name
+of the networked computer, another backslash, and the networked
+directory of the computer, as shown here:</p>
+
+<blockquote><pre class="code">\\<em class="replaceable">network-computer</em>\<em class="replaceable">directory</em></pre></blockquote>
+
+<p>This is known as the <em class="firstterm"/><a name="INDEX-18"/>Universal
+Naming Convention (UNC)</em>  in the Windows world. For example, the dialog
+box in <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a> represents the network directory
+on the <tt class="literal">toltec</tt> server as:</p>
+
+<blockquote><pre class="code">\\toltec\spirit</pre></blockquote>
+
+<p>If this looks somewhat familiar to you, you're
+probably thinking of <em class="firstterm">uniform resource
+locators</em><a name="INDEX-19"/><a name="INDEX-20"/> (URLs), which are addresses that web
+browsers such as Netscape Navigator and Internet Explorer use to
+resolve systems across the Internet. Be sure not to confuse the two:
+URLs such as <a href="http://www.oreilly.com">http://www.oreilly.com</a> use forward slashes
+instead of backslashes, and they precede the initial slashes with the
+data transfer protocol (i.e., ftp, http) and a colon (:). In reality,
+URLs and UNCs are two completely separate things, although sometimes
+you can specify an SMB share using a URL rather than a UNC. As a URL,
+the <em class="filename">\\toltec\spirit</em> share would be specified as
+<em class="filename">smb://toltec/spirit</em>.</p>
+
+<p>Once the network drive is set up, Windows and its programs behave as
+if the networked directory were a local disk. If you have any
+applications that support multiuser functionality on a network, you
+can install those programs on the network drive.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> <a href="ch01.html#samba2-CHP-1-FIG-5">Figure 1-5</a> shows the
+resulting network drive as it would appear with other storage devices
+in the Windows 98 client. Note the pipeline attachment in the icon
+for the J: drive; this indicates that it is a network drive rather
+than a fixed drive.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-5"/><img src="figs/sam2_0105.gif"/></div><h4 class="head4">Figure 1-5. The Network directory mapped to the client drive letter J</h4>
+
+<p>My Network Places, found in Windows Me, 2000, and XP, works
+differently from Network Neighborhood. It is necessary to click a few
+more icons, but eventually we can get to the view of the
+<tt class="literal">toltec</tt> server as shown in <a href="ch01.html#samba2-CHP-1-FIG-6">Figure 1-6</a>. This is from a Windows 2000 system. Setting
+up the network drive using the Map Network Drive option in Windows
+2000 works similarly to other Windows versions. <a name="INDEX-21"/><a name="INDEX-22"/><a name="INDEX-23"/></p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-6"/><img src="figs/sam2_0106.gif"/></div><h4 class="head4">Figure 1-6. Shares available on Toltec (viewed from dine)</h4>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-2.2"/>
+
+<h3 class="head2">Sharing a Printer</h3>
+
+<p><a name="INDEX-24"/><a name="INDEX-25"/><a name="INDEX-26"/>You probably noticed that the printer
+<tt class="literal">lp</tt> appeared under the available shares for
+<tt class="literal">toltec</tt> in <a href="ch01.html#samba2-CHP-1-FIG-3">Figure 1-3</a>. This
+indicates that the Unix server has a printer that can be shared by
+the various SMB clients in the workgroup. Data sent to the printer
+from any of the clients will be spooled on the Unix server and
+printed in the order in which it is received.</p>
+
+<p><a name="INDEX-27"/><a name="INDEX-28"/>Setting up a Samba-enabled
+printer on the Windows side is even easier than setting up a disk
+share. By double-clicking the printer and identifying the
+manufacturer and model, you can install a driver for this printer on
+the Windows client. Windows can then properly format any information
+sent to the network printer and access it as if it were a local
+printer. On Windows 98, double-clicking the Printers icon in the
+Control Panel opens the Printers window shown in <a href="ch01.html#samba2-CHP-1-FIG-7">Figure 1-7</a>. Again, note the pipeline attachment below the
+printer, which identifies it as being on a network.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-7"/><img src="figs/sam2_0107.gif"/></div><h4 class="head4">Figure 1-7. A network printer available on Toltec</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-2.2.1"/>
+
+<h3 class="head3">Seeing things from the Unix side</h3>
+
+<p><a name="INDEX-29"/><a name="INDEX-30"/>As mentioned earlier, Samba
+appears in Unix as a set of daemon programs. You can view them with
+the Unix <a name="INDEX-31"/><em class="emphasis">ps</em> command; you can
+read any messages they generate through custom debug files or the
+Unix <em class="emphasis">syslog</em> (depending on how Samba is set up);
+and you can configure them from a single Samba configuration file:
+<em class="emphasis">smb.conf</em>. In addition, if you want to get an idea of
+what the daemons are doing, Samba has a program called
+<em class="emphasis">smbstatus</em><a name="INDEX-32"/> that will lay it all on the line. Here
+is how it works:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbstatus</b></tt>
+Processing section &quot;[homes]&quot;
+Processing section &quot;[printers]&quot;
+Processing section &quot;[spirit]&quot;
+
+Samba version 2.2.6
+Service     uid    gid    pid     machine
+-----------------------------------------
+spirit      jay    jay    7735    maya     (172.16.1.6) Sun Aug 12 12:17:14 2002
+spirit      jay    jay    7779    aztec    (172.16.1.2) Sun Aug 12 12:49:11 2002
+jay         jay    jay    7735    maya     (172.16.1.6) Sun Aug 12 12:56:19 2002
+
+Locked files:
+Pid    DenyMode   R/W        Oplock     Name
+--------------------------------------------------
+7735   DENY_WRITE RDONLY     NONE       /u/RegClean.exe   Sun Aug 12 13:01:22 2002
+
+Share mode memory usage (bytes):
+   1048368(99%) free + 136(0%) used + 72(0%) overhead = 1048576(100%) total</pre></blockquote>
+
+<p>The Samba status from this output provides three sets of data, each
+divided into separate sections. The first section tells which systems
+have connected to the Samba server, identifying each client by its
+machine name (<tt class="literal">maya</tt> and <tt class="literal">aztec</tt>)
+and IP (Internet Protocol) address. The second section reports the
+name and status of the files that are currently in use on a share on
+the server, including the read/write status and any locks on the
+files. Finally, Samba reports the amount of memory it has currently
+allocated to the shares that it administers, including the amount
+actively used by the shares plus additional overhead. (Note that this
+is not the same as the total amount of memory that the
+<em class="emphasis">smbd</em> or <em class="emphasis">nmbd</em> processes are
+using.)</p>
+
+<p>Don't worry if you don't understand
+these statistics; they will become easier to understand as you move
+through the book.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-3"/>
+
+<h2 class="head1">Getting Familiar with an SMB Network</h2>
+
+<p><a name="INDEX-33"/>Now that you have had a brief tour of
+Samba, let's take some time to get familiar with
+Samba's adopted environment: an SMB network.
+Networking with SMB is significantly different from working with
+common TCP/IP protocols such as FTP and Telnet because there are
+several new concepts to learn and a lot of information to cover.
+First, we will discuss the basic concepts behind an SMB network,
+followed by some Microsoft implementations of it, and finally we will
+show you where a Samba server can and cannot fit into the picture.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.1"/>
+
+<h3 class="head2">Understanding NetBIOS</h3>
+
+<p>To begin, let's step back in time. In 1984, IBM
+authored a simple application programming interface (API) for
+networking its computers, called the <em class="firstterm">Network Basic
+Input/Output System
+</em>(<a name="INDEX-34"/>NetBIOS).
+The NetBIOS API provided a rudimentary design for an application to
+connect and share data with other computers.</p>
+
+<p>It's helpful to think of the NetBIOS API as
+networking extensions to the standard BIOS API calls. The BIOS
+contains low-level code for performing filesystem operations on the
+local computer. NetBIOS originally had to exchange instructions with
+computers across IBM PC or Token Ring networks. It therefore required
+a low-level transport protocol to carry its requests from one
+computer to the next.</p>
+
+<p>In late 1985, IBM released one such protocol, which it merged with
+the NetBIOS API to become the <em class="firstterm">NetBIOS Extended User
+Interface</em> (<em class="emphasis">NetBEUI</em> ).
+<a name="INDEX-35"/>NetBEUI was
+designed for small LANs, and it let each computer claim a name (up to
+15 characters) that wasn't already in use on the
+network. By a &quot;small LAN,&quot; we mean
+fewer than 255 nodes on the network&mdash;which was considered a
+generous number in 1985!</p>
+
+<p>The NetBEUI protocol was very popular with networking applications,
+including those running under Windows for Workgroups. Later,
+implementations of NetBIOS over Novell's IPX
+networking protocols also emerged, which competed with NetBEUI.
+However, the networking protocols of choice for the burgeoning
+Internet community were TCP/IP and UDP/IP, and implementing the
+NetBIOS APIs over those protocols soon became a necessity.</p>
+
+<p>Recall that TCP/IP uses numbers to represent computer addresses
+(192.168.220.100, for instance) while NetBIOS uses only names. This
+was a major issue when trying to mesh the two protocols together. In
+1987, the IETF published standardization documents, titled RFC 1001
+and 1002, that outlined how NetBIOS would work over a TCP/UDP
+network. This set of documents still governs each implementation that
+exists today, including those provided by Microsoft with its Windows
+operating systems, as well as the Samba suite.</p>
+
+<p>Since then, the standard that this document governs has become known
+as <em class="firstterm">NetBIOS over
+TCP/IP</em><a name="INDEX-36"/><a name="INDEX-37"/><a name="INDEX-38"/>, or NBT for short.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> </p>
+
+<p>The NBT standard (RFC 1001/1002)
+currently outlines a trio of services on a network:</p>
+
+<ul><li>
+<p>A name service</p>
+</li><li>
+<p>Two communication services:</p>
+<ul><li>
+<p>Datagrams</p>
+</li>
+
+<li>
+<p>Sessions</p>
+</li></ul>
+</li>
+</ul>
+
+<p>The <a name="INDEX-39"/>name
+service solves the name-to-address problem mentioned earlier; it
+allows each computer to declare a specific name on the network that
+can be translated to a machine-readable IP address, much like
+today's Domain Name System (DNS) on the Internet.
+The <a name="INDEX-40"/>datagram and <a name="INDEX-41"/>session services are both
+secondary communication protocols used to transmit data back and
+forth from NetBIOS computers across the network.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.2"/>
+
+<h3 class="head2">Getting a Name</h3>
+
+<p><a name="INDEX-42"/><a name="INDEX-43"/>In the NetBIOS world, when each
+computer comes online, it wants to claim a name for itself; this is
+called <em class="firstterm">name registration</em>. However, no two
+computers in the same workgroup should be able to claim the same
+name; this would cause endless confusion for any computer that wanted
+to communicate with either of them. There are two different
+approaches to ensuring that this doesn't happen:</p>
+
+<ul><li>
+<p>Use an <em class="firstterm"/>NBNS</em> to keep track of which hosts have
+registered a NetBIOS name.</p>
+</li><li>
+<p>Allow each computer on the network to defend its name in the event
+that another computer attempts to use it.</p>
+</li></ul>
+<p><a href="ch01.html#samba2-CHP-1-FIG-8">Figure 1-8</a> illustrates a (failed) name
+registration, with and without an NBNS.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-8"/><img src="figs/sam2_0108.gif"/></div><h4 class="head4">Figure 1-8. Broadcast versus NBNS name registration</h4>
+
+<p><a name="INDEX-44"/><a name="INDEX-45"/>As mentioned earlier,
+there must be a way to resolve a NetBIOS name to a specific IP
+address; this is known as <em class="firstterm">name resolution</em>.
+There are two different approaches with NBT here as well:</p>
+
+<ul><li>
+<p>Have each computer report back its IP address when it
+&quot;hears&quot; a broadcast request for its
+NetBIOS name.</p>
+</li><li>
+<p>Use an NBNS to help resolve NetBIOS names to IP addresses.</p>
+</li></ul>
+<p><a href="ch01.html#samba2-CHP-1-FIG-9">Figure 1-9</a> illustrates the two types of name
+resolution.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-9"/><img src="figs/sam2_0109.gif"/></div><h4 class="head4">Figure 1-9. Broadcast versus NBNS name resolution</h4>
+
+<p>As you might expect, having an NBNS on your network can help out
+tremendously. To see exactly why, let's look at the
+broadcast method.</p>
+
+<p>Here, when a client computer boots, it will
+<a name="INDEX-46"/>broadcast a
+message declaring that it wishes to register a specified NetBIOS name
+as its own. If nobody objects to the use of the name, it keeps the
+name. On the other hand, if another computer on the local subnet is
+currently using the requested name, it will send a message back to
+the requesting client that the name is already taken. This is known
+as <em class="firstterm">defending</em><a name="INDEX-47"/><a name="INDEX-48"/> the hostname. This type of system
+comes in handy when one client has unexpectedly dropped off the
+network&mdash;another can take its name unchallenged&mdash;but it
+does incur an inordinate amount of traffic on the network for
+something as simple as name registration.</p>
+
+<p>With an NBNS, the same thing occurs, except the communication is
+confined to the requesting computer and the NBNS. No broadcasting
+occurs when the computer wishes to register the name; the
+registration message is simply sent directly from the client to the
+NBNS, and the NBNS replies regardless of whether the name is already
+taken. This is known as <em class="firstterm">point-to-point
+communication</em><a name="INDEX-49"/>, and it is often beneficial on
+networks with more than one subnet. This is because routers are
+generally configured to block incoming packets that are broadcast to
+all computers in the subnet.</p>
+
+<p>The same principles apply to name resolution. Without an NBNS,
+NetBIOS name resolution would also be done with a broadcast
+mechanism. All request packets would be sent to each computer in the
+network, with the hope that one computer that might be affected will
+respond directly back to the computer that asked. Using an NBNS and
+point-to-point communication for this purpose is far less taxing on
+the network than flooding the network with broadcasts for every
+name-resolution request.</p>
+
+<p>It can be argued that broadcast packets do not cause significant
+problems in modern, high-bandwidth networks of hosts with fast CPUs,
+if only a small number of hosts are on the network, or the demand for
+bandwidth is low. There are certainly cases where this is true;
+however, our advice throughout this book is to avoid relying on
+broadcasts as much as possible. This is a good rule to follow for
+large, busy networks, and if you follow our advice when configuring a
+small network, your network will be able to grow without encountering
+problems later on that might be difficult to diagnose. <a name="INDEX-50"/><a name="INDEX-51"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.3"/>
+
+<h3 class="head2">Node Types</h3>
+
+<p><a name="INDEX-52"/><a name="INDEX-53"/>How can you tell what strategy each
+client on your network will use when performing name registration and
+resolution? Each computer on an NBT network earns one of the
+following designations, depending on how it handles name registration
+and resolution: <a name="INDEX-54"/><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>b-node, p-node, m-node, and h-node. The
+behaviors of each type of node are summarized in <a href="ch01.html#samba2-CHP-1-TABLE-1">Table 1-1</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-1"/><h4 class="head4">Table 1-1. NetBIOS node types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Role</p>
+</th>
+<th>
+<p>Value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>b-node</p>
+</td>
+<td>
+<p>Uses broadcast registration and resolution only.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>p-node</p>
+</td>
+<td>
+<p>Uses point-to-point registration and resolution only.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>m-node (mixed)</p>
+</td>
+<td>
+<p>Uses broadcast for registration. If successful, it notifies the NBNS
+of the result. Uses broadcast for resolution; uses the NBNS if
+broadcast is unsuccessful.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>h-node (hybrid)</p>
+</td>
+<td>
+<p>Uses the NBNS for registration and resolution; uses broadcast if the
+NBNS is unresponsive or inoperative.</p>
+</td>
+</tr>
+
+</table>
+
+<p>In the case of Windows clients, you will usually find them listed as
+h-nodes or hybrid nodes. The first three node types appear in RFC
+1001/1002, and h-nodes were invented later by Microsoft, as a more
+fault-tolerant method.</p>
+
+<p>You can find the node type of a Windows 95/98/Me computer by running
+the <em class="emphasis">winipcfg</em><a name="INDEX-58"/><a name="INDEX-59"/> command from the Start
+&rarr; Run dialog (or from an MS-DOS prompt) and clicking
+the More Info&gt;&gt; button. On Windows NT/2000/XP, you can use the
+<tt class="literal">ipconfig</tt><a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/>
+<tt class="literal">/all</tt> command in a command-prompt window. In either
+case, search for the line that says <tt class="literal">Node Type</tt>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.4"/>
+
+<h3 class="head2">What's in a Name?</h3>
+
+<p>The names <a name="INDEX-64"/><a name="INDEX-65"/>NetBIOS uses are quite different
+from the DNS hostnames you might be familiar with. First, NetBIOS
+names exist in a flat namespace. In other words, there are no
+hierarchical levels, such as in <tt class="literal">oreilly.com</tt> (two
+levels) or <em class="emphasis">ftp</em><em class="emphasis">.samba.org</em> (three
+levels). NetBIOS names consist of a single unique string such as
+<tt class="literal">navaho</tt> or <tt class="literal">hopi</tt> within each
+workgroup or domain. Second, NetBIOS names are allowed to be only 15
+characters and can consist only of standard alphanumeric characters
+(a-z, A-Z, 0-9) and the following:</p>
+
+<blockquote><pre class="code">! @ # $ % ^ &amp; ( ) - ' { } . ~</pre></blockquote>
+
+<p>Although you are allowed to use a <a name="INDEX-66"/><a name="INDEX-67"/><a name="INDEX-68"/>period (.) in a NetBIOS name, we recommend
+against it because those names are not guaranteed to work in future
+versions of NBT.</p>
+
+<p>It's not a coincidence that all valid DNS names are
+also valid NetBIOS names. In fact, the unqualified DNS name for a
+Samba server is often reused as its NetBIOS name. For example, if you
+had a system with a hostname of <tt class="literal">mixtec.ora.com</tt> ,
+its NetBIOS name would likely be MIXTEC (followed by 9 spaces).</p>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.1"/>
+
+<h3 class="head3">Resource names and types</h3>
+
+<p><a name="INDEX-69"/><a name="INDEX-70"/>With NetBIOS, a computer not
+only advertises its presence, but also tells others what types of
+services it offers. For example, <tt class="literal">mixtec</tt> can
+indicate that it's not just a workstation, but that
+it's also a file server and can receive Windows
+Messenger messages. This is done by adding a 16th byte to the end of
+the machine (resource) name, called the <em class="firstterm">resource
+type</em>, and registering the name multiple times, once for
+each service that it offers. See <a href="ch01.html#samba2-CHP-1-FIG-10">Figure 1-10</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-10"/><img src="figs/sam2_0110.gif"/></div><h4 class="head4">Figure 1-10. The structure of NetBIOS names</h4>
+
+<p>The 1-byte resource type indicates a unique service that the named
+computer provides. In this book, you will often see the resource type
+shown in angled brackets (&lt;&gt;) after the NetBIOS name, such as:</p>
+
+<blockquote><pre class="code">MIXTEC&lt;00&gt;</pre></blockquote>
+
+<p>You can see which names are registered for a particular NBT computer
+using the Windows command-line
+<em class="emphasis">nbtstat</em><a name="INDEX-71"/> utility.
+Because these services are unique (i.e., there cannot be more than
+one registered), you will see them listed as type UNIQUE in the
+output. For example, the following partial output describes the
+<tt class="literal">toltec</tt> server:</p>
+
+<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>nbtstat -a toltec</b></tt>
+
+       NetBIOS Remote Machine Name Table
+   Name               Type         Status
+---------------------------------------------
+TOLTEC          &lt;00&gt;  UNIQUE      Registered
+TOLTEC          &lt;03&gt;  UNIQUE      Registered
+TOLTEC          &lt;20&gt;  UNIQUE      Registered
+...</pre></blockquote>
+
+<p>This says the server has registered the NetBIOS name
+<tt class="literal">toltec</tt> as a machine (computer) name, as a
+recipient of messages from the Windows Messenger service, and as a
+file server. Some possible attributes a name can have are listed in
+<a href="ch01.html#samba2-CHP-1-TABLE-2">Table 1-2</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-2"/><h4 class="head4">Table 1-2. NetBIOS unique resource types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Named resource</p>
+</th>
+<th>
+<p>Hexadecimal byte value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Standard Workstation Service</p>
+</td>
+<td>
+<p>00</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Messenger Service</p>
+</td>
+<td>
+<p>03</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>RAS Server Service</p>
+</td>
+<td>
+<p>06</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Domain Master Browser Service (associated with primary domain controller)</p>
+</td>
+<td>
+<p>1B</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Master Browser name</p>
+</td>
+<td>
+<p>1D</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>NetDDE Service</p>
+</td>
+<td>
+<p>1F</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Fileserver (including printer server)</p>
+</td>
+<td>
+<p>20</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>RAS Client Service</p>
+</td>
+<td>
+<p>21</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Network Monitor Agent</p>
+</td>
+<td>
+<p>BE</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Network Monitor Utility</p>
+</td>
+<td>
+<p>BF</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.2"/>
+
+<h3 class="head3">Group names and types</h3>
+
+<p>SMB also uses the concept of groups, with which computers can
+register themselves. Earlier we mentioned that the computers in our
+example belonged to a
+<em class="firstterm">workgroup</em><a name="INDEX-73"/>,
+which is a partition of computers on the same network. For example, a
+business might very easily have an ACCOUNTING and a SALES workgroup,
+each with different servers and printers. In the Windows world, a
+workgroup and an
+<a name="INDEX-74"/>SMB
+group are the same thing.</p>
+
+<p>Continuing our
+<em class="emphasis">nbtstat</em><a name="INDEX-75"/> example,
+the <tt class="literal">toltec</tt> Samba server is also a member of the
+METRAN workgroup (the GROUP attribute hex 00) and will participate in
+elections for the browse master (GROUP attribute 1E). Here is the
+remainder of the <em class="emphasis">nbtstat</em> output:</p>
+
+<blockquote><pre class="code">       NetBIOS Remote Machine Name Table
+   Name               Type         Status
+---------------------------------------------
+METRAN         &lt;00&gt;   GROUP       Registered
+METRAN         &lt;1E&gt;   GROUP       Registered
+..__MSBROWSE__.&lt;01&gt;   GROUP       Registered</pre></blockquote>
+
+<p>The possible group attributes a computer can have are illustrated in
+<a href="ch01.html#samba2-CHP-1-TABLE-3">Table 1-3</a>. More
+<a name="INDEX-76"/><a name="INDEX-77"/>information
+is available in <em class="emphasis">Windows NT in a Nutshell</em> by Eric
+<a name="INDEX-78"/>Pearce, also
+published by O'Reilly.</p>
+
+<a name="samba2-CHP-1-TABLE-3"/><h4 class="head4">Table 1-3. NetBIOS group resource types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Named resource</p>
+</th>
+<th>
+<p>Hexadecimal byte value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Standard Workstation group</p>
+</td>
+<td>
+<p>00</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Logon server</p>
+</td>
+<td>
+<p>1C</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Master Browser name</p>
+</td>
+<td>
+<p>1D</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Normal Group name (used in browser elections)</p>
+</td>
+<td>
+<p>1E</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Internet Group name (administrative)</p>
+</td>
+<td>
+<p>20</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">&lt;01&gt;&lt;02&gt;_ _MSBROWSE_ _&lt;02&gt;</tt></p>
+</td>
+<td>
+<p>01</p>
+</td>
+</tr>
+
+</table>
+
+<p>The final entry, <tt class="literal">_ _ MSBROWSE _ _</tt>
+<a name="INDEX-80"/>, is used to announce a group to other
+master browsers. The nonprinting characters in the name show up as
+dots in an <em class="emphasis">nbtstat</em> printout.
+Don't worry if you don't understand
+all of the resource or group types. Some of them you will not need
+with Samba, and others you will pick up as you move through the rest
+of the chapter. The important thing to remember here is the logistics
+of the naming mechanism.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.3"/>
+
+<h3 class="head3">Scope ID</h3>
+
+<p>In the dark ages of SMB networking before NetBIOS groups were
+introduced, you could use a very primitive method to isolate groups
+of computers from the rest of the network. Each SMB packet contains a
+field called the <em class="firstterm">scope
+ID</em><a name="INDEX-81"/><a name="INDEX-82"/>, with the idea being that
+systems on the network could be configured to accept only packets
+with a scope ID matching that of their configuration. This feature
+was hardly ever used and unfortunately lingers in modern
+implementations. Some of the utilities included in the Samba
+distribution allow the scope ID to be set. Setting the scope ID in a
+network is likely to cause problems, and we are mentioning scope ID
+only so that you will not be confused by it when you later encounter
+it in various places.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-3.5"/>
+
+<h3 class="head2">Datagrams and Sessions</h3>
+
+<p>At this point, let's digress to discuss the
+responsibility of NBT: to provide connection services between two
+NetBIOS computers.
+<a name="INDEX-83"/>NBT
+offers two services: the <em class="firstterm">session
+service</em><a name="INDEX-84"/> and the
+<em class="firstterm">datagram service</em><a name="INDEX-85"/>.
+Understanding how these two services work is not essential to using
+Samba, but it does give you an idea of how NBT works and how to
+troubleshoot Samba when it doesn't work.</p>
+
+<p>The datagram service has no stable connection between computers.
+Packets of data are simply sent or broadcast from one computer to
+another, without regard to the order in which they arrive at the
+destination, or even if they arrive at all. The use of datagrams
+requires less processing overhead than sessions, although the
+reliability of the connection can suffer. Datagrams, therefore, are
+used for quickly sending nonvital blocks of data to one or more
+computers. The datagram service communicates using the simple
+primitives shown in <a href="ch01.html#samba2-CHP-1-TABLE-4">Table 1-4</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-4"/><h4 class="head4">Table 1-4. Datagram primitives</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Primitive</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Send Datagram</p>
+</td>
+<td>
+<p>Send datagram packet to computer or groups of computers.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Send Broadcast Datagram</p>
+</td>
+<td>
+<p>Broadcast datagram to any computer waiting with a Receive Broadcast
+datagram.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Receive Datagram</p>
+</td>
+<td>
+<p>Receive a datagram from a computer.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Receive Broadcast Datagram</p>
+</td>
+<td>
+<p>Wait for a Broadcast datagram.</p>
+</td>
+</tr>
+
+</table>
+
+<p>The session service is more complex. Sessions are a communication
+method that, in theory, offers the ability to detect problematic or
+inoperable connections between two NetBIOS applications. It helps to
+think of an NBT session as being similar to a telephone call, an
+analogy that obviously influenced the design of the CIFS standard.</p>
+
+<p>Once the connection is made, it remains open throughout the duration
+of the conversation, each side knows who the caller and the called
+computer are, and each can communicate with the simple primitives
+shown in <a href="ch01.html#samba2-CHP-1-TABLE-5">Table 1-5</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-5"/><h4 class="head4">Table 1-5. Session primitives</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Primitive</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Call</p>
+</td>
+<td>
+<p>Initiate a session with a computer listening under a specified name.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Listen</p>
+</td>
+<td>
+<p>Wait for a call from a known caller or any caller.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Hang-up</p>
+</td>
+<td>
+<p>Exit a call.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Send</p>
+</td>
+<td>
+<p>Send data to the other computer.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Receive</p>
+</td>
+<td>
+<p>Receive data from the other computer.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Session Status</p>
+</td>
+<td>
+<p>Get information on requested sessions.</p>
+</td>
+</tr>
+
+</table>
+
+<p>Sessions are the backbone of resource sharing on an NBT network. They
+are typically used for establishing stable connections from client
+computers to disk or printer shares on a server. The client
+&quot;calls&quot; the server and starts
+trading information such as which files it wishes to open, which data
+it wishes to exchange, etc. These calls can last a long
+time&mdash;hours, even days&mdash;and all of this occurs within the
+context of a single connection. If there is an error, the session
+software (TCP) will retransmit until the data is received properly,
+unlike the &quot;punt-and-pray&quot; approach
+of the datagram service (UDP).</p>
+
+<p>In truth, while sessions are supposed to handle problematic
+communications, they sometimes don't. If the
+connection is interrupted, session information that is open between
+the two computers might become invalid. If that happens, the only way
+to regain the session information is for the same two computers to
+call each other again and start over.</p>
+
+<p>If you want more information on each service, we recommend you look
+at RFC 1001. However, there are two important things to remember
+here:</p>
+
+<ul><li>
+<p><a name="INDEX-88"/>Sessions always
+occur between two NetBIOS computers. If a session service is
+interrupted, the client is supposed to store sufficient state
+information for it to reestablish the connection. However, in
+practice, this often does not happen.</p>
+</li><li>
+<p><a name="INDEX-89"/>Datagrams can
+be broadcast to multiple computers, but they are unreliable. In other
+words, there is no way for the source to know that the datagrams it
+sent have indeed arrived at their destinations. <a name="INDEX-90"/></p>
+</li></ul>
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-4"/>
+
+<h2 class="head1">An Introduction to the SMB Protocol</h2>
+
+<p><a name="INDEX-91"/>Now
+we're going to cover some low-level technical
+details and explore the elementals of the SMB protocol. You probably
+don't need to know much about this to implement a
+simple Samba network, and therefore you might want to skip or skim
+over this section and go on to the next one
+(&quot;Windows Workgroups and Domains&quot;)
+on your first reading. However, assuming you are going to be
+responsible for long-term maintenance of a Samba network, it will
+help if you understand how it actually works. You will more easily be
+able to diagnose and correct any odd problems that pop up.</p>
+
+<p>At a high level, the SMB protocol suite is relatively simple. It
+includes commands for all the file and print operations that you
+might perform on a local disk or printer, such as:</p>
+
+<ul><li>
+<p>Opening and closing files</p>
+</li><li>
+<p>Creating and deleting files and directories</p>
+</li><li>
+<p>Reading and writing files</p>
+</li><li>
+<p>Searching for files</p>
+</li><li>
+<p>Queueing and dequeueing files in a print spool</p>
+</li></ul>
+<p>Each operation can be encoded into an SMB message and transmitted to
+and from a server. The original name
+&quot;SMB&quot; comes from the way in which
+the commands are formatted: they are versions of the standard DOS
+system-call data structures, or <em class="firstterm">Server Message
+Blocks</em>, redesigned for transmitting to another computer
+across a network.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.1"/>
+
+<h3 class="head2">SMB Format</h3>
+
+<p>Richard <a name="INDEX-92"/>Sharpe of the Samba team defines SMB as
+a <em class="firstterm">request-response</em> protocol.<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> In effect,
+this means that a client sends an SMB request to a server and the
+server sends an SMB response back to the client. In only one rare
+circumstance does a server send a message that is not in response to
+a client.</p>
+
+<p>An <a name="INDEX-94"/>SMB message is not as complex as you
+might think. Let's take a closer look at the
+internal structure of such a message. It can be broken down into two
+parts: the <em class="firstterm">header</em>, which is a fixed size, and
+the <em class="firstterm">command string</em>, whose size can vary
+dramatically based on the contents of the message.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.1"/>
+
+<h3 class="head3">SMB header format</h3>
+
+<p><a href="ch01.html#samba2-CHP-1-TABLE-6">Table 1-6</a> shows the format of an
+<a name="INDEX-95"/>SMB header. The COM field identifies
+the command being performed. SMB commands are not required to use all
+the fields in the SMB header. For example, when a client first
+attempts to connect to a server, it does not yet have a tree
+identifier (TID) value&mdash;one is assigned after it successfully
+connects&mdash;so a null TID is placed in its header field. Other
+fields can be padded with zeros when not used.</p>
+
+<p>The <a name="INDEX-96"/>SMB header fields are listed in <a href="ch01.html#samba2-CHP-1-TABLE-6">Table 1-6</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-6"/><h4 class="head4">Table 1-6. SMB header fields</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Field</p>
+</th>
+<th>
+<p>Size (bytes)</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">0xFF 'SMB</tt>'</p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Protocol identifier</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">COM</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Command code, from 0x00 to 0xFF</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">RCLS</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Error class</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">REH</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Reserved</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ERR</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>Error code</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">REB</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Reserved</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">RES</tt></p>
+</td>
+<td>
+<p><tt class="literal">14</tt></p>
+</td>
+<td>
+<p>Reserved</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">TID</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>TID; a unique ID for a resource in use by the client</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">PID</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>Caller process ID</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">UID</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>User identifier</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">MID</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>Multiplex identifier; used to route requests inside a process</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.2"/>
+
+<h3 class="head3">SMB command format</h3>
+
+<p>Immediately after the header is a variable number of bytes that
+constitute an <a name="INDEX-97"/>SMB command or reply. Each command,
+such as Open File (COM field identifier: <tt class="literal">SMBopen</tt>)
+or Get Print Queue (<tt class="literal">SMBsplretq</tt> ), has its own set
+of parameters and data. Like the SMB header fields, not all of the
+command fields need to be filled, depending on the specific command.
+For example, the Get Server Attributes
+(<tt class="literal">SMBdskattr</tt>) command sets the WCT and BCC fields
+to zero. The fields of the command segment are shown in <a href="ch01.html#samba2-CHP-1-TABLE-7">Table 1-7</a>.</p>
+
+<a name="samba2-CHP-1-TABLE-7"/><h4 class="head4">Table 1-7. SMB command contents</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Field</p>
+</th>
+<th>
+<p>Size (bytes)</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">WCT</tt></p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Word count</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">VWV</tt></p>
+</td>
+<td>
+<p>Variable</p>
+</td>
+<td>
+<p>Parameter words (size given by WCT)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">BCC</tt></p>
+</td>
+<td>
+<p><tt class="literal">2</tt></p>
+</td>
+<td>
+<p>Parameter byte count</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">DATA</tt></p>
+</td>
+<td>
+<p>Variable</p>
+</td>
+<td>
+<p>Data (size given by BCC)</p>
+</td>
+</tr>
+
+</table>
+
+<p>Don't worry if you don't understand
+each field; they are not necessary for using Samba at an
+administrator level. However, they do come in handy when debugging
+system messages. We will show you some of the more common SMB
+messages that clients and servers send using a modified version of
+<em class="filename">tcpdump</em> later in this section. (If you prefer an
+<a name="INDEX-98"/><a name="INDEX-99"/>SMB sniffer with a graphical
+interface, try Ethereal, which uses the GTK libraries; see
+<a href="http://www.ethereal.com">http://www.ethereal.com</a> for more
+information on this tool.)</p>
+
+<a name="samba2-CHP-1-NOTE-84"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>For more information on each command in the
+<a name="INDEX-100"/>SMB protocol, see the
+<em class="citetitle">CIFS Technical
+Reference</em><a name="INDEX-101"/> at <a href="http://www.snia.org/tech_activities/CIFS">http://www.snia.org/tech_activities/CIFS</a>.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.3"/>
+
+<h3 class="head3">SMB variations</h3>
+
+<p>The SMB protocol has been extended with new commands several times
+since its inception. Each new version is backward-compatible with the
+previous versions, so it is possible for a LAN to have clients and
+servers concurrently running different versions of the SMB protocol.</p>
+
+<p><a href="ch01.html#samba2-CHP-1-TABLE-8">Table 1-8</a> outlines the major versions of the
+<a name="INDEX-102"/>SMB
+protocol. Within each &quot;dialect&quot; of
+SMB are many sub-versions that include commands supporting particular
+releases of major operating systems. The ID string in column 2 is
+used by clients and servers to determine in which level of the
+protocol they will speak to each other.</p>
+
+<a name="samba2-CHP-1-TABLE-8"/><h4 class="head4">Table 1-8. SMB protocol dialects</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Protocol name</p>
+</th>
+<th>
+<p>ID string</p>
+</th>
+<th>
+<p>Used by</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Core</p>
+</td>
+<td>
+<p><tt class="literal">PC NETWORK PROGRAM 1.0</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-103"/>Core Plus</p>
+</td>
+<td>
+<p><tt class="literal">MICROSOFT NETWORKS 1.03</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-104"/>LAN Manager 1.0</p>
+</td>
+<td>
+<p><tt class="literal">LANMAN1.0</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p>LAN Manager 2.0</p>
+</td>
+<td>
+<p><tt class="literal">LM1.2X002</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p>LAN Manager 2.1</p>
+</td>
+<td>
+<p><tt class="literal">LANMAN2.1</tt></p>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-105"/>NT LAN
+Manager 1.0</p>
+</td>
+<td>
+<p><tt class="literal">NT LM 0.12</tt></p>
+</td>
+<td>
+<p>Windows NT 4.0</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-106"/>Samba's NT LM 0.12</p>
+</td>
+<td>
+<p><tt class="literal">Samba</tt></p>
+</td>
+<td>
+<p>Samba</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-107"/><a name="INDEX-108"/>Common
+Internet File System</p>
+</td>
+<td>
+<p><tt class="literal">CIFS 1.0</tt></p>
+</td>
+<td>
+<p>Windows 2000/XP</p>
+</td>
+</tr>
+
+</table>
+
+<p>Samba implements the NT LM 0.12 specification for NT LAN Manager 1.0.
+It is backward-compatible with all the other SMB variants. The CIFS
+specification is, in reality, LAN Manager 0.12 with a few specific
+additions.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.2"/>
+
+<h3 class="head2">SMB Clients and Servers</h3>
+
+<p><a name="INDEX-109"/><a name="INDEX-110"/>As
+mentioned earlier, SMB is a client/server protocol. In the purest
+sense, this means that a client sends a request to a server, which
+acts on the request and returns a reply. However, the client/server
+roles can often be reversed, sometimes within the context of a single
+SMB session. For example, consider the two Windows 95/98/Me computers
+in <a href="ch01.html#samba2-CHP-1-FIG-11">Figure 1-11</a>. The computer named
+<tt class="literal">maya</tt> shares a printer to the network, and the
+computer named <tt class="literal">toltec</tt> shares a disk directory.
+<tt class="literal">maya</tt> is in the client role when accessing
+<tt class="literal">toltec</tt>'s network drive and in the
+server role when printing a job for <tt class="literal">toltec</tt>.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-11"/><img src="figs/sam2_0111.gif"/></div><h4 class="head4">Figure 1-11. Two computers that both have resources to share</h4>
+
+<p>This brings out an important point in Samba terminology:</p>
+
+<ul><li>
+<p>A <em class="firstterm">server</em> is a computer with a resource to
+share.</p>
+</li><li>
+<p>A <em class="firstterm">client</em> is a computer that wishes to use that
+resource.</p>
+</li><li>
+<p>A computer can be a client, a server, or both, or it can be neither
+at any given time.</p>
+</li></ul>
+<p>Microsoft Windows products have both the SMB client and server built
+into the operating system, and it is common to find Windows acting as
+a server, client, both, or neither at any given time in a production
+network. Although Samba has been developed primarily to function as a
+server, there are also ways that it and associated software can act
+as an SMB client. As with Windows, it is even possible to set up a
+Unix system to act as an SMB client and not as a server. See <a href="ch05.html">Chapter 5</a> for more details on this topic.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.3"/>
+
+<h3 class="head2">A Simple SMB Connection</h3>
+
+<p><a name="INDEX-111"/>The client and server must complete
+three steps to establish a connection to a resource:</p>
+
+<ol><li>
+<p>Establish a NetBIOS session.</p>
+</li><li>
+<p>Negotiate the protocol variant.</p>
+</li><li>
+<p>Set session parameters, and make a tree connection to a resource.</p>
+</li></ol>
+<p>We will examine each step through the eyes of a useful tool that we
+mentioned earlier: the modified
+<em class="filename">tcpdump</em><a name="INDEX-112"/> that is
+available from the Samba web site.</p>
+
+<a name="samba2-CHP-1-NOTE-85"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>You can download the tcpdump program at <a href="http://www.samba.org">http://www.samba.org</a> in the
+<em class="filename">samba/ftp/tcpdump-smb</em> directory; the latest
+version as of this writing is 3.4-10. Use this program as you would
+use the standard <em class="filename">tcpdump</em> application, but add
+the <tt class="literal">-s 1500</tt> switch to ensure that you get the
+whole packet and not just the first few bytes.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.4"/>
+
+<h3 class="head2">Establishing a NetBIOS Session</h3>
+
+<p><a name="INDEX-113"/>When a user first makes a request
+to access a network disk or send a print job to a remote printer,
+NetBIOS takes care of making a connection at the session layer. The
+result is a bidirectional channel between the client and server. The
+client and server need only two messages to establish this
+connection. This is shown in the following example session request
+and response, as captured by <em class="filename">tcpdump</em> .</p>
+
+<p>First, the client sends a request to open a session, and
+<em class="filename">tcpdump </em><a name="INDEX-114"/>reports:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Request
+Flags=0x81000044
+Destination=TOLTEC      NameType=0x20 (Server)
+Source=MAYA             NameType=0x00 (Workstation)</pre></blockquote>
+
+<p>Then the server responds, granting a session to the client:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Granted
+Flags=0x82000000</pre></blockquote>
+
+<p>At this point, there is an open channel between the client and server.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.5"/>
+
+<h3 class="head2">Negotiating the Protocol Variant</h3>
+
+<p>Next, the client sends a message to the server to negotiate an
+<a name="INDEX-115"/>SMB protocol. As mentioned
+earlier, the client sets its <a name="INDEX-116"/>tree identifier (TID) field to
+zero, because it does not yet know what TID to use. A <em class="emphasis">tree
+identifier</em> is a number that represents a connection to a
+share on a server.</p>
+
+<p>The command in the message is <tt class="literal">SMBnegprot</tt>, a
+request to negotiate a protocol variant that will be used for the
+entire session. Note that the client sends to the server a list of
+all the variants that it can speak, not vice versa:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Packet
+Flags=0x0
+Length=154
+
+SMB PACKET: SMBnegprot (REQUEST)
+SMB Command   =  0x72
+Error class   =  0x0
+Error code    =  0
+Flags1        =  0x0
+Flags2        =  0x0
+Tree ID       =  0
+Proc ID       =  5315
+UID           =  0
+MID           =  257
+Word Count    =  0
+Dialect=PC NETWORK PROGRAM 1.0
+Dialect=MICROSOFT NETWORKS 3.0
+Dialect=DOS LM1.2X002
+Dialect=DOS LANMAN2.1
+Dialect=Windows for Workgroups 3.1a
+Dialect=NT LM 0.12</pre></blockquote>
+
+<p>The server responds to the
+<tt class="literal">SMBnegprot</tt><a name="INDEX-117"/> request with an index (with counting
+starting at 0) into the list of variants that the client offered, or
+with the value 0xFF if none of the protocol variants is acceptable:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Packet
+Flags=0x0
+Length=84
+
+SMB PACKET: SMBnegprot (REPLY)
+SMB Command   =  0x72
+Error class   =  0x0
+Error code    =  0
+Flags1        =  0x80
+Flags2        =  0x1
+Tree ID       =  0
+Proc ID       =  5315
+UID           =  0
+MID           =  257
+Word Count    =  17
+NT1 Protocol
+DialectIndex=5
+[...]</pre></blockquote>
+
+<p>In this example, the server responds with the value 5, which
+indicates that the <tt class="literal">NT</tt> <tt class="literal">LM</tt>
+<tt class="literal">0.12</tt> dialect will be used for the remainder of the
+session.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-4.6"/>
+
+<h3 class="head2">Set Session and Login Parameters</h3>
+
+<p><a name="INDEX-118"/><a name="INDEX-119"/>The next step is to transmit session and
+login parameters for the session, which you do using the
+<a name="INDEX-120"/><tt class="literal">SMBSesssetupX</tt>
+command. The parameters include the following:</p>
+
+<ul><li>
+<p>The account name and password (if there is one)</p>
+</li><li>
+<p>The workgroup name</p>
+</li><li>
+<p>The maximum size of data that can be transferred</p>
+</li><li>
+<p>The number of pending requests that can be in the queue at a time</p>
+</li></ul>
+<p>The resulting output from <em class="filename">tcpdump </em>is:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Packet
+Flags=0x0
+Length=150
+
+SMB PACKET: SMBsesssetupX (REQUEST)
+SMB Command   =  0x73
+Error class   =  0x0
+Error code    =  0
+Flags1        =  0x10
+Flags2        =  0x0
+Tree ID       =  0
+Proc ID       =  5315
+UID           =  1
+MID           =  257
+Word Count    =  13
+Com2=0x75
+Res1=0x0
+Off2=120
+MaxBuffer=2920
+MaxMpx=50
+VcNumber=0
+SessionKey=0x1380
+CaseInsensitivePasswordLength=24
+CaseSensitivePasswordLength=0
+Res=0x0
+Capabilities=0x1
+Pass1&amp;Pass2&amp;Account&amp;Domain&amp;OS&amp;LanMan=  
+  JAY METRAN Windows 4.0 Windows 4.0
+
+SMB PACKET: SMBtconX (REQUEST) (CHAINED)
+smbvwv[]=
+Com2=0xFF
+Off2=0
+Flags=0x2
+PassLen=1
+Passwd&amp;Path&amp;Device=
+smb_bcc=23
+smb_buf[]=\\TOLTEC\SPIRIT</pre></blockquote>
+
+<p>In this example, the <tt class="literal">SMBsesssetupX</tt> Session Setup
+command allows for an additional SMB command to be piggybacked onto
+it (indicated by the letter X at the end of the command name). The
+hexadecimal code of the second command is given in the
+<tt class="literal">Com2</tt> field. In this case the command is
+<tt class="literal">0x75</tt>, which is the <tt class="literal">SMBtconX</tt>
+<tt class="literal">(</tt>Tree Connect and X) command. The
+<tt class="literal">SMBtconX</tt><a name="INDEX-121"/> message looks for the name of the
+resource in the <em class="emphasis">smb_buf</em> buffer. In this example,
+<em class="emphasis">smb_buf</em> contains the string
+<tt class="literal">\\TOLTEC\SPIRIT</tt>, which is the full pathname to a
+shared directory on <tt class="literal">toltec</tt>. Using the
+&quot;and X&quot; commands like this speeds
+up each transaction because the server doesn't have
+to wait on the client to make a second request.</p>
+
+<p>Note that the TID is still zero. Finally, the server returns a TID to
+the client, indicating that the user has been authorized access and
+that the resource is ready to be used:</p>
+
+<blockquote><pre class="code">&gt;&gt;&gt; NBT Packet
+NBT Session Packet
+Flags=0x0
+Length=85
+
+SMB PACKET: SMBsesssetupX (REPLY)
+SMB Command   =  0x73
+Error class   =  0x0
+Error code    =  0
+Flags1        =  0x80
+Flags2        =  0x1
+Tree ID       =  1
+Proc ID       =  5315
+UID           =  100
+MID           =  257
+Word Count    =  3
+Com2=0x75
+Off2=68
+Action=0x1
+[000] Unix Samba 2.2.6
+[010] METRAN
+
+SMB PACKET: SMBtconX (REPLY) (CHAINED)
+smbvwv[]=
+Com2=0xFF
+Off2=0
+smbbuf[]=
+ServiceType=A:</pre></blockquote>
+
+<p>The <em class="emphasis">ServiceType</em> field is set to
+&quot;A&quot; to indicate that this is a file
+service. Available service types are:</p>
+
+<ul><li>
+<p>&quot;A&quot; for a disk or file</p>
+</li><li>
+<p>&quot;LPT1&quot; for a spooled output</p>
+</li><li>
+<p>&quot;COMM&quot; for a direct-connect printer
+or modem</p>
+</li><li>
+<p>&quot;IPC&quot; for a named pipe</p>
+</li></ul>
+<p>Now that a TID has been assigned, the client can use it as a handle
+to perform any operation that it would use on a local disk drive. It
+can open files, read and write to them, delete them, create new
+files, search for filenames, and so on. <a name="INDEX-122"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-5"/>
+
+<h2 class="head1">Windows Workgroups and Domains</h2>
+
+<p>Up to now, we've covered basic SMB technology, which
+is all you would need if you had nothing more advanced than MS-DOS
+clients on your network. We do assume you want to support Windows
+clients, especially the more recent versions, so next
+we'll describe the enhancements Microsoft has added
+to SMB networking&mdash;namely, Windows for Workgroups and Windows
+domains.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-5.1"/>
+
+<h3 class="head2">Windows Workgroups</h3>
+
+<p><a name="INDEX-123"/><a name="INDEX-124"/>Windows
+Workgroups are very similar to the SMB groups already described. You
+need to know just a few additional things.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.1"/>
+
+<h3 class="head3">Browsing</h3>
+
+<p><a name="INDEX-125"/>Browsing
+is the process of finding the other computers and shared resources in
+the Windows network. Note that there is no connection with a World
+Wide Web browser, apart from the general idea of
+&quot;discovering what's
+there.&quot; On the other hand, browsing the Windows
+network is like the Web in that what's out there can
+change without warning.</p>
+
+<p>Before browsing existed, users had to know the name of the computer
+they wanted to connect to on the network and then manually enter a
+UNC such as the following into an application or file manager to
+access resources:</p>
+
+<blockquote><pre class="code">\\toltec\spirit\</pre></blockquote>
+
+<p>Browsing is much more convenient, making it possible to examine the
+contents of a network by using the point-and-click GUI interface of
+the Network Neighborhood (or My Network Places<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a>) on a Windows client.</p>
+
+<p>You will encounter two types of browsing in an SMB network:</p>
+
+<ul><li>
+<p><a name="INDEX-129"/>Browsing a list
+of computers and shared resources</p>
+</li><li>
+<p><a name="INDEX-130"/>Browsing the shared resource
+of a specific computer</p>
+</li></ul>
+<p>Let's look at the first one. On each LAN (or subnet)
+with a Windows workgroup or domain, one computer has the
+responsibility of maintaining a list of the computers that are
+currently accessible through the network. This computer is called the
+<em class="firstterm">local master
+browser</em><a name="INDEX-131"/><a name="INDEX-132"/>, and the list that it maintains is
+called the <em class="firstterm">browse
+list</em><a name="INDEX-133"/>. Computers on a subnet use the browse
+list to cut down on the amount of network traffic generated while
+browsing. Instead of each computer dynamically polling to determine a
+list of the currently available computers, the computer can simply
+query the local master browser to obtain a complete, up-to-date list.</p>
+
+<p>To browse the resources on a computer, a user must connect to the
+specific computer; this information cannot be obtained from the
+browse list. Browsing the list of resources on a computer can be done
+by double-clicking the computer's icon when it is
+presented in the Network Neighborhood. As you saw at the opening of
+the chapter, the computer will respond with a list of shared
+resources that can be accessed after the user is successfully
+authenticated.</p>
+
+<p>Each server on a Windows workgroup is required to announce its
+presence to the local master browser after it has registered a
+NetBIOS name, and (theoretically) announce that it is leaving the
+workgroup when it is shut down. It is the local master
+browser's responsibility to record what the servers
+have announced.</p>
+<a name="samba2-CHP-1-NOTE-86"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>The Windows <a name="INDEX-134"/>Network Neighborhood can behave
+oddly: until you select a particular computer to browse, the Network
+Neighborhood window might contain data that is not up-to-date. That
+means the Network Neighborhood window can be showing computers that
+have crashed or can be missing computers that
+haven't been noticed yet. Put succinctly, once
+you've selected a server and connected to it, you
+can be a lot more confident that the shares and printers really exist
+on the network.</p>
+</blockquote>
+
+<p>Unlike the roles you've seen earlier, almost any
+Windows system (including Windows for Workgroups and Windows 95/98/Me
+or NT/2000/XP) can act as a local master browser. The local master
+browser can have one or more
+<em class="firstterm"/><a name="INDEX-135"/><a name="INDEX-136"/>backup 
+browsers</em> on the local subnet
+that will take over in the event that the local master browser fails
+or becomes inaccessible. To ensure fluid operation, the local backup
+browsers will frequently synchronize their browse list with the local
+master browser.</p>
+
+<p>Here is how to calculate the minimum number of backup browsers that
+will be allocated on a workgroup:</p>
+
+<ul><li>
+<p>If up to 32 Windows NT/2000/XP workstations are on the network, or up
+to 16 Windows 95/98/Me computers are on the network, the local master
+browser allocates one backup browser in addition to the local master
+browser.</p>
+</li><li>
+<p>If the number of Windows NT/2000/XP workstations falls between 33 and
+64, or the number of Windows 95/98/Me workstations falls between 17
+and 32, the local master browser allocates two backup browsers.</p>
+</li><li>
+<p>For each group of 32 NT/2000/XP workstations or 16 Windows 95/98/Me
+computers beyond this, the local master browser allocates another
+backup browser.</p>
+</li></ul>
+<p>There is currently no upper limit on the number of backup browsers
+that can be allocated by the local master browser.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.2"/>
+
+<h3 class="head3">Browsing elections</h3>
+
+<p><a name="INDEX-137"/>Browsing
+is a critical aspect of any Windows workgroup. However, not
+everything runs perfectly on any network. For example,
+let's say that a computer running Windows on the
+desk of a small company's CEO is the local master
+browser&mdash;that is, until he switches it off while plugging in his
+massage chair. At this point the Windows NT Workstation in the spare
+parts department might agree to take over the job. However, that
+computer is currently running a large, poorly written program that
+has brought its processor to its knees. The moral: browsing has to be
+very tolerant of servers coming and going. Because nearly every
+Windows system can serve as a browser, there has to be a way of
+deciding at any time who will take on the job. This decision-making
+process is called an <em class="firstterm">election</em>.</p>
+
+<p>An election algorithm is built into nearly all Windows operating
+systems such that they can each agree who is going to be a local
+master browser and who will be local backup browsers. An election can
+be forced at any time. For example, let's assume
+that the CEO has finished his massage and reboots his server. As the
+server comes online, it will announce its presence, and an election
+will take place to see if the PC in the spare parts department should
+still be the master browser.</p>
+
+<p>When an election is performed, each computer broadcasts information
+about itself via datagrams. This information includes the following:</p>
+
+<ul><li>
+<p>The version of the election protocol used</p>
+</li><li>
+<p>The operating system on the computer</p>
+</li><li>
+<p>The amount of time the client has been on the network</p>
+</li><li>
+<p>The hostname of the client</p>
+</li></ul>
+<p>These values determine which operating system has seniority and will
+fulfill the role of the local master browser. (<a href="ch07.html">Chapter 7</a> describes the election process in more
+detail.) The architecture developed to achieve this is not elegant
+and has built-in security problems. While a browsing domain can be
+integrated with domain security, the election algorithm does not take
+into consideration which computers become browsers. Thus it is
+possible for any computer running a browser service to register
+itself as participating in the browsing election and (after winning)
+being able to change the browse list. Nevertheless, browsing is a key
+feature of Windows networking, and backward-compatibility
+requirements will ensure that it is in use for years to come.
+<a name="INDEX-138"/></p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.3"/>
+
+<h3 class="head3">Windows 95/98/Me authentication</h3>
+
+<p>Three types of passwords arise when
+<a name="INDEX-139"/><a name="INDEX-140"/>Windows
+95/98/Me is operating in a Windows workgroup:</p>
+
+<ul><li>
+<p>A Windows password</p>
+</li><li>
+<p>A Windows Networking password</p>
+</li><li>
+<p>A password for each shared resource that has been assigned password
+protection</p>
+</li></ul>
+<p>The Windows <a name="INDEX-141"/>password functions in a manner
+that might be a source of confusion for Unix system administrators.
+It is not there to prevent unauthorized users from using the
+computer. (If you don't believe that, try clicking
+the Cancel button on the password dialog box and see what happens!)
+Instead, the Windows password is used to gain access to a file that
+contains the Windows Networking and network resource passwords. There
+is one such file per registered user of the system, and they can be
+found in the <em class="filename">C:\Windows</em> directory with a name
+composed of the user's account name, followed by a
+<em class="filename">.pwl</em><a name="INDEX-142"/><a name="INDEX-143"/><a name="INDEX-144"/> extension. For example, if the
+user's account name is
+&quot;sarah,&quot; the file will be
+<em class="filename">C:\Windows\sarah.pwl</em>. This file is encrypted
+using the Windows password as the encryption key.</p>
+
+<a name="samba2-CHP-1-NOTE-87"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>As a security measure, you might want to check for junk
+<em class="filename">.pwl</em> files on Windows 95/98/Me clients, which
+might have been created by mistakes users made while attempting to
+log on. A <em class="filename">.pwl</em> file is easily cracked and can
+contain valid passwords for Samba accounts and network shares.</p>
+</blockquote>
+
+<p>The first time the network is accessed, Windows attempts to use the
+Windows password as the Windows Networking password. If this is
+successful, the user will not be prompted for two separate passwords,
+and subsequent logins to the Windows system will automatically result
+in logging on to the Windows network as well, making things much
+simpler for the user.</p>
+
+<p>Shared network resources in the workgroup can also have passwords
+assigned to them to limit their accessibility. The first time a user
+attempts to access the resource, she is asked for its password, and a
+checkbox in the password dialog box gives the user the option to add
+the password to her password list. This is the default; if it is
+accepted, Windows will store the password in the
+user's <em class="filename">.pwl</em> file, and all
+further authentication to the resource will be handled automatically
+by Windows.</p>
+
+<p>Samba's approach to workgroup authentication is a
+little different, which is a result of blending the Windows workgroup
+model with that of the Unix host upon which Samba runs. This will be
+discussed further in <a href="ch09.html">Chapter 9</a>. <a name="INDEX-145"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-5.2"/>
+
+<h3 class="head2">Windows NT Domains</h3>
+
+<p><a name="INDEX-146"/>The
+peer-to-peer networking model of
+<a name="INDEX-147"/>workgroups functions fairly well as long as
+the number of computers on the network is small and there is a
+close-knit community of users. However, in larger networks the
+simplicity of workgroups becomes a limiting factor. Workgroups offer
+only the most basic level of security, and because each resource can
+have its own password, it is inconvenient (to say the least) for
+users to remember the password for each resource in a large network.
+Even if that were not a problem, many people find it frustrating to
+have to interrupt their creative workflow to enter a shared password
+into a dialog box every time another network resource is accessed.</p>
+
+<p>To support the needs of larger networks, such as those found in
+departmental computing environments, Microsoft introduced domains
+with Windows NT 3.51. A <em class="firstterm">Windows NT domain</em> is
+essentially a workgroup of SMB computers that has one addition: a
+server acting as a <em class="firstterm">domain
+controller</em><a name="INDEX-148"/> (see <a href="ch01.html#samba2-CHP-1-FIG-12">Figure 1-12</a>).</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-12"/><img src="figs/sam2_0112.gif"/></div><h4 class="head4">Figure 1-12. A simple Windows domain</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.1"/>
+
+<h3 class="head3">Domain controllers</h3>
+
+<p>A domain controller in a Windows NT domain functions much like a
+<a name="INDEX-149"/><a name="INDEX-150"/>Network
+Information Service (NIS) server in a Unix network, maintaining a
+domain-wide database of user and group information, as well as
+performing related services. The responsibilities of a domain
+controller are mainly centered around security, including
+<em class="firstterm">authentication</em><a name="INDEX-151"/>,
+the process of granting or denying a user access to the resources of
+the domain. This is typically done through the use of a username and
+password. The service that maintains the database on the domain
+controllers is called the <a name="INDEX-152"/><a name="INDEX-153"/>Security Account Manager (SAM).</p>
+
+<p>The <a name="INDEX-154"/>Windows NT security model revolves
+around <em class="firstterm">security
+identifiers</em><a name="INDEX-155"/><a name="INDEX-156"/> (SIDs) and <em class="firstterm">access
+control lists</em><a name="INDEX-157"/><a name="INDEX-158"/>
+(ACLs). Security identifiers are used to represent objects in the
+domain, which include (but are not limited to) users, groups,
+computers, and processes. SIDs are commonly written in ASCII form as
+hyphen-separated fields, like this:</p>
+
+<blockquote><pre class="code">S-1-5-21-1638239387-7675610646-9254035128-545</pre></blockquote>
+
+<p>The part of the SID starting with the
+&quot;S&quot; and leading up to the rightmost
+hyphen identifies a domain. The number after the rightmost hyphen is
+called a <a name="INDEX-159"/>relative identifier (RID) and is a unique
+number within the domain that identifies the user, group, computer,
+or other object. The RID is the analog of a <a name="INDEX-160"/>user ID (UID) or
+<a name="INDEX-161"/>group ID
+(GID) on a Unix system or within an NIS domain.</p>
+
+<p>ACLs supply the same function as
+&quot;rwx&quot;
+<a name="INDEX-162"/><a name="INDEX-163"/><a name="INDEX-164"/><a name="INDEX-165"/><a name="INDEX-166"/>file permissions that are common in Unix
+systems. However, ACLs are more versatile. Unix file permissions only
+set permissions for the owner and group to which the file belongs,
+and &quot;other,&quot; meaning everyone else.
+Windows NT/2000/XP ACLs allow permissions to be set individually for
+any number of arbitrary users and/or groups. ACLs are made up of one
+or more <em class="firstterm">access control
+entries</em><a name="INDEX-167"/> (ACEs), each of which contains an SID
+and the access rights associated with it.</p>
+
+<p>ACL support has been added as a standard feature for some Unix
+variants and is available as an add-on for others. Samba supports
+mappings between Windows and Unix ACLs, and this will be covered in
+<a href="ch08.html">Chapter 8</a>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.2"/>
+
+<h3 class="head3">Primary and backup domain controllers</h3>
+
+<p>You've already read about master and backup
+browsers. Domain controllers are similar in that a domain has a
+<em class="firstterm">primary domain
+controller</em><a name="INDEX-168"/><a name="INDEX-169"/><a name="INDEX-170"/> (PDC) and can have
+one or more <em class="firstterm">backup domain
+controllers</em><a name="INDEX-171"/> (BDCs) as well. If the PDC fails or
+becomes inaccessible, its duties are automatically taken over by one
+of the BDCs. BDCs frequently synchronize their SAM data with the PDC
+so if the need arises, any one of them can immediately begin
+performing domain-controller services without impacting the clients.
+However, note that BDCs have read-only copies of the SAM database;
+they can update their data only by synchronizing with a PDC. A server
+in a Windows domain can use the SAM of any PDC or BDC to authenticate
+a user who attempts to access its resources and log on to the domain.</p>
+
+<p>All recent versions of Windows can log on to a domain as clients to
+access the resources of the domain servers. The systems that are
+considered members of the domain are a more exclusive class, composed
+of the PDC and BDCs, as well as domain member servers, which are
+systems that have joined a domain as members, and are known to the
+domain controllers by having a computer account in the SAM database.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.3"/>
+
+<h3 class="head3">Authentication</h3>
+
+<p><a name="INDEX-172"/>When
+a user logs on to a Windows domain by typing in a username and
+password, a secure challenge and response protocol is invoked between
+the client computer and a domain controller to verify that the
+username and password are valid. Then the domain controller sends a
+SID back to the client, which uses it to create a
+<a name="INDEX-173"/>Security Access Token (SAT) that is valid
+only for that system, to be used for further authentication. This
+access token has information about the user coded into it, including
+the username, the group, and the rights the user has within the
+domain. At this point, the user is logged on to the domain.</p>
+
+<p>Subsequently, when the client attempts to access a shared resource
+within the domain, the client system enters into a secure challenge
+and response exchange with the server of the resource. The server
+then enters into another secure challenge and response conversation
+with a domain controller to check that the client is valid. (What
+actually happens is that the server uses information it gets from the
+client to pretend to be the client and authenticate itself with the
+domain controller. If the domain controller validates the
+credentials, it sends an SID back to the server, which uses the SID
+to create its own SAT for the client to enable access to its local
+resources on the client's behalf.) At this point,
+the client is authenticated for resources on the server and is
+allowed to access them. The server then uses the SID in the access
+token to determine what permissions the client has to use and modify
+the requested resource by comparing them to entries in the ACL of the
+resource.</p>
+
+<p>Although this method of authentication might seem overly complicated,
+it allows clients to authenticate without having plain-text passwords
+travel through the network, and it is much more difficult to crack
+than the relatively weak workgroup security we described earlier.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.4"/>
+
+<h3 class="head3">Name service with WINS and DNS</h3>
+
+<p>The <a name="INDEX-174"/><a name="INDEX-175"/>Windows
+Internet Name Service (WINS) is Microsoft's
+implementation of a NetBIOS name server (NBNS). As such, WINS
+inherits much of NetBIOS's characteristics. First,
+WINS is flat; you can have only simple machine names such as
+<tt class="literal">inca</tt>, <tt class="literal">mixtec</tt>, or
+<tt class="literal">navaho</tt>, and workgroups such as PERU, MEXICO, or
+USA. In addition, WINS is dynamic: when a client first comes online,
+it is required to report its hostname, its address, and its workgroup
+to the local WINS server. This WINS server will retain the
+information so long as the client periodically refreshes its WINS
+registration, which indicates that it's still
+connected to the network. Note that WINS servers are not workgroup-
+or domain-specific; they can contain information for multiple domains
+and/or workgroups, which might exist on more than one subnet.</p>
+
+<p>Multiple <a name="INDEX-176"/>WINS
+servers can be set to synchronize with each other. This allows
+entries for computers that come online and go offline in the network
+to propagate from one WINS server to another. While in theory this
+seems efficient, it can quickly become cumbersome if several WINS
+servers are covering a network. Because WINS services can cross
+multiple subnets (you'll either hardcode the address
+of a WINS server in each of your clients or obtain it via DHCP), it
+is often more efficient to have each Windows client, regardless of
+the number of Windows domains, point themselves to the same WINS
+server. That way, only one authoritative WINS server will have the
+correct information, instead of several WINS servers continually
+struggling to synchronize themselves with the most recent changes.</p>
+
+<p>The currently active WINS server is known as the <em class="firstterm">primary
+WINS server</em><a name="INDEX-177"/><a name="INDEX-178"/>. You can also install a secondary WINS
+server, which will take over if the primary WINS server fails or
+becomes inaccessible. Both the primary and any other WINS servers
+will synchronize their address databases on a periodic basis.</p>
+
+<p>In the Windows family of operating systems, only a server edition of
+Windows NT/2000 can act as a WINS server. Samba 2.2 can function as a
+primary WINS server, but cannot <a name="INDEX-179"/><a name="INDEX-180"/>synchronize
+its database with other WINS servers. It therefore cannot act as a
+secondary WINS server or as a primary WINS server for a Windows
+secondary WINS server.</p>
+
+<p>WINS handles name service by default, although Microsoft added DNS
+starting with Windows NT 4 Server. It is compatible with DNS that is
+standard on virtually every Unix system, and a Unix server (such as
+the Samba host) can also be used for DNS.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.5"/>
+
+<h3 class="head3">Trust relationships</h3>
+
+<p>One additional aspect of Windows NT domains not yet supported in
+Samba 2.2 is that it is possible to set up a <em class="emphasis">trust
+relationship</em><a name="INDEX-181"/><a name="INDEX-182"/><a name="INDEX-183"/> between domains, allowing clients
+within one domain to access the resources within another without the
+user having to go through additional authentication. The protocol
+that is followed is called <em class="emphasis">pass-through authentication</em>,
+<a name="INDEX-184"/><a name="INDEX-185"/>in which the
+user's credentials are passed from the client system
+in the first domain to the server in the second domain, which
+consults a domain controller in the first (trusted) domain to check
+that the user is valid before granting access to the resource.</p>
+
+<p>Note that in many aspects, the behaviors of a Windows workgroup and a
+Windows NT domain overlap. For example, the master and backup
+browsers in a domain are always the PDC and BDC, respectively.
+Let's update our Windows domain diagram to include
+both a local master and local backup browser. The result is shown in
+<a href="ch01.html#samba2-CHP-1-FIG-13">Figure 1-13</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-13"/><a name="INDEX-186"/><img src="figs/sam2_0113.gif"/></div><h4 class="head4">Figure 1-13. A Windows domain with a local master and local backup browser</h4>
+
+<p>The similarity between workgroups and NT domains is not accidental
+because the concept of Windows domains did not evolve until Windows
+NT 3.5 was introduced, and Windows domains were forced to remain
+backward-compatible with the workgroups present in Windows for
+Workgroups.</p>
+
+<p>Samba can function as a primary domain controller for Windows
+95/98/Me and Windows NT/2000/XP clients with the limitation that it
+can act as a PDC only, and not as a BDC.</p>
+
+<p>Samba can also function as a <em class="firstterm">domain member
+server</em><a name="INDEX-187"/><a name="INDEX-188"/>, meaning that it has a computer account
+in the PDC's account database and is therefore
+recognized as being part of the domain. A domain member server does
+not authenticate users logging on to the domain, but still handles
+security functions (such as file permissions) for domain users
+accessing its resources.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-5.3"/>
+
+<h3 class="head2">Active Directory Domains</h3>
+
+<p>Starting with Windows 2000, Microsoft has introduced
+<a name="INDEX-189"/><a name="INDEX-190"/>Active
+Directory, the next step beyond Windows NT domains. We
+won't go into much detail concerning Active
+Directory because it is a huge topic. <a name="INDEX-191"/>Samba 2.2 doesn't
+support Active Directory at all, and support in Samba 3.0 is limited
+to acting as a client. For now, be aware that with Active Directory,
+the authentication model is centered around
+<a name="INDEX-192"/>Lightweight Directory
+Access Protocol (LDAP), and name service is provided by DNS instead
+of WINS. Domains in Active Directory can be organized in a
+hierarchical tree structure, in which each domain controller operates
+as a peer, with no distinction between primary and backup controllers
+as in Windows NT domains.</p>
+
+<p>Windows 2000/XP systems can be set up as simple workgroup or Windows
+NT domain clients (which will function with Samba). The server
+editions of Windows 2000 can be set up to run Active Directory and
+support Windows NT domains for backward compatibility
+(<em class="firstterm">mixed mode</em>). In this case, Samba 2.2 works
+with Windows 2000 servers in the same way it works with Windows NT
+4.0 servers. When set up to operate in <em class="firstterm">native mode,
+</em><a name="INDEX-193"/>Windows 2000 servers support only
+Active Directory. Even so, <a name="INDEX-194"/>Samba 2.2 can operate as a server
+in a domain hosted by a native-mode Windows 2000 server, using the
+<a name="INDEX-195"/>Windows 2000 server's
+<em class="firstterm">PDC emulation mode</em>. However, it is not
+possible for Samba 2.2 or 3.0 to operate as a domain controller in a
+Windows 2000 Active Directory domain.</p>
+
+<p>If you want to know more about Active Directory, we encourage you to
+obtain a copy of the O'Reilly book,
+<em class="emphasis">Windows 2000 Active Directory</em>. <a name="INDEX-196"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-5.4"/>
+
+<h3 class="head2">Can a Windows Workgroup Span Multiple Subnets?</h3>
+
+<p><a name="INDEX-197"/><a name="INDEX-198"/>Yes, but most people who have
+done it have had their share of headaches. Spanning multiple subnets
+was not part of the initial design of Windows NT 3.5 or Windows for
+Workgroups. As a result, a Windows domain that spans two or more
+subnets is, in reality, the
+&quot;gluing&quot; together of two or more
+workgroups that share an identical name. The good news is that you
+can still use a PDC to control authentication across each subnet. The
+bad news is that things are not as simple with browsing.</p>
+
+<p>As mentioned previously, each subnet must have its own local master
+browser. When a Windows domain spans multiple subnets, a system
+administrator will have to assign one of the computers as the
+<em class="firstterm">domain master
+browser</em><a name="INDEX-199"/><a name="INDEX-200"/>. The domain master browser will keep a
+browse list for the entire Windows domain. This browse list is
+created by periodically synchronizing the browse lists of each local
+master browser with the browse list of the domain master browser.
+After the synchronization, the local master browser and the domain
+master browser should contain identical entries. See <a href="ch01.html#samba2-CHP-1-FIG-14">Figure 1-14</a> for an illustration.</p>
+
+<div class="figure"><a name="samba2-CHP-1-FIG-14"/><img src="figs/sam2_0114.gif"/></div><h4 class="head4">Figure 1-14. A workgroup that spans more than one subnet</h4>
+
+<p>Sound good? <a name="INDEX-201"/>Well, it's not quite
+nirvana for the following reasons:</p>
+
+<ul><li>
+<p>If it exists, a PDC always plays the role of the domain master
+browser. By Microsoft design, the two always share the NetBIOS
+resource type <tt class="literal">&lt;1B&gt;</tt> and (unfortunately)
+cannot be separated.</p>
+</li><li>
+<p>Windows 95/98/Me computers cannot become <em class="emphasis">or</em>
+<em class="emphasis">even contact</em> a domain master browser. This means
+that it is necessary to have at least one Windows NT/2000/XP system
+(or Samba server) on each subnet of a multisubnet workgroup.</p>
+</li></ul>
+<p>Each subnet's local master browser continues to
+maintain the browse list for its subnet, for which it becomes
+authoritative. So if a computer wants to see a list of servers within
+its own subnet, the local master browser of that subnet will be
+queried. If a computer wants to see a list of servers outside the
+subnet, it can still go only as far as the local master browser. This
+works because at appointed intervals, the authoritative browse list
+of a subnet's local master browser is synchronized
+with the domain master browser, which is synchronized with the local
+master browser of the other subnets in the domain. This is called
+<em class="firstterm">browse list propagation</em>.</p>
+
+<p>Samba can act as a domain master browser in a Windows NT domain, or
+it can act as a local master browser for a subnet, synchronizing its
+browse list with the domain master browser.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-6"/>
+
+<h2 class="head1">What's New in Samba 2.2?</h2>
+
+<p><a name="INDEX-202"/><a name="INDEX-203"/>In
+Version 2.2, Samba has more advanced support for Windows networking,
+including the ability to perform the more important tasks necessary
+for acting in a Windows NT domain. In addition, Samba 2.2 has some
+support for technologies that Microsoft introduced in Windows 2000,
+although the Samba team has saved Active Directory support for
+Version 3.0.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.1"/>
+
+<h3 class="head2">PDC Support for Windows 2000/XP Clients</h3>
+
+<p>Samba previously could act as a PDC to authenticate Windows 95/98/Me
+and Windows NT 4 systems. This functionality has been extended in
+Release 2.2 to include Windows 2000 and Windows XP. Thus, it is
+possible to have a Samba server supporting domain logons for a
+network of Windows clients, including the most recent releases from
+Microsoft. This can result in a very stable, high-performance, and
+more secure network, and gives you the added benefit of not having to
+purchase per-seat Windows CALs from Microsoft.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.2"/>
+
+<h3 class="head2">Microsoft Dfs Support</h3>
+
+<p><a name="INDEX-204"/>Microsoft Dfs allows shared resources that
+are dispersed among a number of servers in the network to be gathered
+together and appear to users as if they all exist in a single
+directory tree on one server. This method of organization makes life
+much simpler for users. Instead of having to browse around the
+network on a treasure hunt to locate the resource they want to use,
+they can go directly to the Dfs server and grab what they want. Samba
+2.2 offers support for serving Dfs, so a Windows server is no longer
+needed for this purpose.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.3"/>
+
+<h3 class="head2">Windows NT/2000/XP Printing Support</h3>
+
+<p>Windows NT/2000/XP has a different Remote Procedure Call (RPC)-based
+printer interface than Windows 95/98/Me does. In Samba 2.2, the
+Windows NT/2000/XP interface is supported. Along with this, the Samba
+team has been adding support for automatically downloading the
+printer driver from the Samba server while adding a new printer to a
+Windows client.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.4"/>
+
+<h3 class="head2">ACLs</h3>
+
+<p>Samba now supports
+<a name="INDEX-205"/>ACLs on its Unix host for Unix variants
+that support them. The list includes Solaris 2.6, 7, and 8, Irix,
+AIX, Linux (with either the ACL patch for the
+<a name="INDEX-206"/>ext2/ext3 filesystem from <a href="http://acl.bestbits.at">http://acl.bestbits.at</a> or when using the
+<a name="INDEX-207"/>XFS
+filesystem), and FreeBSD (Version 5.0 and later). When using ACL
+support, Samba translates between Unix ACLs and Windows NT/2000/XP
+ACLs, making the Samba host look and act more like a Windows
+NT/2000/XP server from the point of view of Windows clients.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.5"/>
+
+<h3 class="head2">Support for Windows Client Administration Tools</h3>
+
+<p>Windows comes with tools that can be used from a client to manage
+shared resources remotely on a Windows server. Samba 2.2 allows these
+tools to operate on shares on the Samba server as well.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.6"/>
+
+<h3 class="head2">Integration with Winbind</h3>
+
+<p><a name="INDEX-208"/>Winbind is a
+facility that allows users whose account information is stored in a
+Windows domain database to authenticate on a Unix system. The result
+is a unified logon environment, in which a user account can be kept
+on either the Unix system or a Windows NT/2000 domain controller.
+This greatly facilitates account management because administrators no
+longer need to keep the two systems synchronized, and it is possible
+for users whose accounts are held in a Windows domain to authenticate
+when accessing Samba shares.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.7"/>
+
+<h3 class="head2">Unix CIFS Extensions</h3>
+
+<p>The <a name="INDEX-209"/><a name="INDEX-210"/>Unix CIFS extensions were developed
+at Hewlett-Packard and introduced in Samba 2.2.4. They allow Samba
+servers to support Unix filesystem attributes, such as links and
+permissions, when sharing files with other Unix systems. This allows
+Samba to be used as an alternative to network file sharing (NFS) for
+Unix-to-Unix file sharing. An advantage of using Samba is that it
+authenticates individual users, whereas NFS authenticates only
+clients (based on their IP addresses, which is a poor security
+model). This gives Samba an edge in the area of security, along with
+its much greater configurability. See <a href="ch05.html">Chapter 5</a>
+for information on how to operate Unix systems as Samba clients.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-1-SECT-6.8"/>
+
+<h3 class="head2">And More...</h3>
+
+<p>As usual, the code has numerous improvements that do not show up at
+the administrative level in an immediate or obvious way. Samba now
+functions better on systems that employ <a name="INDEX-211"/>PAM
+(Pluggable Authentication Modules), and there is new support for
+profiling. Samba's support for oplocks has been
+strengthened, offering better integration with NFS server-terminated
+leases (currently on Irix and Linux only) and in the local filesystem
+with SMB locks mapped to POSIX locks (which is dependent on each Unix
+variant's implementation of POSIX locks). And of
+course there have been the usual bug fixes.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-7"/>
+
+<h2 class="head1">What's New in Samba 3.0?</h2>
+
+<p>The main distinguishing feature of <a name="INDEX-212"/><a name="INDEX-213"/>Samba 3.0
+is that it includes support for <a name="INDEX-214"/>Kerberos 5 authentication and
+<a name="INDEX-215"/>LDAP, which are
+required to act as clients in an Active Directory domain. Another
+feature that appeared in Samba 3.0 is support for Unicode, which
+greatly simplifies supporting international languages.</p>
+
+<p>In later Version 3 releases, the Samba team plans to develop support
+for
+<a name="INDEX-216"/>WINS
+replication, allowing Samba to act as a secondary WINS server or as a
+primary WINS server with Windows or Samba secondary WINS servers.
+Also planned are support for acting as a Windows NT BDC and support
+for Windows NT domain trust relationships.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-8"/>
+
+<h2 class="head1">What Can Samba Do?</h2>
+
+<p>Now let's wrap up by showing where Samba can help
+out and where it is limited. <a href="ch01.html#samba2-CHP-1-TABLE-9">Table 1-9</a> summarizes
+which roles Samba can and cannot play in a Windows NT or Active
+Directory domain or a Windows workgroup. Many of the Windows domain
+protocols are proprietary and have not been documented by Microsoft
+and therefore must be reverse-engineered by the Samba team before
+Samba can support them. As of Version 3.0, Samba cannot act as a
+backup in most roles and does not yet fully support Active Directory.</p>
+
+<a name="samba2-CHP-1-TABLE-9"/><h4 class="head4">Table 1-9. Samba roles (as of Version 3.0)</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Role</p>
+</th>
+<th>
+<p>Can perform?</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><a name="INDEX-217"/>File server</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Printer server</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Microsoft Dfs server</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Primary domain controller</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Backup domain controller</p>
+</td>
+<td>
+<p>No</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Active Directory domain controller</p>
+</td>
+<td>
+<p>No</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95/98/Me authentication</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT/2000/XP authentication</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Local master browser</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Local backup browser</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Domain master browser</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Primary WINS server</p>
+</td>
+<td>
+<p>Yes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Secondary WINS server</p>
+</td>
+<td>
+<p>No</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-9"/>
+
+<h2 class="head1">An Overview of the Samba Distribution</h2>
+
+<p><a name="INDEX-218"/>As mentioned earlier, Samba actually
+contains several programs that serve different but related purposes.
+These programs are documented more fully in <a href="appc.html">Appendix C</a>. For now, we will introduce each of them
+briefly and describe how they work together.</p>
+
+<p>The majority of the programs that come with Samba center on its two
+daemons. Let's take a refined look at the
+responsibilities of each daemon:</p>
+
+<dl>
+<dt><b><em class="emphasis">nmbd</em></b></dt>
+<dd>
+<p>The <em class="emphasis">nmbd</em><a name="INDEX-219"/> daemon is a simple name server that
+supplies WINS functionality. This daemon listens for name-server
+requests and provides the appropriate IP addresses when called upon.
+It also provides browse lists for the Network Neighborhood and
+participates in browsing elections.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbd</em></b></dt>
+<dd>
+<p>The <em class="emphasis">smbd</em><a name="INDEX-220"/> daemon manages the shared resources
+between the Samba server and its clients. It provides file, print,
+and browse services to <span class="acronym">SMB</span> clients across one or
+more networks and handles all notifications between the Samba server
+and the network clients. In addition, it is responsible for user
+authentication, resource locking, and data sharing through the
+<span class="acronym">SMB</span> protocol.</p>
+</dd>
+
+</dl>
+
+<p>New with Version 2.2, there is an additional daemon:</p>
+
+<dl>
+<dt><b><a name="INDEX-221"/><em class="emphasis">winbindd</em></b></dt>
+<dd>
+<p>This daemon is used along with the name service switch to get
+information on users and groups from a Windows NT server and allows
+Samba to authorize users through a Windows NT/2000 server.</p>
+</dd>
+
+</dl>
+
+<p>The Samba distribution also comes with a small set of Unix
+command-line tools:</p>
+
+<dl>
+<dt><b><em class="emphasis">findsmb</em><a name="INDEX-222"/></b></dt>
+<dd>
+<p>A program that searches the local network for computers that respond
+to SMB protocol and prints information on them.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">make_smbcodepage</em><a name="INDEX-223"/></b></dt>
+<dd>
+<p>A program used when working with Samba's
+internationalization features for telling Samba how to convert
+between upper- and lowercase in different character sets.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">make_unicodemap</em><a name="INDEX-224"/></b></dt>
+<dd>
+<p>Another internationalization program used with Samba for compiling
+Unicode map files that Samba uses to translate DOS codepages or Unix
+character sets into 16-bit unicode.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-225"/><em class="emphasis">net</em></b></dt>
+<dd>
+<p>A new program distributed with Samba 3.0 that can be used to perform
+remote administration of servers.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">nmblookup</em><a name="INDEX-226"/></b></dt>
+<dd>
+<p>A program that provides NBT name lookups to find a
+computer's IP address when given its machine name.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-227"/><em class="emphasis">pdbedit</em></b></dt>
+<dd>
+<p>A new program distributed with Samba 3.0 that is helpful for managing
+user accounts held in SAM databases.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">rpcclient</em><a name="INDEX-228"/></b></dt>
+<dd>
+<p>A program that can be used to run MS-RPC functions on Windows clients.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbcacls</em><a name="INDEX-229"/></b></dt>
+<dd>
+<p>A program that is used to set or show ACLs on Windows NT filesystems.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbclient</em><a name="INDEX-230"/></b></dt>
+<dd>
+<p>An <em class="emphasis">ftp</em>-like Unix client that can be used to connect to
+SMB shares and operate on them. The <em class="emphasis">smbclient</em>
+command is discussed in detail in <a href="ch05.html">Chapter 5</a>.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbcontrol</em><a name="INDEX-231"/></b></dt>
+<dd>
+<p>A simple administrative utility that sends messages to <em class="emphasis">nmbd</em>
+or <em class="emphasis">smbd</em>.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-232"/><em class="emphasis">smbgroupedit</em></b></dt>
+<dd>
+<p>A command that can be used to define mappings between Windows NT
+groups and Unix groups. It is new in Samba 3.0.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbmnt</em><a name="INDEX-233"/></b></dt>
+<dd>
+<p>A helper utility used along with <em class="emphasis">smbmount.</em></p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbmount</em><a name="INDEX-234"/></b></dt>
+<dd>
+<p>A program that mounts an smbfs filesystem, allowing remote SMB shares
+to be mounted in the filesystem of the Samba host.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbpasswd</em><a name="INDEX-235"/></b></dt>
+<dd>
+<p>A program that allows an administrator to change the passwords used
+by Samba.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbsh</em><a name="INDEX-236"/></b></dt>
+<dd>
+<p>A tool that functions like a command shell to allow access to a
+remote SMB filesystem and allow Unix utilities to operate on it. This
+command is covered in <a href="ch05.html">Chapter 5</a>.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbspool</em><a name="INDEX-237"/></b></dt>
+<dd>
+<p>A print-spooling program used to send files to remote printers that
+are shared on the SMB network.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbstatus</em><a name="INDEX-238"/></b></dt>
+<dd>
+<p>A program that reports the current network connections to the shares
+on a Samba server.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbtar</em><a name="INDEX-239"/></b></dt>
+<dd>
+<p>A program similar to the Unix <em class="filename">tar</em> command, for
+backing up data in SMB shares.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">smbumount</em><a name="INDEX-240"/></b></dt>
+<dd>
+<p>A program that works along with <em class="emphasis">smbmount</em> to unmount
+smbfs filesystems.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">testparm</em><a name="INDEX-241"/></b></dt>
+<dd>
+<p>A simple program for checking the Samba configuration file.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">testprns</em><a name="INDEX-242"/></b></dt>
+<dd>
+<p>A program that tests whether printers on the Samba host are
+recognized by the <em class="filename">smbd</em> daemon.</p>
+</dd>
+
+
+
+<dt><b><em class="emphasis">wbinfo</em><a name="INDEX-243"/></b></dt>
+<dd>
+<p>A utility used to query the <em class="filename">winbindd
+</em><a name="INDEX-244"/>daemon.</p>
+</dd>
+
+</dl>
+
+<p>Each major release of Samba goes through an exposure test before
+it's announced. In addition, it is quickly updated
+afterward if problems or unwanted side effects are found. The latest
+stable distribution as of this writing is Samba 2.2.6, and this book
+focuses mainly on the functionality supported in Samba 2.2.6, as
+opposed to older versions of Samba.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-1-SECT-10"/>
+
+<h2 class="head1">How Can I Get Samba?</h2>
+
+<p><a name="INDEX-245"/><a name="INDEX-246"/>Source
+and binary distributions of Samba are available from mirror sites
+across the Internet. The primary web site for Samba is located at
+<a href="http://www.samba.org/">http://www.samba.org/</a>. From there, you
+can select a mirror site that is geographically near you.</p>
+
+<p>Most Linux and many Unix vendors provide binary packages. These can
+be more convenient to install and maintain than the Samba
+team's source or binary packages, due to the
+vendor's efforts to supply a package that matches
+its specific products. <a name="INDEX-247"/></p>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> You
+can also right-click the shared resource in the Network Neighborhood
+and then select the Map Network Drive menu item.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Be
+warned that many end-user license agreements forbid installing a
+program on a network so that multiple clients can access it. Check
+the legal agreements that accompany the product to be absolutely
+sure.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> You
+might also see the abbreviation NetBT, which is common in Microsoft
+literature.</p> <a name="FOOTNOTE-4"/>
+<p><a href="#FNPTR-4">[4]</a> See
+<a href="http://www.samba.org/cifs/docs/what-is-smb.html">http://www.samba.org/cifs/docs/what-is-smb.html</a>
+for Richard's excellent summary of
+<a name="INDEX-93"/>SMB.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This
+was originally called <a name="INDEX-126"/><a name="INDEX-127"/><a name="INDEX-128"/>Network Neighborhood in Windows 95/98/NT,
+but Microsoft has changed the name to My Network Places in the more
+recent Windows Me/2000/XP. We will continue to call it Network
+Neighborhood, and if you're using a new version of
+Windows, be aware that My Network Places can act a little differently
+in some ways.</p> </blockquote>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/ch02.html b/docs/htmldocs/using_samba/ch02.html
new file mode 100644
index 0000000000..ecefb2fb7d
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch02.html
@@ -0,0 +1,1849 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 2. Installing Samba on a Unix System</h1>
+
+<p><a name="INDEX-1"/>Now
+that you know what Samba can do for you and your users,
+it's time to get your own network set up.
+Let's start with the installation of Samba. When
+dancing the samba, one learns by taking small steps.
+It's just the same when installing Samba; we need to
+teach it step by step. This chapter will help you start off on the
+right foot.</p>
+
+<p>For illustrative purposes, we will be installing the 2.2.6 version of
+the Samba server on a Linux system running Version 2.4 of the kernel.
+However, the installation steps are essentially the same for all the
+platforms Samba supports.</p>
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-1"/>
+
+<h2 class="head1">Bundled Versions</h2>
+
+<p><a name="INDEX-2"/><a name="INDEX-3"/>Samba is in such
+popular use that many Unix distributions come with it already
+installed. If you choose to use a bundled version of Samba, you can
+breeze through most of this chapter, but you'll be
+stuck with the Samba version and compile-time options your vendor
+selected for you. That version of Samba can't be any
+newer than the operating system release, so you're
+likely to be pretty far behind the latest developments. On the other
+hand, you can be fairly sure that a bundled version has been
+installed properly, and perhaps it will take only a few simple
+modifications to your <em class="emphasis">smb.conf</em> file for you to
+be off and running. Samba is mature enough that you probably
+don't need the latest release to meet your basic
+needs, so you might be perfectly happy running a bundled version.</p>
+
+<p>If you choose this option, be aware that your Samba files, including
+the very important
+<em class="emphasis">smb.conf</em>,<a name="INDEX-4"/> might be in different places
+than they would be if you were to install from a binary or source
+distribution. For example, with the Red Hat, Debian, and Mandrake
+Linux distributions, <em class="emphasis">smb.conf</em> and some other
+Samba-related files are in the <em class="emphasis">/etc/samba</em>
+directory.</p>
+
+<p>If Samba is already installed on your system, you can check to see
+what version you have by using the command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbd -V</b></tt>
+Version 2.2.6</pre></blockquote>
+
+<p>(If this doesn't work, it might be because
+<em class="emphasis">smbd</em> is not in your shell's
+search path. If you have the <em class="emphasis">locate</em> or
+<em class="emphasis">whereis</em> command in your Unix variant, you can
+use it to locate the <em class="emphasis">smbd</em> executable.)</p>
+
+<p>You might also be able to use a system-specific tool to query a
+software-package maintenance utility. On Red Hat Linux, you can use
+the <em class="emphasis">rpm</em><a name="INDEX-5"/> command to query the installed packages
+for Samba:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>rpm -qa | grep samba</b></tt>
+samba-client-2.0.8-1.7.1
+samba-2.0.8-1.7.1
+samba-common-2.0.8-1.7.1</pre></blockquote>
+
+<p>This shows we have Samba 2.0.8, divided into three Red Hat Package
+Manager (RPM) packages, bundled with Red Hat 7.1. If your version of
+Samba is old, you might at the very least want to check with your
+vendor for an update.</p>
+
+<p>Otherwise, if you're sure you are going to install
+from a binary or source distribution, you can remove the RPM packages
+as follows:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>rpm -e samba</b></tt>
+# <tt class="userinput"><b>rpm -e samba-client</b></tt>
+# <tt class="userinput"><b>rpm -e samba-common</b></tt></pre></blockquote>
+
+<p>If you are not using Red Hat Linux, consult your
+system's documentation to find the method that works
+for you.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-1.1"/>
+
+<h3 class="head2">Binary or Source?</h3>
+
+<p><a name="INDEX-6"/>Precompiled
+&quot;binary&quot; packages are also
+available for a large number of Unix platforms. These packages
+contain binaries for each Samba executable, as well as the standard
+Samba documentation. Note that while installing a binary distribution
+can save you a fair amount of time and trouble, you should keep a
+couple of issues in mind when deciding whether to use the binary or
+compile the source yourself:</p>
+
+<ul><li>
+<p>The binary packages can lag behind the latest version of the software
+by one or two (maybe more) minor releases, especially after a series
+of small changes and for less popular platforms. Compare the release
+notes for the source and binary packages to make sure there
+aren't any new features that you need on your
+platform.</p>
+</li><li>
+<p>If you use a precompiled binary that is dynamically linked, you will
+need to ensure that you have the correct libraries required by the
+executables. If your system does not already have the required
+version of a library, you might have to install a new version. The
+<em class="filename">README</em> file or <em class="filename">makefile</em>
+that accompanies the binary distribution should list any special
+requirements.</p>
+
+<p>Many systems with shared libraries come with a nifty tool called
+<em class="emphasis">ldd</em>. This tool will tell you which libraries a
+specific binary requires and which libraries on the system satisfy
+that requirement. For example, checking the <em class="emphasis">smbd</em>
+program on our test machine gave us:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ldd smbd</b></tt>
+        libdl.so.2 =&gt; /lib/libdl.so.2 (0x40026000)
+        libnsl.so.1 =&gt; /lib/libnsl.so.1 (0x4002a000)
+        libpam.so.0 =&gt; /lib/libpam.so.0 (0x40041000)
+        libc.so.6 =&gt; /lib/libc.so.6 (0x40049000)
+        /lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x40000000)</pre></blockquote>
+
+<p>If there are any incompatibilities between Samba and specific
+libraries on your machine, the distribution-specific documentation
+should highlight them.</p>
+</li><li>
+<p>If your precompiled binary is statically linked, it is still possible
+to have problems. There have been cases in which the statically
+linked C library calls in Samba programs have been out of sync with
+the operating-system kernel, even though this is
+&quot;not supposed to happen.&quot;</p>
+</li><li>
+<p>Keep in mind that each binary distribution carries preset values
+about the target platform, such as default directories and
+configuration option values. Again, check the documentation and the
+makefile included in the source directory to see which directives and
+variables were used when the binary was compiled. In some cases,
+these will not be appropriate for your situation.</p>
+
+<p>A few configuration items can be reset with command-line options at
+runtime rather than at compile time. For example, if your binary
+tries to place any log, lock, or status files in the
+&quot;wrong&quot; place (for example, in
+<em class="filename">/usr/local</em> ), you can override this without
+recompiling.</p>
+</li></ul>
+<p>One point worth mentioning is that the Samba source requires an
+<a name="INDEX-7"/><a name="INDEX-8"/><a name="INDEX-9"/>ANSI C
+compiler. If you are on a legacy platform with a non-ANSI compiler,
+such as the <em class="emphasis">cc</em> compiler on SunOS Version 4,
+you'll have to install an ANSI-compliant compiler
+such as <em class="emphasis">gcc</em> <a name="INDEX-10"/>before you do anything else.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a>
+If installing a compiler isn't something you want to
+wrestle with, you can start off with a binary package. However, for
+the most flexibility and compatibility on your system, we always
+recommend compiling from the latest stable or production source.</p>
+
+<p>A typical installation will take about an hour to complete, including
+downloading the source files and compiling them, setting up the
+configuration files, and testing the server.</p>
+
+<p>Here is an overview of the steps:</p>
+
+<ol><li>
+<p><a name="INDEX-11"/>Download the source or binary files.</p>
+</li><li>
+<p>Read the installation documentation.</p>
+</li><li>
+<p>Configure a makefile.</p>
+</li><li>
+<p>Compile the server and utility programs.</p>
+</li><li>
+<p>Install the server files.</p>
+</li><li>
+<p>Create a Samba configuration file.</p>
+</li><li>
+<p>Test the configuration file.</p>
+</li><li>
+<p>Start the Samba daemons.</p>
+</li><li>
+<p>Test the Samba daemons. <a name="INDEX-12"/></p>
+</li></ol>
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-2"/>
+
+<h2 class="head1">Downloading the Samba Distribution</h2>
+
+<p><a name="INDEX-13"/>If
+you would like to download the latest version of the Samba software,
+the primary web site is <a href="http://www.samba.org">http://www.samba.org</a>. Once connected to this
+page, you'll see links to several Samba mirror sites
+across the world, both for the standard Samba web pages and for sites
+devoted exclusively to downloading Samba. For the best performance,
+choose a site that is closest to your own geographic location.</p>
+
+<p>The standard Samba web sites have Samba
+<a name="INDEX-14"/>documentation and
+<a name="INDEX-15"/>tutorials,
+<a name="INDEX-16"/>mailing-list
+archives, and the latest Samba <a name="INDEX-17"/>news, as well as source and binary
+distributions of Samba. The download sites (sometimes called
+<em class="emphasis">F T P sites</em>) have only the source and binary
+distributions. Unless you specifically want an older version of the
+Samba server or are going to install a binary distribution, download
+the latest source distribution from the closest mirror site. This
+distribution is always named:</p>
+
+<blockquote><pre class="code">samba-latest.tar.gz</pre></blockquote>
+
+<p>which for the 2.2.6 release is an approximately 5MB file.</p>
+
+<p>The source distribution has been archived with
+<em class="emphasis">tar</em> and then compressed with the GNU
+<em class="emphasis">gzip</em> program. To unpack it, move the file to the
+directory in which you want the Samba source directory to be located,
+then <em class="emphasis">cd</em> to that directory and run the command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>tar xvfz samba-latest.tar.gz</b></tt></pre></blockquote>
+
+<p>Or, if you do not have the GNU <em class="emphasis">tar</em> program
+(which also handles the unzipping):</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>gunzip samba-latest.tar.gz</b></tt>
+$ <tt class="userinput"><b>tar xvf samba-latest.tar</b></tt></pre></blockquote>
+
+<p>In that latter case, you might need to install the GNU
+<em class="emphasis">gunzip</em> program first. While the
+<em class="emphasis">tar</em> command runs, it will print out a list of
+the files it installs.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-2.1"/>
+
+<h3 class="head2">Read the Documentation</h3>
+
+<p><a name="INDEX-18"/>This
+part might seem obvious, but at one time or other you probably
+uncompressed a package, blindly typed:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>configure; make; make install</b></tt></pre></blockquote>
+
+<p>and walked away to get another cup of coffee. Do yourself a favor and
+be a little more careful this time.</p>
+
+<p>In the top-level directory that you just installed, there is a file
+named <em class="filename">WHATSNEW.txt</em>, which contains the latest
+news about the release. If you are upgrading, you can find important
+information about bug fixes or configuration parameters that have
+been added or are no longer supported.</p>
+
+<p>With both source and binary packages you'll find a
+large number of documents in the <em class="filename">docs</em> directory,
+in a variety of formats. One file is especially important:</p>
+
+<blockquote><pre class="code">docs/htmldocs/UNIX_INSTALL.html</pre></blockquote>
+
+<p>This is the Samba Team's official instructions on
+installing Samba on a Unix system, which you might like to use as
+another perspective besides what we are telling you here.</p>
+
+<p>In general, we expect you'll find to be most useful
+the files in the following directories:</p>
+
+<dl>
+<dt><b>docs/faq</b></dt>
+<dd>
+<p>This is the Samba Frequently Asked Questions (FAQ) files.</p>
+</dd>
+
+
+
+<dt><b>docs/htmldocs</b></dt>
+<dd>
+<p>This is the miscellaneous documentation in HTML format.</p>
+</dd>
+
+
+
+<dt><b>docs/textdocs</b></dt>
+<dd>
+<p>Here is more documentation, in simple text format.</p>
+</dd>
+
+
+
+<dt><b>docs/manpages</b></dt>
+<dd>
+<p>You don't need to worry about these yet; during the
+installation, the files will be installed so that you can use the
+<em class="emphasis">man</em> command to read them. But you can take a
+look in the directory to see which manpages are available.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-3"/>
+
+<h2 class="head1">Configuring Samba</h2>
+
+<p><a name="INDEX-19"/><a name="INDEX-20"/>Samba automatically configures itself
+prior to compilation. This reduces the likelihood of a
+machine-specific problem, but you might end up wishing for an option
+after Samba has been installed.</p>
+
+<p>The source distribution of Samba 2.2 and above
+doesn't initially have a
+<a name="INDEX-21"/>makefile. Instead, one is
+generated through a <a name="INDEX-22"/><a name="INDEX-23"/>GNU <em class="filename">configure</em>
+script, which is located in the <em class="filename">samba-2.2.x
+/source/</em> directory. The <em class="firstterm">configure</em>
+script takes care of the machine-specific issues of building Samba.</p>
+
+<a name="samba2-CHP-2-NOTE-88"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+
+
+
+<p>Before running the <em class="filename">configure</em> script, it is
+important that you become the root user on the system. Otherwise, you
+might get a warning such as:</p>
+
+
+<blockquote><pre class="code">configure: warning: running as non-root will disable some tests</pre></blockquote>
+
+
+<p>You don't want any test to be disabled when the
+Samba makefile is being created; it would leave the potential for
+errors down the road when compiling or running Samba on your system.</p>
+</blockquote>
+
+<p>When the <em class="filename">configure </em>script is run, it prints out
+messages telling what it is doing, and error messages might be mixed
+in. To make sure you see those very important error messages, we
+suggest you run <em class="filename">configure </em>with its standard
+output passed through some filter to capture the output and keep it
+from scrolling out of sight. One method is using the
+<em class="filename">more</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure | more</b></tt></pre></blockquote>
+
+<p>We will show you another in a moment.</p>
+
+<p>Although you can run <em class="filename">configure </em>as previously
+with no options, you might want to add support for extra features by
+passing options on the command line. For example:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure --with-winbind</b></tt></pre></blockquote>
+
+<p>will configure the Samba makefile with support for winbind
+authentication. If you would like a complete list of options, type
+the following:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>./configure --help</b></tt></pre></blockquote>
+
+<p>Each option enables or disables various features. You typically
+enable a feature by specifying the
+<tt class="literal">--</tt><a name="INDEX-24"/><a name="INDEX-25"/><a name="INDEX-26"/><a name="INDEX-27"/><tt class="literal">with-</tt><em class="replaceable">feature</em>
+option, which will cause the feature to be compiled and installed.
+Likewise, if you specify a
+<tt class="literal">--without-</tt><em class="replaceable">feature</em>
+option, the feature will be disabled. A full list of configuration
+options is provided in <a href="appe.html">Appendix E</a>, but for now we
+want to point out three of them, which are features we cover later in
+this book:</p>
+
+<dl>
+<dt><b><tt class="literal">--with-msdfs</tt><a name="INDEX-28"/><a name="INDEX-29"/></b></dt>
+<dd>
+<p>Include support for Microsoft Distributed filesystem (Dfs), which
+allows dispersed network resources to be clumped together into one
+easy-to-navigate directory tree. See <a href="ch08.html">Chapter 8</a>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-smbwrapper</tt><a name="INDEX-30"/><a name="INDEX-31"/></b></dt>
+<dd>
+<p>Include SMB wrapper support, which allows programs running on the
+Unix host to access SMB shared folders as if they were Unix
+filesystems. We recommend using this option. See <a href="ch05.html">Chapter 5</a>.</p>
+</dd>
+
+
+
+<dt><b><tt class="literal">--with-smbmount</tt><a name="INDEX-32"/><a name="INDEX-33"/></b></dt>
+<dd>
+<p>Include <em class="emphasis">smbmount</em> support, which allows SMB
+shared folders to be mounted in the Unix filesystem. At the time of
+this writing, support for this feature exists only for Linux. This is
+also covered in <a href="ch05.html">Chapter 5</a>.</p>
+</dd>
+
+</dl>
+
+<p>Each option is disabled by default, and none of the features is
+essential to Samba. However, you may want to include them in your
+configuration (as we will in our example) at least to be able to try
+out the options in later chapters.</p>
+
+<p>In addition, <a href="ch02.html#samba2-CHP-2-TABLE-1">Table 2-1</a> shows some other parameters
+that you can give the <em class="filename">configure</em> script if you
+wish to store parts of the Samba distribution in different places,
+perhaps to make use of multiple disks or partitions. Note that the
+defaults sometimes refer to a prefix specified earlier in the table.</p>
+
+<a name="samba2-CHP-2-TABLE-1"/><h4 class="head4">Table 2-1. Additional configure options</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Meaning</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">--prefix</tt><a name="INDEX-34"/><a name="INDEX-35"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install architecture-independent files at the base directory
+specified.</p>
+</td>
+<td>
+<p><em class="filename">/usr/local/samba</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--eprefix</tt><a name="INDEX-36"/><a name="INDEX-37"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install architecture-dependent files at the base directory specified.</p>
+</td>
+<td>
+<p><em class="filename">/usr/local/samba</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--bindir</tt><a name="INDEX-38"/><a name="INDEX-39"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install user executables in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">eprefix</em><em class="filename">/bin</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--sbindir</tt><a name="INDEX-40"/><a name="INDEX-41"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install administrator executables in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">eprefix</em><em class="filename">/bin</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--libexecdir</tt><a name="INDEX-42"/><a name="INDEX-43"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install program executables in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">eprefix</em><em class="filename">/libexec</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--datadir</tt><a name="INDEX-44"/><a name="INDEX-45"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install read-only architecture-independent data in the directory
+specified.</p>
+</td>
+<td>
+<p><em class="replaceable">prefix</em><em class="filename">/share</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--libdir</tt><a name="INDEX-46"/><a name="INDEX-47"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install program libraries in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">eprefix</em><em class="filename">/lib</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--includedir</tt><a name="INDEX-48"/><a name="INDEX-49"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install package-include files in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">prefix</em><em class="filename">/include</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--infodir</tt><a name="INDEX-50"/><a name="INDEX-51"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install additional information files in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">prefix</em><em class="filename">/info</em></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">--mandir</tt><a name="INDEX-52"/><a name="INDEX-53"/>=<em class="replaceable">directory</em></p>
+</td>
+<td>
+<p>Install manual pages in the directory specified.</p>
+</td>
+<td>
+<p><em class="replaceable">prefix</em><em class="filename">/man</em></p>
+</td>
+</tr>
+
+</table>
+
+<p>Here is a sample execution of the
+<em class="filename">configure</em><a name="INDEX-54"/>
+script, which creates a Samba 2.2.6 makefile for the Linux platform.
+Note that you must run the configure script in the
+<em class="emphasis">source</em> directory and that we are showing you yet
+another way to capture the output of the script:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cd samba-2.2.6/source/</b></tt>
+$ <tt class="userinput"><b>su</b></tt>
+Password:
+# <tt class="userinput"><b>./configure --with-smbwrapper --with-smbmount \</b></tt>
+<tt class="userinput"><b>--with-msdfs --with-syslog --with-utmp 2&gt;&amp;1 | tee config.my.log</b></tt>
+loading cache ./config.cache
+checking for gcc... (cached) gcc
+checking whether the C compiler (gcc -O ) works... yes
+checking whether the C compiler (gcc -O ) is a cross-compiler... no
+checking whether we are using GNU C... (cached) yes
+checking whether gcc accepts -g... (cached) yes
+checking for a BSD-compatible install... (cached) /usr/bin/install -c
+
+<i class="lineannotation">...(content omitted)...</i>
+
+checking configure summary
+configure OK
+creating ./config.status
+creating include/stamp-h
+creating Makefile
+creating include/config.h</pre></blockquote>
+
+<p>In general, any message from <em class="filename">configure</em> that
+doesn't begin with the words
+<tt class="literal">checking</tt><a name="INDEX-55"/> or
+<tt class="literal">creating</tt><a name="INDEX-56"/> is an
+<a name="INDEX-57"/>error; it often helps to redirect the
+output of the configure script to a file so that you can quickly
+search for errors, as we did with the <em class="filename">tee</em>
+command earlier. If there was an error during configuration, more
+detailed information about it can be found in the
+<em class="filename">config.log</em><a name="INDEX-58"/> file, which is written to the local
+directory by the <em class="filename">configure</em> script, as well as in
+the <em class="filename">config.my.log</em> file, which we created by
+piping through the <em class="filename">tee</em> command. These files are
+very similar in both name and content, but be careful to check both
+of them for error messages before continuing!</p>
+
+<p>If the configuration works, you'll see a
+<tt class="literal">checking</tt> <tt class="literal">configure</tt>
+<tt class="literal">summary</tt> message followed by a
+<tt class="literal">configure</tt> <tt class="literal">OK</tt> message and four
+or five file-creation messages. So far, so good. <a name="INDEX-59"/></p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-4"/>
+
+<h2 class="head1">Compiling and Installing Samba</h2>
+
+<p><a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/>At this point you should be ready to build
+the Samba executables. Compiling is also easy: in the
+<em class="filename">source</em> directory, type <tt class="literal">make</tt>
+on the command line. The
+<em class="filename">make</em><a name="INDEX-64"/> utility will produce a stream of
+explanatory and success messages, beginning with:</p>
+
+<blockquote><pre class="code">Using FLAGS = -O -Iinclude ...</pre></blockquote>
+
+<p>This build includes compiles for both <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em> and ends in a linking command for
+<em class="filename">bin/nmblookup</em>. For example, here is a sample
+make of Samba Version 2.2.6 on a Linux server:</p>
+
+<blockquote><pre class="code"># make 2&gt;&amp;1 | tee make.log
+Using FLAGS =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE64
+_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE  -DLOGFILEBASE=&quot;/usr/local/samba/va
+r&quot; -DCONFIGFILE=&quot;/usr/local/samba/lib/smb.conf&quot; -DLMHOSTSFILE=&quot;/usr/local/samba/
+lib/lmhosts&quot;   -DSWATDIR=&quot;/usr/local/samba/swat&quot; -DSBINDIR=&quot;/usr/local/samba/bin
+&quot; -DLOCKDIR=&quot;/usr/local/samba/var/locks&quot; -DCODEPAGEDIR=&quot;/usr/local/samba/lib/cod
+epages&quot; -DDRIVERFILE=&quot;/usr/local/samba/lib/printers.def&quot; -DBINDIR=&quot;/usr/local/sa
+mba/bin&quot;  -DHAVE_INCLUDES_H -DPASSWD_PROGRAM=&quot;/bin/passwd&quot; -DSMB_PASSWD_FILE=&quot;/u
+sr/local/samba/private/smbpasswd&quot; -DTDB_PASSWD_FILE=&quot;/usr/local/samba/private/sm
+bpasswd.tdb&quot;
+Using FLAGS32 =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE
+64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE  -DLOGFILEBASE=&quot;/usr/local/samba/
+var&quot; -DCONFIGFILE=&quot;/usr/local/samba/lib/smb.conf&quot; -DLMHOSTSFILE=&quot;/usr/local/samb
+a/lib/lmhosts&quot;   -DSWATDIR=&quot;/usr/local/samba/swat&quot; -DSBINDIR=&quot;/usr/local/samba/b
+in&quot; -DLOCKDIR=&quot;/usr/local/samba/var/locks&quot; -DCODEPAGEDIR=&quot;/usr/local/samba/lib/c
+odepages&quot; -DDRIVERFILE=&quot;/usr/local/samba/lib/printers.def&quot; -DBINDIR=&quot;/usr/local/
+samba/bin&quot;  -DHAVE_INCLUDES_H -DPASSWD_PROGRAM=&quot;/bin/passwd&quot; -DSMB_PASSWD_FILE=&quot;
+/usr/local/samba/private/smbpasswd&quot; -DTDB_PASSWD_FILE=&quot;/usr/local/samba/private/
+smbpasswd.tdb&quot;
+Using LIBS = -ldl -lnsl -lpam
+Compiling smbd/server.c
+Compiling smbd/files.c
+Compiling smbd/chgpasswd.c
+Compiling smbd/connection.c
+Compiling smbd/utmp.c
+Compiling smbd/session.c
+Compiling smbd/dfree.c
+Compiling smbd/dir.c
+
+<i class="lineannotation">...(content omitted)...</i>
+
+Compiling rpc_server/srv_srvsvc.c
+Compiling rpc_server/srv_srvsvc_nt.c
+Compiling rpc_server/srv_util.c
+Compiling rpc_server/srv_wkssvc.c
+Compiling rpc_server/srv_wkssvc_nt.c
+Compiling rpc_server/srv_pipe.c
+Compiling rpc_server/srv_dfs.c
+Compiling rpc_server/srv_dfs_nt.c
+Compiling rpc_server/srv_spoolss.c
+Compiling rpc_server/srv_spoolss_nt.c
+Compiling lib/util_getent.c
+Compiling rpc_parse/parse_lsa.c
+Compiling rpc_parse/parse_net.c
+Compiling rpc_parse/parsen/smbmount
+Compiling client/smbmnt.c
+Linking bin/smbmnt
+Compiling client/smbumount.c
+Linking bin/smbumount
+Compiling utils/nmblookup.c
+Linking bin/nmblookup</pre></blockquote>
+
+<p>If you encounter a problem when compiling, first check the Samba
+documentation to see if it is easily fixable. Another possibility is
+to search or post to the Samba mailing lists, which are given at the
+end of <a href="ch12.html">Chapter 12</a> and on the Samba home page. Most
+compilation issues are system-specific and almost always easy to
+overcome.</p>
+
+<p>Now that the files have been compiled, you can install them into the
+directories you identified with the command:</p>
+
+<blockquote><pre class="code">#<tt class="userinput"><b> make install</b></tt></pre></blockquote>
+
+<p>If you happen to be <a name="INDEX-65"/>upgrading, your old Samba files will be
+saved with the extension
+<em class="emphasis">.old</em>,<a name="INDEX-66"/> and you can go back to that previous
+version with the command
+<tt class="literal">make</tt><a name="INDEX-67"/> <tt class="literal">revert</tt>. After doing a
+<tt class="literal">make</tt><a name="INDEX-68"/> <tt class="literal">install</tt>, you should
+copy the <em class="emphasis">.old</em> files (if they exist) to a new
+location or name. Otherwise, the next time you install Samba, the
+original <em class="emphasis">.old</em> will be overwritten without
+warning and you could lose your earlier version. If you configured
+Samba to use the default locations for files, the new files will be
+installed in the directories listed in <a href="ch02.html#samba2-CHP-2-TABLE-2">Table 2-2</a>.
+Remember that you need to perform the installation from an account
+that has write privileges on these target directories; this is
+typically the root account.</p>
+
+<a name="samba2-CHP-2-TABLE-2"/><h4 class="head4">Table 2-2. Samba installation directories</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Directory</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba</em></p>
+</td>
+<td>
+<p>Main tree</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/bin</em></p>
+</td>
+<td>
+<p>Binaries</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/lib</em></p>
+</td>
+<td>
+<p><em class="emphasis">smb.conf</em>, <em class="emphasis">lmhosts</em>,
+configuration files, etc.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/man</em></p>
+</td>
+<td>
+<p>Samba documentation</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/private</em></p>
+</td>
+<td>
+<p>Samba-encrypted password file</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/swat</em></p>
+</td>
+<td>
+<p>SWAT files</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">/usr/local/samba/var</em></p>
+</td>
+<td>
+<p>Samba log files, lock files, browse list info, shared memory files,
+process ID files</p>
+</td>
+</tr>
+
+</table>
+
+<p>Throughout the remainder of the book, we occasionally refer to the
+location of the main tree as <em class="filename">/usr/local/samba</em>.
+In most configurations, this is the base directory of the installed
+Samba package; however, it can vary from system to system<em class="filename">
+</em>.</p>
+
+<a name="samba2-CHP-2-NOTE-90"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Watch out if you've made <em class="filename">/usr</em> a
+read-only partition. You will want to put the logs, locks, and
+password files somewhere else.</p>
+</blockquote>
+
+<p>Here is the installation that we performed on our machine. You can
+see that we used <em class="filename">/usr/local/samba</em> as the base
+directory for the distribution:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>make install 2&gt;&amp;1 | tee make-install.log</b></tt>
+Using FLAGS =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE64
+_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE  -DLOGFILEBASE=&quot;/usr/local/samba/va
+r&quot; -DCONFIGFILE=&quot;/usr/local/samba/lib/smb.conf&quot;
+
+<i class="lineannotation">...(content omitted)...</i>
+
+The binaries are installed. You can restore the old binaries (if there
+were any) using the command &quot;make revert&quot;. You can uninstall the binaries
+using the command &quot;make uninstallbin&quot; or &quot;make uninstall&quot; to uninstall
+binaries, manpages and shell scripts.
+
+<i class="lineannotation">...(content omitted)...</i>
+
+======================================================================
+The SWAT files have been installed. Remember to read the swat/README
+for information on enabling and using SWAT.
+======================================================================</pre></blockquote>
+
+<p>If the last message is about SWAT, you've
+successfully installed all the files. Congratulations! You now have
+Samba on your system!</p>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-4.1"/>
+
+<h3 class="head2">Upgrading Your Installation</h3>
+
+<p><a name="INDEX-70"/><a name="INDEX-71"/>Eventually a new version of
+Samba will be released, and you will want to upgrade. This is simple;
+just repeat the same steps you used to install your current version.
+Download the source distribution from the Samba web site and install
+it, then run the <tt class="literal">./configure</tt>,
+<tt class="literal">make</tt>, and <tt class="literal">make</tt>
+<tt class="literal">install</tt> commands as before. If
+you've forgotten which options you used with the
+<a name="INDEX-72"/><a name="INDEX-73"/><a name="INDEX-74"/><a name="INDEX-75"/><em class="emphasis">configure</em>
+script, take a look at the
+<em class="filename">source/config.status</em><a name="INDEX-76"/><a name="INDEX-77"/> file in your previous
+version's source distribution. The first few lines
+of this file show the options used the last time
+<em class="emphasis">configure</em> was run.</p>
+
+<p>When you run the <tt class="literal">make
+install</tt><a name="INDEX-78"/> command to install your new
+version, the files of the previous version are replaced with the new
+ones, and then all you have to do is restart the Samba daemons to get
+your new version running. See <a href="ch02.html#samba2-CHP-2-SECT-8">Section 2.8</a> later in this chapter for directions on how to do this.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-4.2"/>
+
+<h3 class="head2">Reconfiguring Samba</h3>
+
+<p><a name="INDEX-79"/>If you
+have already compiled Samba and wish to recompile the same source
+code with different <em class="emphasis">configure</em> options, you
+should run the following three commands in the
+<em class="emphasis">source</em> directory before rerunning the
+<em class="emphasis">configure</em> script:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>autoconf</b></tt>
+# <tt class="userinput"><b>make clean</b></tt>
+# <tt class="userinput"><b>rm config.cache</b></tt></pre></blockquote>
+
+<p>This ensures that you are starting with a clean slate and that your
+previous <em class="emphasis">configure</em> command does not leave any
+data around that can affect your new build. From here, you can rerun
+<tt class="literal">./configure</tt> and then <tt class="literal">make</tt> and
+<tt class="literal">make install</tt>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-4.3"/>
+
+<h3 class="head2">Setting Search Paths</h3>
+
+<p><a name="INDEX-80"/>You
+will probably want to run commands included in the Samba distribution
+without having to specify their full directory paths. For that to
+work, the directory in which the Samba executables are located,
+<em class="filename">/usr/local/samba/bin</em> by default, must be added
+to your shell's <a name="INDEX-81"/>PATH environment variable. This
+environment variable is usually set in one or more of the
+shell's startup files, which in the case of
+<em class="emphasis">bash</em> are <em class="filename">/etc/profile</em>
+(systemwide) and the <em class="filename">.bash_profile</em> and
+<em class="filename">.bashrc</em> files in each user's
+home directory.</p>
+
+<p>To be able to read the <a name="INDEX-82"/><a name="INDEX-83"/><a name="INDEX-84"/>Samba manual pages using the
+<em class="emphasis">man</em> command, the directory where
+Samba's manual pages reside,
+<em class="filename">/usr/local/samba/man</em> by default, must be in your
+<a name="INDEX-85"/>MANPATH environment variable. On Red
+Hat Linux, this can be accomplished by adding the following two lines
+to <em class="filename">/etc/man.config</em>:</p>
+
+<a name="INDEX-86"/><a name="INDEX-87"/><blockquote><pre class="code">
+MANPATH            /usr/local/samba/man
+MANPATH_MAP        /usr/local/samba/bin     /usr/local/samba/man</pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-5"/>
+
+<h2 class="head1">Enabling SWAT</h2>
+
+<p>The <a name="INDEX-88"/><a name="INDEX-89"/>Samba
+Web Administration Tool (SWAT) runs as a daemon under
+<em class="emphasis">inetd</em> or <em class="filename">xinetd </em>and
+provides a forms-based editor in your web browser for creating and
+modifying <a name="INDEX-90"/>Samba's
+configuration file. For SWAT to work, entries must be added for it in
+the <em class="filename">/etc/services</em> and
+<em class="filename">/etc/inetd.conf</em> (or
+<em class="filename">/etc/xinetd.d/swat) </em>configuration files. To add
+the entries, follow these two steps:</p>
+
+<ol><li>
+<p>Check your <em class="filename">/etc/services</em> file, and if it does
+not contain the following line, add it to the end of the file:</p>
+
+<blockquote><pre class="code">swat   901/tcp</pre></blockquote>
+</li>
+<li>
+<p>Now for <em class="filename">inetd </em><a name="INDEX-91"/>or <em class="filename">xinetd.
+</em><a name="INDEX-92"/>These are &quot;Internet
+super daemons&quot; that handle starting daemons on
+demand, instead of letting them sit around in memory consuming system
+resources. Most systems use <em class="filename">inetd, </em>but
+<em class="filename">xinetd </em>is also used in some versions of Unix,
+notably the Red Hat Linux (Versions 7 and newer) that we use in our
+examples. You can use the <em class="emphasis">ps</em> command to see
+which of the two your system is running.</p>
+</li></ol>
+<p>For <em class="filename">inetd, </em>add a line to the
+<em class="emphasis">/etc/</em><em class="filename">inetd.conf </em>file.
+(Check your <em class="filename">inetd.conf</em> manual page to see the
+exact format of the<em class="filename"> inetd.conf</em> file if it
+differs from the following example.) Don't forget to
+change the path to the SWAT binary if you installed it in a different
+location from the default <em class="filename">/usr/local/samba</em>:</p>
+
+<blockquote><pre class="code">swat   stream  tcp  nowait  root  /usr/local/samba/bin/swat  swat</pre></blockquote>
+
+<p>Then force <em class="filename">inetd</em> to reread its configuration
+file by sending it a SIGHUP (hangup) signal:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/bin/kill -HUP -a inetd</b></tt></pre></blockquote>
+
+<p>Notice that we are using a version of the <em class="emphasis">kill</em>
+command that supports the <em class="emphasis">-a</em> option, so as to
+allow us to specify the process by name. On FreeBSD and Linux, you
+can use the <em class="emphasis">killall</em> command<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> as follows:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>killall -HUP inetd</b></tt></pre></blockquote>
+
+<p>If you are not running Linux or FreeBSD and your version of
+<em class="emphasis">kill</em> doesn't have the
+<em class="emphasis">-a</em> option, you will need to use the
+<em class="emphasis">ps</em> command to find the process ID and then
+supply that to <em class="emphasis">kill</em>:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ps ax | grep inetd</b></tt>
+  780 ?        S      0:00 inetd
+ 1981 pts/4    S      0:00 grep inetd                                         
+# <tt class="userinput"><b>kill -HUP 780</b></tt></pre></blockquote>
+
+<p>If your system is using <em class="filename">xinet, </em>add a file named
+<em class="emphasis">swat</em> in your <em class="filename">/etc/xinetd.d
+</em>directory, containing the following:</p>
+
+<blockquote><pre class="code"># description: swat is the Samba Web Administration Tool, which
+#       allows an administrator to configure Samba using a web
+#       browser interface, with the URL http://localhost:901
+service swat.
+{
+        socket_type             = stream
+        wait                    = no
+        protocol                = tcp
+        only_from               = localhost
+        user                    = root
+        log_on_failure          += USERID
+        server                  = /usr/local/samba/bin/swat
+        port                    = 901
+        disable                 = no
+}</pre></blockquote>
+
+<p>Then <em class="emphasis">xinetd</em> needs to be sent a signal<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> to make it reread its configuration files:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/bin/kill -HUP -a xinetd</b></tt></pre></blockquote>
+
+<p>And that's pretty much it for the installation.
+Before you can start up Samba, however, you need to create a
+configuration file for it.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-6"/>
+
+<h2 class="head1">A Basic Samba Configuration File</h2>
+
+<p><a name="INDEX-93"/>The
+key to configuring Samba is its configuration file,
+<em class="filename">smb.conf</em>. This configuration file can be very
+simple or extremely complex, and the rest of this book is devoted to
+helping you get deeply personal with this file. For now, however,
+we'll show you how to set up a single file service,
+which will allow you to fire up the Samba daemons and see that
+everything is running as it should be. In later chapters, you will
+see how to configure Samba for more complicated and interesting
+tasks.</p>
+
+<p>The installation process does not automatically create an
+<em class="filename">smb.conf</em> configuration file, although several
+example files are included in the Samba distribution. To test the
+server software, though, we'll use the following
+file, which you can create in a text editor. It should be named
+<em class="filename">smb.conf</em> and placed in the
+<em class="emphasis">/usr/local/samba/lib</em> directory:<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a></p>
+
+<blockquote><pre class="code">[global]
+    workgroup = METRAN 
+[test] 
+    comment = For testing only, please
+    path = /usr/local/samba/tmp
+    read only = no
+    guest ok = yes</pre></blockquote>
+
+<p>This brief configuration file tells the Samba server to offer the
+<em class="filename">/usr/local/samba/tmp</em> directory on the server as
+an SMB share called <em class="emphasis">test</em>. The server also
+becomes part of the METRAN workgroup, of which each client must also
+be a part. If you have already chosen a name for your own workgroup,
+use the name of your workgroup instead of METRAN in the previous
+example. In case you are connecting your Samba system into an
+existing network and need to know the workgroup name, you can ask
+another system administrator or go to a Windows system in the
+workgroup and follow these instructions:</p>
+
+<ul><li>
+<p>Windows 95/98/Me/NT: open the Control Panel, then double-click the
+Network icon. Click the Identification tab, and look for the
+&quot;Workgroup:&quot; label.</p>
+</li><li>
+<p>Windows 2000: open the Control Panel and double-click the System
+icon. Click the Network Identification tab. The workgroup name will
+appear below the computer name.</p>
+</li><li>
+<p>Windows XP: open the Control Panel in Classic View mode and
+double-click the System icon. Then click the Computer Name tab.</p>
+</li></ul>
+<p>We'll use the <tt class="literal">[test]</tt> share in the
+next chapter to set up the Windows clients. For now, you can complete
+the setup by performing the following commands as root on your Unix
+server:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/tmp</b></tt>
+# <tt class="userinput"><b>chmod 777 /usr/local/samba/tmp</b></tt></pre></blockquote>
+
+<p>You might also want to put a file or two in the
+<em class="filename">/usr/local/samba/tmp</em> directory so that after
+your Windows systems are initially configured, you will have
+something to use to check that everything works.</p>
+
+<p>We should point out that in terms of system security, this is the
+worst setup possible. For the moment, however, we only wish to test
+Samba, so we'll leave security out of the picture.
+In addition, we will encounter some encrypted password issues with
+Windows clients later on, so this setup will afford us the least
+amount of headaches.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-6.1"/>
+
+<h3 class="head2">Encrypted Passwords</h3>
+
+<p><a name="INDEX-94"/><a name="INDEX-95"/><a name="INDEX-96"/>If your Windows clients are using Windows
+98 or Windows NT 4 Service Pack 3 or above (including Windows 2000
+and Windows XP) and you are using a version of Samba earlier than
+3.0, you must add the following entry to the
+<tt class="literal">[global]</tt> section of the Samba configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    encrypt passwords = yes</pre></blockquote>
+
+<p>In addition, you must use the
+<em class="filename">smbpasswd</em><a name="INDEX-97"/> program (typically located in the
+directory <em class="filename">/usr/local/samba/bin/ </em>) to enter the
+username/password combinations of the Samba users into
+Samba's encrypted password database. For example, if
+you wanted to allow Unix user <tt class="literal">steve</tt> to access
+shares from a client system, you would use this command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a steve</b></tt>
+New SMB password:
+Retype new SMB password:
+Added user steve.</pre></blockquote>
+
+<p>When the first user is added, the program will output a message
+saying that the encrypted password database does not exist.
+Don't worry: it will then create the database for
+you. Make sure that the username/password combinations you add to the
+encrypted database match the usernames and passwords you intend to
+use on the Windows client side. You must run
+<em class="emphasis">smbpasswd</em> for each client user.</p>
+
+<p>In Samba 3.0, passwords are encrypted by default, so the
+<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> parameter in the
+configuration file is optional. However, you will still need to run
+the <em class="emphasis">smbpasswd</em> command to add users to the
+encrypted password file.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-6.2"/>
+
+<h3 class="head2">Using SWAT</h3>
+
+<p><a name="INDEX-98"/>Creating
+a configuration file with SWAT is even easier than writing a
+configuration file by hand. To invoke SWAT, use your web browser to
+connect to <em class="emphasis">http://localhost:901</em>, and log on as
+root with the root password, as shown in <a href="ch02.html#samba2-CHP-2-FIG-1">Figure 2-1</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-2-FIG-1"/><a name="INDEX-99"/><img src="figs/sam2_0201.gif"/></div><h4 class="head4">Figure 2-1. SWAT login</h4>
+
+<p>After logging in, click the GLOBALS button at the top of the screen.
+You should see the Global Variables page shown in <a href="ch02.html#samba2-CHP-2-FIG-2">Figure 2-2</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-2-FIG-2"/><img src="figs/sam2_0202.gif"/></div><h4 class="head4">Figure 2-2. SWAT Global Variables page</h4>
+
+<p>In this example, notice that SWAT retrieved the workgroup name from
+the <em class="emphasis">smb.conf</em> file that you created. (If it
+didn't, go back and perform that step correctly.)
+Make sure that the <tt class="literal">security</tt> field is set to
+<tt class="literal">USER</tt>.</p>
+
+<p>If you are running Samba 2.2 and your Windows clients are at least
+Windows 98 or Windows NT 4 SP 3 or later versions, find
+<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> in the
+Security Options section and select <tt class="literal">yes</tt>.</p>
+
+<p>The only other option you need to change from the menu is one
+determining which system on the LAN resolves NetBIOS addresses; this
+system is called the <em class="emphasis">WINS server</em>. At the very
+bottom of the page, set the <tt class="literal">wins</tt>
+<tt class="literal">support</tt> field to <tt class="literal">Yes</tt>, unless
+you already have a WINS server on your network. If you do, put the
+WINS server's IP address in the
+<tt class="literal">wins</tt> <tt class="literal">server</tt> field instead. Then
+return to the top of the screen, and press the Commit Changes button
+to write the changes out to the <em class="emphasis">smb.conf</em> file.</p>
+
+<p>Next, click the SHARES icon. You should see a page similar to <a href="ch02.html#samba2-CHP-2-FIG-3">Figure 2-3</a>. Select <tt class="literal">test</tt> (to the right
+of the Choose Share button), and click the Choose Share button. You
+will see the Share Parameters screen, as shown in <a href="ch02.html#samba2-CHP-2-FIG-3">Figure 2-3</a>, with the <tt class="literal">comment</tt> and
+<tt class="literal">path</tt> fields filled in from your
+<em class="emphasis">smb.conf</em> file.</p>
+
+<div class="figure"><a name="samba2-CHP-2-FIG-3"/><img src="figs/sam2_0203.gif"/></div><h4 class="head4">Figure 2-3. SWAT Share Parameters screen</h4>
+
+<p>If you specified that you want to use encrypted passwords on the
+GLOBALS page, click the PASSWORD button. Near the top of the screen,
+you will see the Server Password Management section. Enter your Unix
+username and password in the spaces, and click the Add New User
+button. This functions the same as the <em class="emphasis">smbpasswd</em>
+utility and creates an entry in the
+<em class="emphasis">/usr/local/samba/private/smbpasswd</em> file to allow
+you to authenticate from a Windows client.</p>
+
+<p>Now click the VIEW button at the top, and SWAT shows you the
+following <em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code"># Samba config file created using SWAT
+# from localhost (127.0.0.1)
+# Date: 2002/09/05 04:56:43
+
+# Global parameters
+        workgroup = METRAN
+        encrypt passwords = Yes
+        wins support = Yes
+
+[test]
+        comment = For testing only!
+        path = /usr/local/samba/tmp
+        read only = No</pre></blockquote>
+
+<p>Once this configuration file is completed, you can skip the next step
+because the output of SWAT is guaranteed to be syntactically correct.
+<a name="INDEX-100"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-6.3"/>
+
+<h3 class="head2">Disabling Oplocks</h3>
+
+<p>The <em class="filename">smb.conf</em><a name="INDEX-101"/><a name="INDEX-102"/>
+file you have just created is certainly good enough for the purpose
+of initial setup and testing, and you can use it as a starting point
+from which to develop the configuration of your production Samba
+server. But before you get too far with that, we want to bring one
+thing to your attention.</p>
+
+<p>If you are the type of administrator who is highly concerned about
+data integrity, you might want to make the following modification to
+your <em class="filename">smb.conf</em> file before continuing:</p>
+
+<blockquote><pre class="code">[global]
+    oplocks = no</pre></blockquote>
+
+<p>That is, use a text editor to add the line <tt class="literal">oplocks</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> to the
+<tt class="literal">[global]</tt> section of your
+<em class="filename">smb.conf</em> file. With this example, as with other
+examples we will present throughout this book, you do not need to
+enter the <tt class="literal">[global]</tt> line again in your
+configuration file. We include it only to indicate in which section
+the parameter belongs.</p>
+
+<p>The <tt class="literal">oplocks</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> parameter disables opportunistic locking by
+clients. This will result in significantly poorer performance, but
+will help ensure that flaky Windows clients and/or unreliable network
+hardware will not lead to corrupted files on the Samba server.</p>
+
+<p>We will cover opportunistic locking (oplocks) in more detail in the
+section &quot;Locks and Oplocks&quot; in
+<a href="ch08.html">Chapter 8</a>, and recommend that you understand the
+ideas presented there before implementing a production Samba server
+that serves database files or other valuable data.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-6.4"/>
+
+<h3 class="head2">Testing the Configuration File</h3>
+
+<p><a name="INDEX-103"/>If you
+didn't use SWAT to create your configuration file,
+you should probably test it to ensure that it is syntactically
+correct. It might seem silly to run a test program against an
+eight-line configuration file, but it's good
+practice for the real ones that we'll be writing
+later on.</p>
+
+<p>The test parser,
+<em class="filename">testparm</em><a name="INDEX-104"/>, examines an
+<em class="filename">smb.conf</em> file for syntax errors and reports any
+it finds along with a list of the services enabled on your machine.
+An example follows; you'll notice that in our haste
+to get the server running we mistyped <tt class="literal">workgroup</tt> as
+<tt class="literal">workgrp</tt> (the output is often lengthy, so we
+recommend capturing it with the <em class="emphasis">tee</em> command):</p>
+
+<blockquote><pre class="code">Load smb config files from smb.conf
+Unknown parameter encountered: &quot;workgrp&quot;
+Ignoring unknown parameter &quot;workgrp&quot;
+Processing section &quot;[test]&quot;
+Loaded services file OK.
+Press Enter to see a dump of your service definitions
+# Global parameters
+[global]
+    workgroup = WORKGROUP
+    netbios name = 
+    netbios aliases = 
+    server string = Samba 2.2.6
+    interfaces = 
+    bind interfaces only = No
+
+<i class="lineannotation">...(content omitted)...</i>
+
+[test]
+    comment = For testing only!
+    path = /usr/local/samba/tmp
+    read only = No</pre></blockquote>
+
+<p>The interesting parts are at the top and bottom. The top of the
+output will flag any syntax errors that you might have made, and the
+bottom lists the services that the server thinks it should offer. A
+word of advice: make sure you and the server have the same
+expectations. <a name="INDEX-105"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-7"/>
+
+<h2 class="head1">Firewall Configuration</h2>
+
+<p><a name="INDEX-106"/>As
+with any services that run on TCP/IP, the SMB networking services
+offered by Samba can be accessed from across the Internet unless your
+organization's firewall is properly configured. The
+following ports are used by Samba for SMB networking and SWAT:</p>
+
+<dl>
+<dt><b>Port 137</b></dt>
+<dd>
+<p>Used for NetBIOS network browsing</p>
+</dd>
+
+
+
+<dt><b>Port 138</b></dt>
+<dd>
+<p>Used for NetBIOS name service</p>
+</dd>
+
+
+
+<dt><b>Port 139</b></dt>
+<dd>
+<p>Used for file and printer sharing and other operations</p>
+</dd>
+
+
+
+<dt><b>Port 445</b></dt>
+<dd>
+<p>Used by Windows 2000/XP when NetBIOS over TCP/IP is disabled</p>
+</dd>
+
+
+
+<dt><b>Port 901</b></dt>
+<dd>
+<p>Used by SWAT</p>
+</dd>
+
+</dl>
+
+<p>At the minimum, your organization's Internet
+firewall should shut down all the ports in the list to traffic in
+both directions. Do not assume that preventing incoming connections
+is sufficient; there are cracks that trick Windows clients into
+sending data out of the local area network and into the Internet by
+SMB protocol, even from a local network that uses private IP
+addresses not forwarded by routers. If you want SMB traffic to travel
+across the Internet to remote sites, the best way is to use a virtual
+private network (VPN). See the O'Reilly book,
+<em class="citetitle">Virtual Private Networks</em>, for more information
+on this subject.</p>
+
+<p>In addition, you might wish to configure a firewall on the Samba host
+system to keep SMB packets from traveling further than necessary
+within your organization's network. For example,
+port 901 can be shut down for remote accesses so that SWAT can be run
+only on the Samba host system. If you are using Samba to serve only a
+fraction of the client systems within your organization, consider
+allowing SMB packets (i.e., packets on ports 137-139 and 445) to go
+to or come from only those clients.</p>
+
+<p>For more information on configuring firewalls, see the
+O'Reilly book <em class="citetitle">Building Internet
+Firewalls</em>.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-8"/>
+
+<h2 class="head1">Starting the Samba Daemons</h2>
+
+<p>Two Samba processes,
+<em class="emphasis">smbd</em><a name="INDEX-107"/> and
+<em class="emphasis">nmbd</em><a name="INDEX-108"/>, need to be running for Samba to work
+correctly. There are three ways to start them:</p>
+
+<ul><li>
+<p>Manually</p>
+</li><li>
+<p>Automatically, during system boot</p>
+</li><li>
+<p>From <em class="emphasis">inetd or xinetd</em></p>
+</li></ul>
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-8.1"/>
+
+<h3 class="head2">Starting the Daemons Manually</h3>
+
+<p><a name="INDEX-109"/><a name="INDEX-110"/>If you're in a
+hurry, you can start the Samba daemons by hand. As root, simply enter
+the following commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/usr/local/samba/bin/smbd -D</b></tt>
+# <tt class="userinput"><b>/usr/local/samba/bin/nmbd -D</b></tt></pre></blockquote>
+
+<p>Samba will now be running on your system and is ready to accept
+connections. However, keep in mind that if either of the daemons exit
+for any reason (including system reboots), they will need to be
+restarted manually.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-8.2"/>
+
+<h3 class="head2">Automatic Startup</h3>
+
+<p><a name="INDEX-111"/><a name="INDEX-112"/>To have the Samba daemons
+started automatically when the system boots, you need to add the
+commands listed in the previous section to your standard Unix startup
+scripts. The exact method varies depending on the flavor of Unix
+you're using.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.1"/>
+
+<h3 class="head3">BSD Unix</h3>
+
+<p><a name="INDEX-113"/><a name="INDEX-114"/><a name="INDEX-115"/>With a BSD-style Unix, you need to append
+the following code to the <em class="filename">rc.local </em>file, which
+is typically found in the <em class="filename">/etc</em> or
+<em class="filename">/etc/rc.d</em> directories:</p>
+
+<blockquote><pre class="code">if [ -x /usr/local/samba/bin/smbd]; then
+    echo &quot;Starting smbd...&quot;
+    /usr/local/samba/bin/smbd -D
+    echo &quot;Starting nmbd...&quot;
+    /usr/local/samba/bin/nmbd -D
+fi</pre></blockquote>
+
+<p>This code is very simple: it checks to see if the
+<em class="filename">smbd</em> file exists and has execute permissions,
+and if it does, it starts up both of the Samba daemons on system
+boot.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.2"/>
+
+<h3 class="head3">System V Unix</h3>
+
+<p><a name="INDEX-116"/><a name="INDEX-117"/><a name="INDEX-118"/>With System V, things can get a little
+more complex. Depending on your Unix version, you might be able to
+get away with making a simple change to an
+<em class="filename">rc.local</em> file as with BSD Unix, but System V
+typically uses directories containing links to scripts that control
+daemons on the system. Hence, you need to instruct the system how to
+start and stop the Samba daemons. The first step to implement this is
+to modify the contents of the <em class="filename">/etc/rc.d/init.d</em>
+directory by adding something similar to the following shell script,
+which for this example we will name <em class="filename">smb </em>:</p>
+
+<blockquote><pre class="code">#!/bin/sh
+
+# Check that the Samba configuration file exists
+[ -f /usr/local/samba/lib/smb.conf ] || exit 0
+
+start(  )
+{
+        echo -n &quot;Starting SMB services: &quot;
+        /usr/local/samba/bin/smbd -D
+        ERROR=$?
+        echo
+
+        echo -n &quot;Starting NMB services: &quot;
+        /usr/local/samba/bin/nmbd -D
+        ERROR2=$?
+        if [ $ERROR2 -ne 0 ]
+        then
+                ERROR=1
+        fi
+        echo
+
+        return $ERROR
+}
+
+stop(  )
+{
+        echo -n &quot;Shutting down SMB services: &quot;
+        /bin/kill -TERM -a smbd
+        ERROR=$?
+        echo
+
+        echo -n &quot;Shutting down NMB services: &quot;
+        /bin/kill -TERM -a nmbd
+        ERROR2=$?
+        if [ $ERROR2 -ne 0 ]
+        then
+                ERROR=1
+        fi
+        echo
+
+        return $ERROR
+}
+
+case &quot;$1&quot; in
+  start)
+        start
+        ;;
+  stop)
+        stop
+        ;;
+  *)
+        echo &quot;Usage: $0 {start|stop}&quot;
+        exit 1
+esac
+
+exit $?</pre></blockquote>
+
+<p>With this script, you can start and stop <em class="emphasis">smbd</em>
+and <em class="emphasis">nmbd</em> like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/smb start</b></tt>
+Starting SMB services:
+Starting NMB services:
+# <tt class="userinput"><b>ps ax | grep mbd</b></tt>
+ 1268 ?        S      0:00 /usr/local/samba/bin/smbd -D
+ 1270 ?        S      0:00 /usr/local/samba/bin/nmbd -D
+ 1465 pts/2    S      0:00 grep mbd
+# <tt class="userinput"><b>/etc/rc.d/init.d/smb stop</b></tt>
+Shutting down SMB services:
+Shutting down NMB services:</pre></blockquote>
+
+<p>If you are having trouble writing a startup script for your system,
+check to see if there is a packaged release of Samba (available from
+your Unix vendor or the Samba FTP site). If so, you might be able to
+extract a startup script from it to use as a starting point.
+Typically, this script doesn't change much (if at
+all) from release to release, so using a script from an older Samba
+version should not be a problem. Another possibility is to check the
+<em class="filename">packaging</em> directory in the Samba source
+distribution. In that directory, there are subdirectories for many
+Unix versions in which you can find a startup script for those
+versions. Even if your version isn't included, you
+can probably find a startup script for a similar version to use as a
+starting point.</p>
+
+<p>Finally, we need to add symbolic links to the
+<em class="filename">smb</em> script in the
+<em class="emphasis">/etc/rc.d/rcX.d</em> directories:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc3.d/S35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc5.d/S35smb</b></tt>
+
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc0.d/K35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc1.d/K35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc2.d/K35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc4.d/K35smb</b></tt>
+# <tt class="userinput"><b>ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc6.d/K35smb</b></tt></pre></blockquote>
+
+<p>The first two commands, with link names starting with an
+&quot;S&quot;, cause Samba to be started when
+entering runlevels 3 or 5, which are the runlevels in which network
+file sharing (NFS) is normally enabled. The second group of commands,
+with link names starting with a
+&quot;K&quot;, cause Samba to be shut down
+when entering any of the other runlevels (0, 1, 2, 4, or 6).</p>
+
+<p>The links starting with &quot;S&quot; are
+used to start the daemons, and the links starting with
+&quot;K&quot; are used for killing them. When
+the runlevel is changed, the links starting with
+&quot;K&quot; in the corresponding directory
+(e.g., the <em class="filename">rc3.d</em> directory for runlevel 3) are
+executed, followed by the links starting with
+&quot;S&quot;. If we wanted, we could have
+Samba restarted when switching between runlevels 3 and 5 by adding a
+<em class="filename">K35smb</em> link to each <em class="filename">rc3.d</em>
+and <em class="filename">rc5.d </em>directory.</p>
+
+<p>The number after the K or S in the link names is used to set the
+order in which all the daemons with links in the directory are
+started or killed off. Get a long listing of the
+<em class="emphasis">rc3.d</em> or <em class="emphasis">rc5.d</em> directories
+to see how this is set up on your system. We use 35 to match the
+behavior of Red Hat's Samba RPM package. The
+important thing is to make sure when starting Samba that all services
+it requires are started before it. When shutting down, it is a good
+idea to shut down Samba before services it requires to avoid excess
+error messages in the log files, but the order is not as crucial.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.3"/>
+
+<h3 class="head3">Darwin and Mac OS X</h3>
+
+<p><a name="INDEX-119"/><a name="INDEX-120"/><a name="INDEX-121"/><a name="INDEX-122"/>An installation of Samba is bundled with the
+Darwin distribution, which is included in Mac OS X.<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a> </p>
+
+<p>The Samba daemons are started during system
+boot by the script
+<em class="filename">/System/Library/StartupItems/Samba/Samba</em>. To
+trigger the execution of this script, edit the file
+<em class="filename">/etc/hostconfig</em> and change the SMBSERVER
+parameter to look like this:</p>
+
+<blockquote><pre class="code">SMBSERVER=-YES-</pre></blockquote>
+
+<p>On Mac OS X, the graphical user interface (GUI) provides an
+alternative to using the command line. Launch the System Preferences
+application, and select Sharing (see <a href="ch02.html#samba2-CHP-2-FIG-4">Figure 2-4</a>).
+Under the Services tab, turn on Windows File Sharing. This will make
+the aforementioned change to <em class="filename">/etc/hostconfig</em> and
+immediately execute the startup item.</p>
+
+<div class="figure"><a name="samba2-CHP-2-FIG-4"/><img src="figs/sam2_0204.gif"/></div><h4 class="head4">Figure 2-4. Mac OS X sharing preferences</h4>
+
+<p>If you decide to install Samba yourself on Mac OS X,
+it's best not to stomp on the installation provided
+with the OS. Use the procedures detailed earlier in this chapter to
+install the software into <em class="filename">/usr/local/samba</em> or
+some other area unaffected by OS upgrades. (Remember to set up users
+with <em class="emphasis">smbpasswd</em> if you're using
+encrypted passwords, as described earlier in this chapter. This step
+is handled automatically with entries in
+<em class="filename">/var/db/samba/hash</em> if you're
+using the built-in server on Mac OS X.) Once you've
+got that working, you can edit the Samba startup item script to refer
+to your installation, like this:</p>
+
+<blockquote><pre class="code">    #!/bin/sh
+    # Start Samba
+
+    . /etc/rc.common
+
+    if [ &quot;${SMBSERVER:=-NO-}&quot; = &quot;-YES-&quot; ]; then
+        ConsoleMessage &quot;Starting SMB server&quot;
+
+        if [ -f /usr/local/samba/lib/smb.conf ]; then
+            /usr/local/samba/bin/smbd -D
+            /usr/local/samba/bin/nmbd -D
+        fi
+    fi</pre></blockquote>
+
+<p>However, beware of OS updates, which can wipe out your changes. One
+solution is to make the script immutable, like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chflags uchg /System/Library/StartupItems/Samba/Samba</b></tt></pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-2-SECT-8.2.4"/>
+
+<h3 class="head3">Testing automatic startup</h3>
+
+<p><a name="INDEX-123"/><a name="INDEX-124"/>If you can afford a few minutes of
+downtime, reboot your system and again use the
+<em class="emphasis">ps</em> command to check that the
+<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> daemons are
+running. And if you are managing a 24/7 server, we highly recommend
+that you find some downtime in which to reboot and perform this
+check. Otherwise, your next unscheduled downtime might surprise you
+with a mysterious absence of SMB networking services when the system
+comes up again! <a name="INDEX-125"/><a name="INDEX-126"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-2-SECT-8.3"/>
+
+<h3 class="head2">Starting from inetd</h3>
+
+<p><a name="INDEX-127"/><a name="INDEX-128"/><a name="INDEX-129"/>The <em class="emphasis">inetd</em>
+<em class="emphasis"><a name="FNPTR-6"/><a href="#FOOTNOTE-6">[6]</a></em> daemon is a Unix
+system's Internet &quot;super
+daemon.&quot; It listens on ports defined in
+<em class="filename">/etc/services</em> and executes the appropriate
+program for each port, which is defined in
+<em class="filename">/etc/inetd.conf</em>. The advantage of this scheme is
+that you can have a large number of daemons ready to answer queries,
+but they don't all have to be running all the time.
+Instead, <em class="emphasis">inetd</em> listens for connection requests
+and starts the appropriate daemon when it is needed. The penalty is a
+small overhead cost of creating a new daemon process, as well as the
+fact that you need to edit two files rather than one to set things
+up. The <em class="emphasis">inetd</em> daemon is handy if you have only
+one or two Samba users or your machine is running too many daemons
+already. It's also easier to perform an upgrade
+without disturbing an existing connection.</p>
+
+<p>If you wish to start from <em class="filename">inetd</em>, first open
+<em class="filename">/etc/services</em> in your text editor. If you
+don't already have them defined, add the following
+two lines:</p>
+
+<blockquote><pre class="code">netbios-ssn     139/tcp
+netbios-ns      137/udp</pre></blockquote>
+
+<p>Next, edit <em class="filename">/etc/inetd.conf</em>. Look for the
+following two lines and add them if they don't
+exist. If you already have <tt class="literal">smbd</tt> and
+<tt class="literal">nmbd</tt> lines in the file, edit them to point at the
+new <em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>
+you've installed. Your brand of Unix might use a
+slightly different syntax in this file; use the existing entries and
+the <em class="filename">inetd.conf </em> manual
+page as a guide:</p>
+
+<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
+netbios-ns  dgram  udp wait   root /usr/local/samba/bin/nmbd nmbd</pre></blockquote>
+
+<p>Finally, kill any <em class="emphasis">smbd</em> or
+<em class="emphasis">nmbd</em> processes and send the
+<em class="emphasis">inetd</em> process a hangup (HUP) signal to tell it
+to reread its configuration file:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/bin/kill -TERM -a smbd</b></tt>
+# <tt class="userinput"><b>/bin/kill -TERM -a nmbd</b></tt>
+# <tt class="userinput"><b>/bin/kill -HUP -a inetd</b></tt></pre></blockquote>
+
+<p>After that, Samba should be up and running.</p>
+
+<p>As we've pointed out before, Red Hat and perhaps
+other Unix vendors supply <em class="emphasis">xinetd</em> rather than
+<em class="emphasis">inetd</em>. If you need to use
+<em class="emphasis">xinetd</em>, you will need to supply a configuration
+file in the <em class="emphasis">/etc/xinetd.d</em> directory.
+<a name="INDEX-130"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-2-SECT-9"/>
+
+<h2 class="head1">Testing the Samba Daemons</h2>
+
+<p><a name="INDEX-131"/><a name="INDEX-132"/>We're
+nearly done with the Samba server setup. All that's
+left to do is to make sure everything is working as we think it
+should. A convenient way to do this is to use the
+<em class="filename">smbclient</em><a name="INDEX-133"/> program to examine what the server is
+offering to the network. If everything is set up properly, you should
+be able to do the following:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/usr/local/samba/bin/smbclient -U% -L localhost</b></tt>
+added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
+Domain=[METRAN] OS=[Unix] Server=[Samba 2.2.6]
+
+        Sharename      Type      Comment
+        ---------      ----      -------
+        test           Disk      For testing only, please
+        IPC$           IPC       IPC Service (Samba 2.2.6)
+        ADMIN$         Disk      IPC Service (Samba 2.2.6)
+        
+        Server               Comment
+        ---------            -------
+        TOLTEC               Samba 2.2.6 on toltec
+
+        Workgroup            Master
+        ---------            -------
+        METRAN               TOLTEC</pre></blockquote>
+
+<p>If there is a problem, don't panic! Try to start the
+daemons manually, and check the system output or the debug files at
+<em class="filename">/usr/local/samba/var/log.smb</em><a name="INDEX-134"/><a name="INDEX-135"/><a name="INDEX-136"/> to see if you can determine what happened.
+If you think it might be a more serious problem, skip to <a href="ch12.html">Chapter 12</a> for help on troubleshooting the Samba daemons.</p>
+
+<p>If it worked, congratulations! You now have successfully set up the
+Samba server with a disk share. It's a simple one,
+but we can use it to set up and test the Windows 95/98/Me and
+NT/2000/XP clients in the next chapter. Then we will start making it
+more interesting by adding services such as home directories,
+printers, and security, and by seeing how to integrate the server
+into a larger Windows domain. <a name="INDEX-137"/></p>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/>
+<p><a href="#FNPTR-1">[1]</a> <em class="emphasis">gcc</em> binaries are available for almost
+every modern machine. See <a href="http://www.gnu.org/">http://www.gnu.org/</a> for a list of sites with
+<em class="emphasis">gcc</em> and other GNU software.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Do
+not confuse this with the Solaris <em class="emphasis">killall</em>
+command, which performs part of the system shutdown sequence!</p>
+<a name="FOOTNOTE-3"/>
+<p><a href="#FNPTR-3">[3]</a> Depending on the version of <em class="emphasis">xinetd</em> you
+have and how it was compiled, you might need to send a USR1 or some
+other signal rather than the HUP signal. Check the manual page for
+<em class="emphasis">xinetd (8)</em> on your system for details.</p>
+<a name="FOOTNOTE-4"/>
+<p><a href="#FNPTR-4">[4]</a> If you did not compile Samba, but instead downloaded a binary,
+check with the documentation for the package to find out where it
+expects the <em class="filename">smb.conf</em> file to be. Or, try running
+the <em class="emphasis">testparm</em> program and look for the location
+of <em class="filename">smb.conf</em> in the first line of output. If
+Samba came preinstalled with your Unix system, an
+<em class="filename">smb.conf</em> file is probably already somewhere on
+your system.</p> <a name="FOOTNOTE-5"/>
+<p><a href="#FNPTR-5">[5]</a> In this book, we cover Darwin Version 6.0 and OS X Version
+10.2.</p> <a name="FOOTNOTE-6"/> <p><a href="#FNPTR-6">[6]</a> With early releases of Samba 2.2, there were reports
+of intermittent errors when starting from <em class="emphasis">inetd</em>.
+We provide this information so that it will be available for later
+releases when the problem will hopefully have been identified and
+corrected.</p> </blockquote>
+
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/ch03.html b/docs/htmldocs/using_samba/ch03.html
new file mode 100644
index 0000000000..16e86f4f6d
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch03.html
@@ -0,0 +1,2086 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 3. Configuring Windows Clients</h1>
+
+
+<p><a name="INDEX-1"/><a name="INDEX-2"/>Configuring Windows to use
+your new Samba server is really quite simple. SMB is
+Microsoft's native language for resource sharing on
+a local area network, so much of the installation and setup on the
+Windows client side have been taken care of already.</p>
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-1"/>
+
+<h2 class="head1">Windows Networking Concepts</h2>
+
+<p><a name="INDEX-3"/><a name="INDEX-4"/>Windows is different from Unix in
+many ways, including how it supports networking. Before we get into
+the hands-on task of clicking our way through the dialog boxes to
+configure each version of Windows, we need to provide you with a
+common foundation of networking technologies and concepts that apply
+to the entire family of Windows operating systems.</p>
+
+<p>For each Windows version, these are the main issues we will be
+dealing with:</p>
+
+<ul><li>
+<p>Making sure required networking components are installed and bound to
+the network adapter</p>
+</li><li>
+<p>Configuring networking with a valid IP address, netmask and gateway,
+and WINS and DNS name servers</p>
+</li><li>
+<p>Assigning workgroup and computer names</p>
+</li><li>
+<p>Setting the username(s) and password(s)</p>
+</li></ul>
+<p>In addition, some minor issues involving communication and
+coordination between Windows and Unix are different among Windows
+versions.</p>
+
+<p>One can go crazy thinking about the ways in which Unix is different
+from Windows, or the ways in which members of the Windows family are
+different from each other in underlying technology, behavior, or
+appearance. For now let's just focus on their
+similarities and see if we can find some common ground.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-1.1"/>
+
+<h3 class="head2">Components</h3>
+
+<p><a name="INDEX-5"/><a name="INDEX-6"/>Unix
+systems historically have been monolithic in nature, requiring
+recompilation or relinking to create a kernel with a customized
+feature set. However, modern versions have the ability to load or
+unload device drivers or various other operating-system features as
+modules while the system is running, without even needing to reboot.</p>
+
+<p>Windows allows for configuration by installing or uninstalling
+<em class="firstterm">components</em>. As far as networking goes,
+components can be one of three things:<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a></p>
+
+<ul><li>
+<p>Protocols</p>
+</li><li>
+<p>Clients</p>
+</li><li>
+<p>Services</p>
+</li></ul>
+<p>Since Samba works using the TCP/IP protocol, of course
+we'll want to have that installed. In some cases, we
+also will want to find protocols to <em class="emphasis">uninstall</em>.
+For example, if Netware protocol (IPX/SPX) is not required on the
+network, it might as well be removed.</p>
+
+<p><a name="INDEX-7"/><a name="INDEX-8"/>NetBEUI protocol should be removed if
+possible. Having NetBEUI running at the same time as NetBIOS over
+TCP/IP causes the system to look for services under two different
+protocols, only one of which is likely to be in use. When Windows is
+configured with one or more unused protocols, 30-second delays will
+result when Windows tries to communicate with the unused protocol.
+Eventually, it times out and tries another one, until it finds one
+that works. This fruitless searching results in terrible performance.</p>
+
+<p>The other two items in the list, client and service components, are
+pretty much what you'd expect. Client components
+perform tasks related to connecting with network servers, and service
+components are for making the local system into a server of resources
+on the network. In <a href="ch01.html">Chapter 1</a> we told you that SMB
+systems can act as both clients and servers, offering resources on
+the network at the same time they request resources. In accordance
+with that, it is possible to install a component for SMB client
+services and, separately, a service component that allows file and
+printer shares on the local system to be accessible from other
+systems on the network.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.1.1"/>
+
+<h3 class="head3">Bindings</h3>
+
+<p><a name="INDEX-9"/><a name="INDEX-10"/><a name="INDEX-11"/>Once
+a networking component is installed, it must be
+<em class="firstterm">bound</em> to a hardware interface, or
+<em class="firstterm">adapter</em>, to be used on the network. At first
+this might seem like an odd complication; however, it is a conceptual
+model that allows the associations between hardware and software to
+be clearly displayed and easily modified through a graphical
+interface.</p>
+
+<p>We will want to make sure that your Windows client has both TCP/IP
+and the client component for SMB networking installed and also that
+it is bound to the network adapter that connects to our Samba
+network, which in most cases will be an Ethernet adapter.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-1.2"/>
+
+<h3 class="head2">IP Address</h3>
+
+<p>Just like any Unix system (or any other system that is using TCP/IP),
+your Windows systems will need an <a name="INDEX-12"/>IP address. If you are using
+<a name="INDEX-13"/>DHCP
+on your network, you can configure Windows to obtain its IP address
+automatically by using a DHCP server. Otherwise, you will need to
+assign a static IP address manually along with a netmask.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a></p>
+
+<p>If you are on a private network where you have the authority to
+assign your own IP addresses, you can select from addresses in one of
+three ranges:<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a></p>
+
+<ul><li>
+<p>10.0.0.1 through 10.255.255.254</p>
+</li><li>
+<p>172.16.0.1 through 172.31.255.254</p>
+</li><li>
+<p>192.168.0.1 through 192.168.255.254</p>
+</li></ul>
+<p>These address ranges are reserved for private networks not directly
+connected to the Internet. For more information on using these
+private network addresses, see RFC 1918.</p>
+
+<p>If you're not maintaining your own separate network,
+see your system administrator for some available addresses on your
+network, as well as for the proper netmask to use.</p>
+
+<p>You should also be prepared to enter the IP address of the default
+gateway for the network. In some networks, the default gateway is the
+system or router that connects the LAN to the Internet. In other
+cases, the default gateway connects a subnet into a larger
+departmental or enterprise network.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-1.3"/>
+
+<h3 class="head2">Name Resolution</h3>
+
+<p><a name="INDEX-14"/><a name="INDEX-15"/>Name resolution is the function of
+translating human-friendly hostnames, such as
+<em class="emphasis">hopi</em>, or fully qualified domain names (FQDNs),
+such as <tt class="literal">mixtec.metran.cx</tt>, into IP addresses, such
+as 172.16.1.11 or 172.16.1.7.</p>
+
+<p>Unix systems can perform name resolution using an
+<em class="filename">/etc/hosts</em><a name="INDEX-16"/><a name="INDEX-17"/> file at the minimum, and more commonly can
+also incorporate services such as
+<a name="INDEX-18"/>DNS (Domain Name System)
+and <a name="INDEX-19"/>NIS (Network Information Service).
+Thus, name resolution is not necessarily performed by one isolated
+part of the operating system or one daemon, but is a system that can
+have a number of dispersed parts (although the
+<a name="INDEX-20"/>name
+service switch, with its
+<em class="filename">/etc/nsswitch.conf</em><a name="INDEX-21"/><a name="INDEX-22"/> configuration file, helps to tie them
+together).</p>
+
+<p>Although the specific implementation is different, name resolution in
+Windows is also performed by querying a number of resources, some of
+which are similar (or even identical) to their Unix counterparts.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.1"/>
+
+<h3 class="head3">Broadcast name resolution</h3>
+
+<p>On the other hand, there is one way in which Windows is not at all
+similar to Unix. If a Windows workstation is set up with no WINS name
+server, it will use the broadcast method of
+<a name="INDEX-23"/><a name="INDEX-24"/>name resolution, as described in <a href="ch01.html">Chapter 1</a>,<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> probably resulting in a
+very busy network. And even if you provide name servers for your
+Windows system to use, it might still resort to broadcast name
+resolution if it is unsuccessful at querying the name servers. For
+this reason, we recommend that you provide multiple reliable name
+servers for your Windows computers on the network.</p>
+
+<p>If that weren't enough to get you interested in
+setting up WINS and DNS servers, broadcast name resolution is usually
+limited to working on the local subnet because routers are usually
+configured not to forward broadcast packets to other networks.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.2"/>
+
+<h3 class="head3">WINS</h3>
+
+<p>We've already told you about WINS in <a href="ch01.html">Chapter 1</a>, and we don't have much more
+to say about it here. WINS can translate simple NetBIOS computer
+names such as <em class="emphasis">huastec</em> or
+<em class="emphasis">navajo</em> into IP addresses, as required on an SMB
+network. Of course, the interesting thing here is that Samba can act
+as a WINS server if you include the line:</p>
+
+<blockquote><pre class="code">wins support = yes</pre></blockquote>
+
+<p>in your Samba server's
+<em class="filename">smb.conf</em><a name="INDEX-25"/><a name="INDEX-26"/> file.
+This can be a good thing, to be sure, and we highly recommend it. Not
+only will you have a reliable WINS server to reduce the number of
+broadcast packets, but you won't need to run Windows
+NT/2000/XP to get it.</p>
+<a name="samba2-CHP-3-NOTE-91"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>One caveat about using Samba as a <a name="INDEX-27"/><a name="INDEX-28"/>WINS server is that Samba (up to Version
+2.2, at least) cannot synchronize with other WINS servers. So if you
+specify a Samba server as your Windows system's WINS
+server, you must be careful not to specify any additional (i.e.,
+secondary) WINS servers. If you do, you are likely to run into
+problems because the servers will not be able to synchronize their
+databases with each other. In Samba's defense, if
+you are using a Samba WINS server (running on a typically reliable
+Unix host), you will probably have little need for a secondary WINS
+server anyway.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.3"/>
+
+<h3 class="head3">LMHOSTS</h3>
+
+<p>All Windows versions support a backup method of name resolution, in
+the form of a file called
+<em class="filename">LMHOSTS</em><a name="INDEX-29"/> <em class="emphasis"><a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a></em>
+that contains a lookup table of computer names and IP addresses. This
+exists for &quot;historical purposes,&quot;
+and is a rather awkward method of name resolution because it requires
+the administrator (i.e., you!) to keep copies of
+<em class="filename">LMHOSTS</em> up to date on every single Windows
+system on the network. To be fully effective,
+<em class="filename">LMHOSTS</em> would have to be updated every time a
+new system were added to (or removed from) the network. Of course,
+there might be ways to automate that process, but a better option
+would be simply to run a WINS name server that is intentionally
+designed to solve that specific problem.</p>
+
+<p>There are perhaps a couple of reasons why you might want to bother
+with <em class="filename">LMHOSTS</em> files. In rare situations, there
+might be no WINS server on the network. Or maybe a WINS server
+exists, but it's unreliable. In both cases, if the
+Windows system has a valid <em class="filename">LMHOSTS</em> file, it can
+help to avoid your network bogging down from those dreaded broadcast
+name queries.</p>
+
+<p>The format of the <em class="filename">LMHOSTS</em> file is simple and
+similar to the <em class="filename">/etc/hosts</em> file with which you
+might be familiar from running Unix systems. Here are the contents of
+a sample <em class="filename">LMHOSTS</em> file:</p>
+
+<blockquote><pre class="code">172.16.1.1      toltec
+172.16.1.2      aztec
+172.16.1.3      mixtec
+172.16.1.4      zapotec
+172.16.1.5      huastec
+172.16.1.6      maya
+172.16.1.7      olmec
+172.16.1.8      chichimec
+172.16.1.11     hopi
+172.16.1.12     zuni
+172.16.1.13     dine
+172.16.1.14     pima
+172.16.1.15     apache
+172.16.1.21     inca
+172.16.1.22     qero</pre></blockquote>
+
+<p>As you can see, the format is like that of
+<em class="filename">/etc/hosts</em>, except that instead of an FQDN
+(e.g., <tt class="literal">toltec.metran.cx</tt>), only a NetBIOS computer
+name (<tt class="literal">toltec</tt>) is given. One way to create an
+<em class="filename">LMHOSTS</em> file for your Windows systems is to copy
+a <em class="filename">/etc/hosts</em> file and edit out the parts you
+don't need. This will work great if your network
+doesn't have a DNS (or NIS) name server and the Unix
+system is dependent on <em class="filename">/etc/hosts</em> for its own
+name service. But if your Unix system is querying a DNS server (which
+is the most frequent case on anything larger than the very smallest
+networks), you would be better advised to look in the DNS
+server's configuration files for your source of
+computer names and IP addresses.</p>
+
+<p>If you do not have administrative access to your
+network's DNS server, you might be able to use tools
+such as <em class="emphasis">nslookup</em><a name="INDEX-30"/>,
+<em class="emphasis">nmap</em><a name="INDEX-31"/>, and
+<em class="emphasis">dig</em><a name="INDEX-32"/> to query the server and obtain the
+information you need.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.4"/>
+
+<h3 class="head3">DNS</h3>
+
+<p>The <a name="INDEX-33"/><a name="INDEX-34"/>DNS
+is responsible for translating human-readable, Internet-style
+hostnames such as <tt class="literal">pima.metran.cx</tt> or
+<tt class="literal">sales.oreilly.com</tt> into IP addresses.</p>
+
+<p>On your first reading of this section, you might be wondering what a
+section on DNS is doing in a book about NetBIOS and SMB networking.
+Remember, we told you that Windows can use more than WINS (NetBIOS
+Name Service) in its strategy for performing name resolution. Because
+DNS is also able to supply IP addresses for simple hostnames (which
+are usually the same as NetBIOS computer names), it can be helpful to
+configure Windows to know about a DNS server on your network. This is
+slightly more important for newer Windows versions than older ones,
+and more so for Windows NT/2000/XP than for Windows 95/98/Me, because
+nowadays Microsoft is focusing more on TCP/IP as the standard
+protocol and DNS as the primary name service.</p>
+
+<p>To find the address of your DNS server, look at the file
+<em class="emphasis">/etc/resolv.conf</em><a name="INDEX-35"/><a name="INDEX-36"/> on your Samba server or any other Unix
+system on the local network that is using DNS. It looks like the
+following:</p>
+
+<blockquote><pre class="code">#resolv.conf 
+domain metran.cx
+nameserver 127.0.0.1 
+nameserver 172.16.1.53</pre></blockquote>
+
+<p>In this example, the first name server in the list is 127.0.0.1,
+which indicates that the Samba server is also a DNS server for this
+LAN.<a name="FNPTR-6"/><a href="#FOOTNOTE-6">[6]</a> In that case, you would use its network IP
+address (not <a name="INDEX-37"/><a name="INDEX-38"/>127.0.0.1, its localhost address)
+for your DNS server when configuring Windows. Otherwise, use the
+other addresses you find in the lines beginning with
+<tt class="literal">nameserver</tt>. Try to select ones on your own
+network. Any name servers listed in
+<em class="emphasis">/etc/resolv.conf</em> should work, but
+you'll get better performance by using a server
+nearby.</p>
+
+<p>All versions of Windows can be configured to know of multiple domain
+name servers, and you might wish to take advantage of this for
+increased reliability. If the first domain name server does not
+respond, Windows can try others in its list.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-1.3.5"/>
+
+<h3 class="head3"><em class="filename">HOSTS</em></h3>
+
+<p>Similar to how the <em class="filename">LMHOSTS</em> file can be added to
+supplement WINS, the
+<em class="filename">HOSTS</em><a name="INDEX-39"/> file on a Windows system can be optionally
+added to supplement DNS name resolution. Most of our comments
+regarding <em class="filename">LMHOSTS</em> also apply here.</p>
+
+<p>This time the format of the file is not just similar to that of
+<em class="filename">/etc/hosts</em> found on Unix&mdash;the format is
+<em class="emphasis">exactly</em> the same. You can simply copy
+<em class="filename">/etc/hosts</em> from your Samba server or other Unix
+system to the proper directory on your Windows system.</p>
+
+<p>On Windows 95/98/Me, the <em class="filename">HOSTS</em> file goes in the
+Windows installation directory, which is usually
+<em class="filename">C:\Windows</em>. Note that a file called
+<em class="filename">hosts.sam</em><a name="INDEX-40"/> is already there, which is a sample
+<em class="filename">HOSTS</em> file provided by Microsoft.</p>
+
+<p>On Windows NT/2000/XP, the <em class="filename">HOSTS</em> file goes in
+the <em class="filename">\system32\drivers\etc</em> directory under the
+Windows installation directory, which is usually
+<em class="filename">C:\WINNT</em>.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-1.4"/>
+
+<h3 class="head2">Passwords</h3>
+
+<p><a name="INDEX-41"/><a name="INDEX-42"/><a name="INDEX-43"/>Unix systems use
+username and password pairs to authenticate users either on a local
+system or in an NIS domain. Windows NT/2000/XP are very similar; a
+user supplies his username and password to log on to the local system
+or to a Windows domain.</p>
+
+<p>When the SMB network is set up as a workgroup, things are different.
+There is no domain to log on to, although shares on the network can
+be password-protected. In this case, one password is associated with
+each password-protected share, rather than with individual users.</p>
+
+<p>Samba's default user-level
+<a name="INDEX-44"/>authentication in a workgroup is
+different from that of Windows. To access shares on the Samba host,
+users are required to supply a valid username and password for an
+account on the Samba host. This will be discussed in more detail in
+<a href="ch09.html">Chapter 9</a>.</p>
+
+<p><a name="INDEX-45"/>An unfortunate
+complication arises with passwords. In the first release of Windows
+95 and in Windows NT 4.0 with Service Pack 2 (SP2) or less, as well
+as in all previous versions of Windows, passwords are allowed to be
+sent over the network in plain text. But in Windows 95 with the
+network redirector update,<a name="FNPTR-7"/><a href="#FOOTNOTE-7">[7]</a></p>
+
+<p>Windows NT 4.0 SP3 or later, and all subsequent releases of Windows,
+a registry setting must be <a name="INDEX-46"/><a name="INDEX-47"/><a name="INDEX-48"/>modified to enable plain-text
+passwords. These more modern versions of Windows prefer to send
+encrypted passwords, and if you are working with one of them (and
+don't want to have to modify the registry), you must
+have the line:</p>
+
+<blockquote><pre class="code">encrypt passwords = yes</pre></blockquote>
+
+<p>in the <tt class="literal">[global]</tt> section of your
+<em class="filename">smb.conf</em><a name="INDEX-49"/><a name="INDEX-50"/> file. In addition, you must run the
+command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a <em class="replaceable">username</em></b></tt></pre></blockquote>
+
+<p>for each user on the Samba host to add their passwords to
+Samba's collection of encrypted passwords. We showed
+you how to do this in <a href="ch02.html">Chapter 2</a>.</p>
+
+<p>If your first attempt to access a Samba share results in a dialog box
+asking for a password for
+<tt class="literal">IPC$</tt><a name="INDEX-51"/><a name="INDEX-52"/>, as shown in <a href="ch03.html#samba2-CHP-3-FIG-1">Figure 3-1</a>, it is probably because you neglected either
+or both of these two steps, and the Samba server did not recognize
+the encrypted password that the Windows system sent to it. Another
+possible dialog box that might come up is the one shown in <a href="ch03.html#samba2-CHP-3-FIG-2">Figure 3-2</a>, which was presented by a Windows 2000 client.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-1"/><img src="figs/sam2_0301.gif"/></div><h4 class="head4">Figure 3-1. Windows 98 asking for IPC$ password</h4>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-2"/><img src="figs/sam2_0302.gif"/></div><h4 class="head4">Figure 3-2. Windows 2000 logon error dialog</h4>
+
+<p>The rest of this chapter is divided into four sections. The first
+section covers setting up Windows 95/98/Me computers, and the rest of
+the sections cover Windows NT 4.0, Windows 2000, and Windows XP
+individually. Each section roughly parallels the order in which
+we've introduced networking concepts in this
+section. You need to read only the section that applies to the
+Windows version with which you are working, and once you have
+finished reading it, you can continue at the beginning of the next
+chapter where we will start covering more advanced Samba features and
+networking issues.</p>
+
+<a name="samba2-CHP-3-NOTE-92"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Keep in mind that we are continuing our example from <a href="ch02.html">Chapter 2</a>, in which we are setting up a very simple
+prototype network using a workgroup that has very lax security. After
+you have the basics working, we recommend you continue with later
+chapters to learn how to implement both better security and a Samba
+domain. <a name="INDEX-53"/></p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-2"/>
+
+<h2 class="head1">Setting Up Windows 95/98/Me Computers</h2>
+
+<p>The <a name="INDEX-54"/>Windows 95/98/Me operating systems are very
+similar to each other, and as far as this chapter is concerned, it is
+possible to treat them with a common set of directions.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-2.1"/>
+
+<h3 class="head2">Setting Up the Network</h3>
+
+<p>Samba uses TCP/IP to communicate with clients on the network, so you
+will need to make sure there is support for TCP/IP on each Windows
+client. Unlike Unix operating systems, Windows does not necessarily
+have support for TCP/IP installed. However, when Windows is installed
+on a computer with a network card or a network card is added to a
+system already running Windows, TCP/IP support is installed by
+default, along with the Client for Microsoft Networks, which supports
+SMB file and printer sharing.</p>
+
+<p>To make sure both services are installed on your Windows system,
+double-click the Network icon in the Control Panel to open the
+Network dialog box, as shown in <a href="ch03.html#samba2-CHP-3-FIG-3">Figure 3-3</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-3"/><img src="figs/sam2_0303.gif"/></div><h4 class="head4">Figure 3-3. The Windows 95/98/Me Network dialog</h4>
+
+<p>You should see at least the Client for Microsoft Networks component
+installed on the system, and hopefully a networking device
+(preferably an Ethernet card) bound to the TCP/IP protocol. If there
+is only one networking hardware device, you'll see
+the TCP/IP protocol listed below the device to which it is bound, as
+shown in <a href="ch03.html#samba2-CHP-3-FIG-1">Figure 3-1</a>.</p>
+
+<p>You might also see &quot;File and printer sharing for
+Microsoft Networks,&quot; which is used to make the
+system into a server. In addition, you might see NetBEUI or Novell
+Networking. Definitely remove NetBEUI unless you are sure you need
+it, and if you don't have any Novell servers on your
+network, you can remove Novell (IPX/SPX) as well. To remove a
+service, simply click its name and then click the Remove button.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.1"/>
+
+<h3 class="head3">Adding TCP/IP</h3>
+
+<p><a name="INDEX-55"/><a name="INDEX-56"/>If
+you don't see TCP/IP listed, you'll
+need to install the protocol.</p>
+
+<p>You can add the protocol by inserting the Windows distribution CD-ROM
+in your CD-ROM drive and clicking the Add button below the component
+window. Indicate that you wish to add a protocol by selecting
+Protocol and clicking &quot;Add...&quot; on
+the following dialog box, which should look similar to <a href="ch03.html#samba2-CHP-3-FIG-4">Figure 3-4</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-4"/><img src="figs/sam2_0304.gif"/></div><h4 class="head4">Figure 3-4. Selecting a component type</h4>
+
+<p>After that, select manufacturer Microsoft, then protocol TCP/IP, as
+shown in <a href="ch03.html#samba2-CHP-3-FIG-3">Figure 3-3</a>, then click OK. After doing so,
+you will be returned to the network dialog. Click OK to close the
+dialog box, and Windows will install the necessary components from
+the CD-ROM and request that the system be rebooted. Go ahead and
+reboot the system, and you're set.</p>
+
+<p>If Client for Microsoft Networks is not in the list, you can add it
+similarly. The only significant difference is that you are adding a
+client instead of a protocol, so make sure to select
+&quot;Client&quot; rather than
+&quot;Protocol&quot; when asked.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.2"/>
+
+<h3 class="head3">Configuring TCP/IP</h3>
+
+<p><a name="INDEX-57"/><a name="INDEX-58"/>If you have more than one networking
+device (for example, both an Ethernet card and a modem for dial-up
+networking), the protocol to hardware bindings will be indicated by
+arrows, as shown in <a href="ch03.html#samba2-CHP-3-FIG-5">Figure 3-5</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-5"/><img src="figs/sam2_0305.gif"/></div><h4 class="head4">Figure 3-5. Selecting a protocol to install</h4>
+
+<p>Select the TCP/IP protocol linked to the networking device that will
+be accessing the Samba network. If you have only one networking
+device, simply click the TCP/IP item. Now click the Properties button
+to open the TCP/IP Properties dialog. You should see something
+similar to <a href="ch03.html#samba2-CHP-3-FIG-6">Figure 3-6</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-6"/><img src="figs/sam2_0306.gif"/></div><h4 class="head4">Figure 3-6. Selecting the correct TCP/IP protocol</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.3"/>
+
+<h3 class="head3">IP Address tab</h3>
+
+<p><a name="INDEX-59"/><a name="INDEX-60"/>The
+IP Address tab is shown in <a href="ch03.html#samba2-CHP-3-FIG-7">Figure 3-7</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-7"/><img src="figs/sam2_0307.gif"/></div><h4 class="head4">Figure 3-7. The IP Address tab</h4>
+
+<p>If you use DHCP on your network to provide IP addresses automatically
+to Windows systems, select the &quot;Obtain an IP address
+automatically&quot; radio button. Otherwise, click the
+&quot;Specify an IP address&quot; radio
+button and enter the client's address and subnet
+mask in the space provided. You or your network manager should have
+selected an address for the client on the same subnet (LAN) as the
+Samba server.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.4"/>
+
+<h3 class="head3">WINS Configuration tab</h3>
+
+<p><a name="INDEX-61"/><a name="INDEX-62"/>If you've
+enabled WINS on Samba or are choosing to make use of another WINS
+server on your network, you must tell Windows the
+server's address. After selecting the WINS
+Configuration tab, you will see the dialog box shown in <a href="ch03.html#samba2-CHP-3-FIG-8">Figure 3-8</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-8"/><img src="figs/sam2_0308.gif"/></div><h4 class="head4">Figure 3-8. The WINS Configuration tab</h4>
+
+<p>This is for Windows 98/Me; Windows 95 is just a little different,
+having separate spaces for the primary and backup WINS server IP
+addresses.</p>
+
+<p>Select the &quot;Enable WINS Resolution&quot;
+radio button, and enter the WINS server's address in
+the space provided, then click the Add button. Do not enter anything
+in the Scope ID field.</p>
+<a name="samba2-CHP-3-NOTE-93"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>A bug in Windows 95/98 sometimes causes the IP address of the WINS
+server to disappear after the OK button is clicked. This happens only
+when only a primary WINS server has been specified. The workaround is
+to fill in the fields for both primary and secondary WINS servers,
+using the same IP address for each.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.5"/>
+
+<h3 class="head3">DNS Configuration tab</h3>
+
+<p><a name="INDEX-63"/><a name="INDEX-64"/>Unless you are using DHCP, you
+will need to provide the IP address of one or more DNS servers. Click
+the DNS tab, then click the &quot;Enable
+DNS&quot; radio button, and type the IP address of one or
+more DNS servers into the appropriate field, shown in <a href="ch03.html#samba2-CHP-3-FIG-9">Figure 3-9</a>, to add the server's address
+to the top DNS Server Search Order field.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-9"/><img src="figs/sam2_0309.gif"/></div><h4 class="head4">Figure 3-9. The DNS Configuration tab</h4>
+
+<p>Also, provide the hostname (which is the same as the NetBIOS computer
+name) of the Windows 95/98/Me computer and your Internet domain. (You
+will need to enter the computer name again later, along with the
+workgroup. Make sure to enter the same name each time.) You can
+safely ignore the Domain Suffix Search Order field for anything
+related to Samba.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.6"/>
+
+<h3 class="head3">LMHOSTS file</h3>
+
+<p><a name="INDEX-65"/><a name="INDEX-66"/>If
+you want to install an <em class="filename">LMHOSTS</em> file, it must be
+placed in your Windows installation directory (usually
+<em class="filename">C:\Windows</em>). In the same directory, Microsoft
+has provided a sample <em class="filename">LMHOSTS</em> file named
+<em class="filename">lmhosts.sam</em>, which you might want to look at for
+further information on the file's format.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.7"/>
+
+<h3 class="head3">NetBIOS tab</h3>
+
+<p><a name="INDEX-67"/><a name="INDEX-68"/>This tab
+appears in Windows 98/Me, but not in Windows 95. All you need to do
+here is make sure the checkbox is checked, enabling NetBIOS over
+TCP/IP. If TCP/IP is your only protocol installed (as we recommended
+earlier), the selection will be grayed out, with the box checked so
+that you couldn't uncheck it even if you wanted to.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.1.8"/>
+
+<h3 class="head3">Bindings tab</h3>
+
+<p><a name="INDEX-69"/><a name="INDEX-70"/>The
+final tab to look at is Bindings, as shown in <a href="ch03.html#samba2-CHP-3-FIG-10">Figure 3-10</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-10"/><img src="figs/sam2_0310.gif"/></div><h4 class="head4">Figure 3-10. The Bindings tab</h4>
+
+<p>You should have a check beside Client for Microsoft Networks,
+indicating that it's using TCP/IP. If you have
+&quot;File and printer sharing for Microsoft
+Networks&quot; in the dialog, it should also be checked,
+as shown in <a href="ch03.html#samba2-CHP-3-FIG-10">Figure 3-10</a>.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-2.2"/>
+
+<h3 class="head2">Setting the Computer Name and Workgroup</h3>
+
+<p><a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/><a name="INDEX-74"/>Finally, click the OK button in the
+TCP/IP configuration dialog, and you'll be taken
+back to the Network Configuration dialog. Then select the
+Identification tab, which will take you to the dialog box shown in
+<a href="ch03.html#samba2-CHP-3-FIG-11">Figure 3-11</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-11"/><img src="figs/sam2_0311.gif"/></div><h4 class="head4">Figure 3-11. The Identification tab</h4>
+
+<p>This is where you set your system's NetBIOS name
+(which Microsoft likes to call &quot;computer
+name&quot;). Usually, it is best to make this the same as
+your DNS hostname, if you are going to have one for this system. For
+example, if the system's DNS name is
+<tt class="literal">huastec.metran.cx</tt>, give the computer a NetBIOS
+name of <tt class="literal">huastec</tt> on this tab.</p>
+
+<p>You also set your workgroup name here. In our case,
+it's METRAN, but if you used a different one in
+<a href="ch02.html">Chapter 2</a>, when creating the Samba configuration
+file, use that instead. Just don't call it WORKGROUP
+(the default workgroup name) or you'll be in the
+same workgroup as every misconfigured Windows computer on the planet!</p>
+
+<p>You can also enter a comment string for this computer. See if you can
+come up with some way of describing it that will remind you of what
+and where it is when you see the comment in a list displayed on
+another computer. Everyone on the network will be able to see your
+comment, so be careful not to include any information that might be
+useful to crackers.</p>
+
+<p>Finally, click the OK button and follow whatever instructions Windows
+provides. (You might have to insert your Windows distribution CD-ROM
+and/or reboot.)</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-2.3"/>
+
+<h3 class="head2">Username and Password</h3>
+
+<p><a name="INDEX-75"/><a name="INDEX-76"/><a name="INDEX-77"/>You have probably already given
+Windows a username and password by now. However, to authenticate with
+the Samba server, your Windows username and password must match with
+a valid account on the Samba server.</p>
+
+<p>It is simple to add a new user and password to a Windows 95/98/Me
+system. Just reboot or log out, and when you are prompted for a
+username and password, enter your Unix username and password. (If you
+are using encrypted passwords, you must run
+<em class="emphasis">smbpasswd</em> on the Unix host to enter them into
+Samba's password database, if you have not already
+done so.) You can use this method to add as many users as you want,
+so as to allow more than one user to use the Windows system to gain
+access to the Samba shares.</p>
+
+<p>If you mistakenly entered the wrong password or your Unix password
+changes, you can change your password on the Windows system by going
+to the Control Panel and double-clicking the Passwords icon. This
+will bring up the Passwords Properties dialog. Click the Change
+Passwords tab, and you will see the dialog shown in <a href="ch03.html#samba2-CHP-3-FIG-12">Figure 3-12</a>. Now click the &quot;Change
+Windows Password...&quot; button, which will bring up the
+Change Windows Password dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-13">Figure 3-13</a>. As indicated by the text entry fields in the
+dialog, enter your old password, and then the new password, and again
+to confirm it. Click the OK button and then the Close button on the
+Password Properties dialog box. Reboot or log out, and use your new
+password when you log in again.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-12"/><img src="figs/sam2_0312.gif"/></div><h4 class="head4">Figure 3-12. The Password Properties dialog</h4>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-13"/><img src="figs/sam2_0313.gif"/></div><h4 class="head4">Figure 3-13. The Change Windows Password dialog</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.3.1"/>
+
+<h3 class="head3">Logging in for the first time</h3>
+
+<p>If you don't have a Change Passwords tab in the
+Passwords Properties window, it is because networking is not fully
+set up yet. Assuming you've followed all the
+directions given so far, you just need to reboot; when the system
+comes up, it will ask you to log in with a username and a password.</p>
+
+<p>Now for the big moment. Your Samba server is running, and you have
+set up your Windows 95/98/Me client to communicate with it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.3.2"/>
+
+<h3 class="head3">Accessing the Samba Server from Windows 95/98</h3>
+
+<p><a name="INDEX-78"/><a name="INDEX-79"/>Double-click the Network Neighborhood
+icon on the desktop. You should see your Samba server listed as a
+member of the workgroup, as shown in <a href="ch03.html#samba2-CHP-3-FIG-14">Figure 3-14</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-14"/><img src="figs/sam2_0314.gif"/></div><h4 class="head4">Figure 3-14. Windows 95/98 Network Neighborhood</h4>
+
+<p>Double-clicking the server name will show the resources that the
+server is offering to the network, as shown in <a href="ch03.html#samba2-CHP-3-FIG-15">Figure 3-15</a> (in this case, the <em class="emphasis">test</em>
+directory).</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-15"/><img src="figs/sam2_0315.gif"/></div><h4 class="head4">Figure 3-15. The test shared folder on the Toltec server</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-2.3.3"/>
+
+<h3 class="head3">Accessing the Samba Server from Windows Me</h3>
+
+<p>Double-click the My Network Places icon on the desktop. You should
+see the test shared directory as shown in <a href="ch03.html#samba2-CHP-3-FIG-16">Figure 3-16</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-16"/><img src="figs/sam2_0316.gif"/></div><h4 class="head4">Figure 3-16. My Network Places on Windows Me</h4>
+
+<p>Double-click the Entire Network icon, and you should see an icon for
+your workgroup, as shown in <a href="ch03.html#samba2-CHP-3-FIG-17">Figure 3-17</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-17"/><img src="figs/sam2_0317.gif"/></div><h4 class="head4">Figure 3-17. Entire Network window, showing the Metran workgroup</h4>
+
+<p>Double-clicking the workgroup icon will bring up a window showing
+every computer in the workgroup, which should include your Samba
+server, as shown in <a href="ch03.html#samba2-CHP-3-FIG-18">Figure 3-18</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-18"/><img src="figs/sam2_0318.gif"/></div><h4 class="head4">Figure 3-18. Computers in Metran workgroup</h4>
+
+<p>Double-click the Samba server's icon, and you will
+get a window showing its shared resources (in this case, the test
+directory) as shown in <a href="ch03.html#samba2-CHP-3-FIG-19">Figure 3-19</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-19"/><img src="figs/sam2_0319.gif"/></div><h4 class="head4">Figure 3-19. View of shares on the Toltec server</h4>
+
+<p>If you don't see the server listed, it might be that
+browsing is not working correctly or maybe the server is just taking
+a few minutes to show up in the browse list. In either case, you can
+click the Start button, then select
+&quot;Run...&quot;. This will give you a
+dialog box into which you can type the name of your server and the
+share name <em class="emphasis">test</em> in the Windows UNC format
+<em class="filename">\\</em><em class="replaceable">server</em><em class="filename">\test</em>,
+as we did in <a href="ch01.html">Chapter 1</a>. This should open a window
+on the desktop showing the contents of the folder. If this does not
+work, there is likely a problem with name resolution, and you can try
+using the server's IP address instead of its
+computer name, like this:</p>
+
+<blockquote><pre class="code">\\172.16.1.1\test</pre></blockquote>
+
+<p>If things still aren't right, go directly to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong
+with the network.</p>
+
+<p>If it works, congratulations! Try copying files to and from the
+server using the Windows drag-and-drop functionality. You might be
+pleasantly surprised how seamlessly everything works. <a name="INDEX-80"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-3"/>
+
+<h2 class="head1">Setting Up Windows NT 4.0 Computers</h2>
+
+<p>Configuring <a name="INDEX-81"/>Windows NT
+is a little different than configuring Windows 95/98/Me. To use Samba
+with Windows NT, you will need both the Workstation service and the
+TCP/IP protocol. Both come standard with NT, but
+we'll work through installing and configuring them
+to make sure they are configured correctly.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-3.1"/>
+
+<h3 class="head2">Basic Configuration</h3>
+
+<p><a name="INDEX-82"/>This section presents the steps
+to follow for TCP/IP-related configuration on Windows NT to get it to
+cooperate with Samba. If you need more details on Windows NT network
+administration, refer to Craig <a name="INDEX-83"/>Hunt and Robert Bruce
+<a name="INDEX-84"/>Thompson's
+<em class="citetitle">Windows NT TCP/IP Network Administration
+</em>(O'Reilly), an excellent guide.</p>
+
+<p>You should perform the following steps as the
+<tt class="literal">Administrator</tt> or another user in the
+<tt class="literal">Administrators</tt> group.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-3.1.1"/>
+
+<h3 class="head3">Installing the TCP/IP protocol</h3>
+
+<p><a name="INDEX-85"/><a name="INDEX-86"/>From
+the Control Panel, double-click the Network icon, click the Protocols
+tab in the Network dialog box, and look to see if you have the TCP/IP
+protocol installed, as shown in <a href="ch03.html#samba2-CHP-3-FIG-20">Figure 3-20</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-20"/><img src="figs/sam2_0320.gif"/></div><h4 class="head4">Figure 3-20. The Protocols tab</h4>
+
+<p>If the protocol is not installed, you need to add it. Click the Add
+button, which will display the Select Network Protocol dialog box
+shown in <a href="ch03.html#samba2-CHP-3-FIG-21">Figure 3-21</a>. You should immediately see the
+TCP/IP protocol as one of the last protocols listed.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-21"/><img src="figs/sam2_0321.gif"/></div><h4 class="head4">Figure 3-21. Select Network Protocol dialog box</h4>
+
+<p>Select TCP/IP as the protocol and confirm it. If
+possible, install only the TCP/IP protocol. If you see anything other
+than TCP/IP listed in the Protocols tab and it is not a protocol that
+you need, you can remove it. If you try to remove a protocol and get
+an error message saying that the protocol is being used by another
+service, you need to click the Services tab and remove that service
+before you can remove the protocol. For example, to remove the NWLink
+IPX/SPX Compatible Transport protocol, you would need to remove the
+Client Service for Netware first.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-3.1.2"/>
+
+<h3 class="head3">Installing the Workstation service</h3>
+
+<p><a name="INDEX-87"/><a name="INDEX-88"/>After installing TCP/IP, click the
+Services tab in the Network dialog, and check that you have a
+Workstation service, as shown at the end of the list in <a href="ch03.html#samba2-CHP-3-FIG-22">Figure 3-22</a>.<a name="FNPTR-8"/><a href="#FOOTNOTE-8">[8]</a></p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-22"/><img src="figs/sam2_0322.gif"/></div><h4 class="head4">Figure 3-22. Network Services tab</h4>
+
+<p>This service is actually the Microsoft Networking Client, which
+allows the computer to access SMB services. The Workstation service
+is mandatory. The service is installed by default on both Windows NT
+Workstation 4.0 and NT Server 4.0. If it's not
+there, you can install it much like TCP/IP. In this case you need to
+click the Add button and then select Workstation Service, as shown in
+<a href="ch03.html#samba2-CHP-3-FIG-23">Figure 3-23</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-23"/><img src="figs/sam2_0323.gif"/></div><h4 class="head4">Figure 3-23. Select Network Service dialog box</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-3.1.3"/>
+
+<h3 class="head3">Configuring TCP/IP</h3>
+
+<p><a name="INDEX-89"/><a name="INDEX-90"/>After you've installed
+the Workstation service, return to the Protocols tab and select the
+TCP/IP Protocol entry in the window. Then click the Properties button
+below the window. The Microsoft TCP/IP Protocol dialog will be
+displayed. There are five tabs in the dialog, and you will need to
+work with four of them:</p>
+
+<ul><li>
+<p>IP Address</p>
+</li><li>
+<p>WINS Address</p>
+</li><li>
+<p>DNS</p>
+</li><li>
+<p>Bindings</p>
+</li></ul>
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.1"/>
+
+<h4 class="head4">IP Address tab</h4>
+
+<p><a name="INDEX-91"/><a name="INDEX-92"/>The IP
+Address tab is shown in <a href="ch03.html#samba2-CHP-3-FIG-24">Figure 3-24</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-24"/><img src="figs/sam2_0324.gif"/></div><h4 class="head4">Figure 3-24. Microsoft TCP/IP Properties dialog for Windows NT</h4>
+
+<p>Select the &quot;Specify an IP address&quot;
+radio button, and enter the computer's IP address
+and netmask in the space provided for the proper adapter (Ethernet
+card). You or your network manager should have selected an address
+for the client on the same subnet (LAN) as the Samba server. For
+example, if the server's address is 172.16.1.1 and
+its network mask is 255.255.255.0, you might use the address
+172.16.1.13 (if it is available) for the NT workstation, along with
+the same netmask. If you use DHCP on your network, select the
+&quot;Obtain an IP Address from a DHCP
+server&quot; button instead.</p>
+
+<p>The gateway field refers to a system typically known as a
+<em class="emphasis">router</em>. If you have routers connecting multiple
+networks, you should enter the IP address of the one on your subnet.
+In our example, the gateway happens to be the same system as the
+Samba server, but they do not by any means have to be the same.</p>
+
+
+</div>
+
+
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.2"/>
+
+<h4 class="head4">WINS Address tab</h4>
+
+<p><a name="INDEX-93"/><a name="INDEX-94"/>Click the
+WINS Address tab, shown in <a href="ch03.html#samba2-CHP-3-FIG-25">Figure 3-25</a>, and you can
+begin to enter information about name servers. Enter the address of
+your WINS server in the space labeled Primary WINS Server. If your
+Samba server is providing WINS service (in other words, you have the
+line <tt class="literal">wins</tt> <tt class="literal">support</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
+<em class="emphasis">smb.conf</em> file of your Samba server), provide the
+Samba server's IP address here. Otherwise, provide
+the address of another WINS server on your network.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-25"/><img src="figs/sam2_0325.gif"/></div><h4 class="head4">Figure 3-25. The WINS Address tab</h4>
+
+<p>You probably noticed that there is a field here for the network
+adapter. This field must specify the Ethernet adapter on which
+you're running TCP/IP so that WINS will provide name
+service on the correct network. For example, if you have both a LAN
+and a dial-up adapter, make sure you have the LAN's
+network card specified here.</p>
+
+<p>The checkboxes in the lower half of the dialog are for enabling two
+other methods of name resolution that Windows can incorporate into
+its name service. Samba doesn't require either of
+them, but you might want to enable them to increase the reliability
+or functionality of name service for your client. See <a href="ch07.html">Chapter 7</a> for further information on name resolution
+issues.</p>
+
+<p>If you'd like to use a DNS server, select the Enable
+DNS for Windows Resolution checkbox. In addition, you will need to do
+some configuration to allow the Windows system to find the DNS
+server, unless you're using DHCP.</p>
+
+
+</div>
+
+
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.3"/>
+
+<h4 class="head4">DNS tab</h4>
+
+<p><a name="INDEX-95"/><a name="INDEX-96"/>Click
+the tab for DNS, as shown in <a href="ch03.html#samba2-CHP-3-FIG-26">Figure 3-26</a>. Enter the
+IP addresses for one or more DNS servers in the space provided. Also,
+enter the hostname (which should be the same as the NetBIOS computer
+name). You will enter this again later in another control panel, so
+make sure they match. Finally, enter the DNS domain on which this
+system resides. For example, if your workstation has a domain name
+such as <em class="emphasis">metran.cx</em>, enter it here. You can safely
+ignore the other options.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-26"/><img src="figs/sam2_0326.gif"/></div><h4 class="head4">Figure 3-26. The DNS tab</h4>
+
+
+</div>
+
+
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.4"/>
+
+<h4 class="head4">The LMHOSTS file</h4>
+
+<p>If you want to install an
+<em class="filename">LMHOSTS</em><a name="INDEX-97"/><a name="INDEX-98"/> file, it
+must be placed in the directory
+<em class="filename">\system32\drivers\etc</em> under your Windows
+installation directory (usually <em class="filename">C:\WINNT</em>). The
+easy way to make sure it gets to the proper location is to use the
+Import LMHOSTS button on the WINS Address tab. (But if you want to do
+it over the network, you will have to do that after file sharing is
+configured!) Remember to click the Enable LMHOSTS Lookup checkbox on
+the WINS Address tab to enable this functionality.</p>
+
+<p>When you are satisfied with your settings for IP Address, WINS
+Address, and DNS, click OK to return to the Network dialog box.</p>
+
+
+</div>
+
+
+
+<div class="sect4"><a name="samba2-CHP-3-SECT-3.1.1.5"/>
+
+<h4 class="head4">Bindings</h4>
+
+<p><a name="INDEX-99"/><a name="INDEX-100"/>Now click the
+Bindings tab, and check the bindings of network hardware, services,
+and protocols. Set the &quot;Show Bindings
+for&quot; field to &quot;all
+services,&quot; and click all the + buttons in the tree.
+You should see a display similar to <a href="ch03.html#samba2-CHP-3-FIG-27">Figure 3-27</a>,
+which shows that the NetBIOS, Server, and Workstation interface
+services are connected to the WINS client running TCP/IP protocol,
+and that the WINS client is bound to the Ethernet adapter of the
+local area network.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-27"/><img src="figs/sam2_0327.gif"/></div><h4 class="head4">Figure 3-27. The Bindings tab</h4>
+
+<p>You can safely leave the default values for the remainder of the tabs
+in the Network dialog box. Click the OK button to complete the
+configuration. Once the proper files are loaded (if any), you might
+need to reboot for your changes to take effect.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-3.2"/>
+
+<h3 class="head2">Computer Name and Workgroup</h3>
+
+<p><a name="INDEX-101"/><a name="INDEX-102"/><a name="INDEX-103"/><a name="INDEX-104"/>The next
+thing you need to do is to give the system a NetBIOS computer name.
+From the Control Panel, double-click the Network icon to open the
+Network dialog box. The first tab in this dialog box should be the
+Identification tab, as illustrated in <a href="ch03.html#samba2-CHP-3-FIG-28">Figure 3-28</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-28"/><img src="figs/sam2_0328.gif"/></div><h4 class="head4">Figure 3-28. The Identification tab</h4>
+
+<p>Here, you need to identify your computer with a name and change the
+default workgroup to the one you specified in the
+<em class="emphasis">smb.conf</em> file of your Samba server. Click the
+Change button below the two text fields. This will open an
+Identification Changes dialog box, where you can set the workgroup
+and the computer name, as shown in <a href="ch03.html#samba2-CHP-3-FIG-29">Figure 3-29</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-29"/><img src="figs/sam2_0329.gif"/></div><h4 class="head4">Figure 3-29. The Identification Changes dialog</h4>
+<a name="samba2-CHP-3-NOTE-94"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>You entered the computer name earlier as a DNS hostname while
+configuring TCP/IP, so be sure that the two names match. The name you
+set here is the NetBIOS name. You're allowed to make
+it different from the TCP/IP hostname, but doing so is usually not a
+good idea. Don't worry that Windows NT forces the
+computer name and the workgroup to be all capital letters;
+it's smart enough to figure out what you mean when
+it connects to the network.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-3.3"/>
+
+<h3 class="head2">Adding a User</h3>
+
+<p><a name="INDEX-105"/><a name="INDEX-106"/>In all
+the previous steps, you were logged into your Windows NT system as
+<tt class="literal">Administrator</tt> or another user in the
+<tt class="literal">Administrators</tt> group. To access resources on the
+Samba server, you will need to have a username and password that the
+Samba server recognizes as valid. Generally, the best way to do this
+is to add a user to your NT system, with the same username and
+password as a user on the Samba host system.</p>
+
+<a name="samba2-CHP-3-NOTE-95"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The directions in this section assume that your network is set up as
+a workgroup. If you have already set up your network as a domain, as
+we describe in <a href="ch04.html">Chapter 4</a>, you do not need to
+follow the instructions here for adding a local user on the Windows
+NT client system. Simply log on to the domain from the client using a
+username and password in Samba's
+<em class="filename">smbpasswd</em> account database, and continue with
+the next section, <a href="ch03.html#samba2-CHP-3-SECT-3.4">Section 3.3.4</a>.</p>
+</blockquote>
+
+<p>To add a new user, open the Start menu, navigate through the Programs
+submenu to Administrative Tools (Common), and select User Manager for
+Domains. Click the User menu and select the first item, Add User...,
+shown in <a href="ch03.html#samba2-CHP-3-FIG-30">Figure 3-30</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-30"/><img src="figs/sam2_0330.gif"/></div><h4 class="head4">Figure 3-30. User Manager for Domains window</h4>
+
+<p>This brings up the New User dialog box shown in <a href="ch03.html#samba2-CHP-3-FIG-31">Figure 3-31</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-31"/><img src="figs/sam2_0331.gif"/></div><h4 class="head4">Figure 3-31. The New User dialog</h4>
+
+<p>Fill it out as shown, using the username and password that were added
+in the previous chapter, and make sure that only the checkbox labeled
+Password Never Expires is checked. (This is not the default!) Click
+the Add button to add the user, and then click the Close button. You
+should now see your new account added to the list in the User Manager
+dialog box.</p>
+
+<p>Now open the Start menu, select Shut Down, and select the
+&quot;Close all programs and log on as a different
+user?&quot; radio button. Click the Yes button, then log
+in as the user you just added.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-3.4"/>
+
+<h3 class="head2">Connecting to the Samba Server</h3>
+
+<p>Now for the big moment. Your <a name="INDEX-107"/><a name="INDEX-108"/>Samba
+server is running, and you have set up your NT client to communicate
+with it. Double-click the Network Neighborhood icon on the desktop,
+and you should see your Samba server listed as a member of the
+workgroup, as shown in <a href="ch03.html#samba2-CHP-3-FIG-32">Figure 3-32</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-32"/><img src="figs/sam2_0332.gif"/></div><h4 class="head4">Figure 3-32. The Windows NT Network Neighborhood</h4>
+
+<p>Double-clicking the server name will show the resources that the
+server is offering to the network, as shown in <a href="ch03.html#samba2-CHP-3-FIG-33">Figure 3-33</a>. In this case, the <em class="filename">test</em>
+directory and the default printer are offered to the Windows NT
+workstation.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-33"/><img src="figs/sam2_0333.gif"/></div><h4 class="head4">Figure 3-33. Shares offered by the Toltec server</h4>
+
+<p>If you don't see the server listed,
+don't panic. Select Run... from the Start menu. A
+dialog box appears that allows you to type the name of your server
+and its share directory in Windows format. For example, you would
+enter
+<em class="filename">\\</em>toltec<em class="filename">\</em><tt class="literal">test</tt>,
+as shown in <a href="ch03.html#samba2-CHP-3-FIG-34">Figure 3-34</a>, and use your
+server's hostname instead of
+&quot;toltec&quot;.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-34"/><img src="figs/sam2_0334.gif"/></div><h4 class="head4">Figure 3-34. Opening a shared directory, using the server's NetBIOS name in the UNC</h4>
+
+<p>This will work even if browsing services are not set up right, which
+is a common problem. You can also work around a name-service problem
+by entering the server's IP Address (such as
+172.16.1.1 in our example) instead of the Samba
+server's hostname, as shown in <a href="ch03.html#samba2-CHP-3-FIG-35">Figure 3-35</a>. Go back and check your configuration, and if
+things still aren't right, go to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong with the
+network.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-35"/><img src="figs/sam2_0335.gif"/></div><h4 class="head4">Figure 3-35. Opening a shared directory, using the server's IP address in the UNC</h4>
+
+<p>If it works, congratulations! Try copying files to and from the
+server by dragging their icons to and from the folder on the Samba
+share. You might be pleasantly surprised how seamlessly everything
+works. <a name="INDEX-109"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-4"/>
+
+<h2 class="head1">Setting Up Windows 2000 Computers</h2>
+
+<p><a name="INDEX-110"/>Although
+Windows 2000 is based on NT technology and is similar to Windows NT
+in many respects, configuring it for use with Samba is quite
+different.</p>
+
+<p>You should perform the following steps as the
+<tt class="literal">Administrator</tt> or another user in the
+<tt class="literal">Administrators</tt> group.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.1"/>
+
+<h3 class="head2">Networking Components</h3>
+
+<p><a name="INDEX-111"/><a name="INDEX-112"/>Go to the Control Panel and
+double-click the Network and Dial-up Connections icon. You should see
+at least one Local Area Connection icon. If there is more than one,
+identify the one that corresponds to the network adapter that is
+connected to your Samba network. Right-click the Local Area
+Connection icon, and click the Properties button. (Or double-click
+the Local Area Connection icon, and then click the Properties button
+in the dialog box that comes up.) You should now be looking at the
+Local Area Connection Properties dialog box, as shown in <a href="ch03.html#samba2-CHP-3-FIG-36">Figure 3-36</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-36"/><img src="figs/sam2_0336.gif"/></div><h4 class="head4">Figure 3-36. Windows 2000 Local Area Connection Properties dialog</h4>
+
+<p>First of all, you might want to click the Configure button under the
+field for the network adapter, to make sure you see the message
+&quot;This device is working properly&quot;
+in the Device status window. If there is a problem, make sure to
+correct it before continuing. You should also see the message
+&quot;Use this device (enable)&quot; in the
+Device usage field of the dialog box. Make sure to set it this way if
+it is not already. Click OK or Cancel to get back to the Local Area
+Connection Properties dialog box.</p>
+
+<p>You should see at least the following two components:</p>
+
+<ul><li>
+<p>Client for Microsoft Networks</p>
+</li><li>
+<p>Internet Protocol (TCP/IP)</p>
+</li></ul>
+<p>If you do not see either Client for Microsoft Networks or Internet
+Protocol (TCP/IP) in your list, you will need to add them. For
+either, the method is to click the Install... button, click the type
+of component (Client or Protocol), and then click the Add... button.
+Next, click the component you want to add, and click the OK button.
+You should see the component added to the list with the others.</p>
+
+<p>Some components should be removed if you see them in the list:</p>
+
+<ul><li>
+<p>NetBEUI Protocol</p>
+</li><li>
+<p>NWLink NetBIOS</p>
+</li><li>
+<p>NWLink IPX/SPX/NetBIOS Compatible Transport Protocol</p>
+</li><li>
+<p>Client Service for Netware</p>
+</li></ul>
+<p>If you see anything other than TCP/IP listed as a protocol, and it is
+not a protocol that you need, you can remove it. Uninstall NetBEUI,
+unless you are sure you need it, and the other three if you do not
+need to support Netware. If you try to remove a protocol and get an
+error message saying that the protocol is being used by another
+service, you need to remove that service before you can remove the
+protocol. For example, to remove the NWLink IPX/SPX Compatible
+Transport Protocol, you would need to remove the Client Service for
+Netware first.</p>
+
+<p>To remove a component, click the component in the list, click the
+Uninstall button, and then click Yes in the dialog box that pops up.
+In some cases, Windows might need to reboot to put the change into
+effect.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.2"/>
+
+<h3 class="head2">Bindings</h3>
+
+<p><a name="INDEX-113"/><a name="INDEX-114"/>Next to each
+client, service, or protocol listed in the window in the Local Area
+Connections Properties dialog box, you will see a checkbox. Make sure
+the checkbox is checked for both Client for Microsoft Networks and
+Internet Protocol (TCP/IP). The check marks indicate the networking
+components are bound to the network adapter shown at the top of the
+dialog box.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.3"/>
+
+<h3 class="head2">Configuring TCP/IP</h3>
+
+<p><a name="INDEX-115"/><a name="INDEX-116"/>Now click Internet Protocol (TCP/IP),
+and then click Properties to open the Internet Protocol (TCP/IP)
+Properties dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-37">Figure 3-37</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-37"/><img src="figs/sam2_0337.gif"/></div><h4 class="head4">Figure 3-37. Internet Protocol (TCP/IP) Properties dialog</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.1"/>
+
+<h3 class="head3">IP address</h3>
+
+<p><a name="INDEX-117"/><a name="INDEX-118"/>If
+you are using DHCP on your network to assign IP addresses
+dynamically, select the &quot;Obtain IP address
+automatically&quot; radio button. Otherwise, select the
+&quot;Use the following address:&quot; radio
+button, and fill in the computer's IP address and
+netmask in the spaces provided. You or your network manager should
+have selected an address for the client on the same subnet (LAN) as
+the Samba server. For example, if the server's
+address is 172.16.1.1 and its network mask is 255.255.255.0, you
+might use the address 172.16.1.14, if it is available, along with the
+same netmask. You can also fill in the IP address of the default
+gateway.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.2"/>
+
+<h3 class="head3">DNS server</h3>
+
+<p><a name="INDEX-119"/><a name="INDEX-120"/>In
+the lower part of the dialog box, click the &quot;Use the
+following DNS server addresses:&quot; radio button, and
+fill in the IP address of your DNS server.</p>
+
+<p>Now click the Advanced... button to bring up the Advanced TCP/IP
+Settings dialog box, and then click the WINS tab.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.3"/>
+
+<h3 class="head3">WINS server</h3>
+
+<p><a name="INDEX-121"/><a name="INDEX-122"/>Enter the
+address of your WINS server in the space labeled
+&quot;WINS addresses, in order of use:&quot;.
+If your Samba server is providing WINS service (in other words, you
+have the line <tt class="literal">wins</tt> <tt class="literal">service</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
+<em class="emphasis">smb.conf</em> file of your Samba server), provide the
+Samba server's IP address here. Otherwise, provide
+the address of another WINS server on your network.</p>
+
+<p>Near the bottom of the dialog box, select the radio button labeled
+&quot;Enable NetBIOS over TCP/IP&quot;. <a href="ch03.html#samba2-CHP-3-FIG-38">Figure 3-38</a> shows what your Advanced TCP/IP Settings
+dialog box should look like at this point.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-38"/><img src="figs/sam2_0338.gif"/></div><h4 class="head4">Figure 3-38. Advanced TCP/IP Settings dialog, showing WINS tab</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-4.3.4"/>
+
+<h3 class="head3">The LMHOSTS file</h3>
+
+<p>If you want to install an
+<em class="filename">LMHOSTS</em><a name="INDEX-123"/><a name="INDEX-124"/> file,
+it must be placed in the <em class="filename">\system32\drivers\etc</em>
+directory under your Windows installation directory (usually
+<em class="filename">C:\WINNT</em> ). The easy way to make sure it gets to
+the proper location is to use the Import LMHOSTS... button on the
+WINS Address tab. (But if you want to do it over the network, you
+will have to do that after file sharing is configured!) Remember to
+click the Enable LMHOSTS Lookup checkbox on the WINS Address tab to
+enable this functionality.</p>
+
+<p>When you are satisfied with your settings for IP Address, WINS
+Address, and DNS, click the OK buttons in each open dialog box to
+complete the configuration. Windows might need to load some files
+from the Windows 2000 distribution CD-ROM, and you might need to
+reboot for your changes to take effect.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.4"/>
+
+<h3 class="head2">Computer and Workgroup Names</h3>
+
+<p><a name="INDEX-125"/><a name="INDEX-126"/><a name="INDEX-127"/><a name="INDEX-128"/>From
+the Control Panel, double-click the System icon to open the System
+Properties dialog box. Click the Network Identification tab, and your
+System Properties dialog box will look similar to <a href="ch03.html#samba2-CHP-3-FIG-39">Figure 3-39</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-39"/><img src="figs/sam2_0339.gif"/></div><h4 class="head4">Figure 3-39. System Properties dialog, showing Network Identification tab</h4>
+
+<p>To give your system computer a name and a workgroup, click the
+Properties button, which will bring up the Identification Changes
+dialog box, as in <a href="ch03.html#samba2-CHP-3-FIG-40">Figure 3-40</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-40"/><img src="figs/sam2_0340.gif"/></div><h4 class="head4">Figure 3-40. Identification Changes dialog</h4>
+
+<p>You need to identify your computer with a name and change the
+workgroup to the one you specified in the
+<em class="emphasis">smb.conf</em> file of your Samba server.
+Don't worry that Windows forces the computer name
+and the workgroup to be all capital letters; it's
+smart enough to figure out what you mean when it connects to the
+network.</p>
+
+<p>Click the More... button to bring up the DNS Suffix and NetBIOS
+Computer Name dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-41">Figure 3-41</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-41"/><img src="figs/sam2_0341.gif"/></div><h4 class="head4">Figure 3-41. DNS Suffix and NetBIOS Computer Name dialog</h4>
+
+<p>Enter the DNS domain name of this computer in the text field labeled
+Primary DNS Suffix for this computer:, and then click OK. You should
+now see the FQDN of this system underneath the label
+&quot;Full computer name:&quot;. Click the OK
+button and then reboot when requested to put your configuration
+changes into effect. Once again, log in using your administrative
+account.</p>
+<a name="samba2-CHP-3-NOTE-96"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>There have been reports of authentication problems with Samba when a
+username on a Windows 2000 system is the same as its computer name.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.5"/>
+
+<h3 class="head2">Adding a Samba-Enabled User</h3>
+
+<p><a name="INDEX-129"/><a name="INDEX-130"/>So far,
+you have been logged into your Windows 2000 system as a user in the
+<tt class="literal">Administrators</tt> group. To access resources on the
+Samba server, you will need a username and password that the Samba
+server recognizes as valid. If your administrative account has such a
+username and password, you can use it, but you might want to access
+your system and the network from a nonadministrative user account
+instead.</p>
+<a name="samba2-CHP-3-NOTE-97"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>The directions in this section assume that your network is set up as
+a workgroup. If you have already set up your network as a domain, as
+we describe in <a href="ch04.html">Chapter 4</a>, you do not need to
+follow the instructions here for adding a local user on the Windows
+2000 client system. Simply log on to the domain from the client using
+a username and password in Samba's
+<em class="filename">smbpasswd</em> account database, and continue with
+the next section, <a href="ch03.html#samba2-CHP-3-SECT-4.6">Section 3.4.6</a>.</p>
+</blockquote>
+
+<p>To add a new user, open the Control Panel, and double-click the Users
+and Passwords icon to open the Users and Passwords dialog box, shown
+in <a href="ch03.html#samba2-CHP-3-FIG-42">Figure 3-42</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-42"/><img src="figs/sam2_0342.gif"/></div><h4 class="head4">Figure 3-42. Users and Passwords dialog</h4>
+
+<p>The first thing to do is make sure the checkbox labeled
+&quot;Users must enter a user name and password to use
+this computer.&quot; is checked. Next, click the Add...
+button to bring up the first dialog box of the User Wizard, shown in
+<a href="ch03.html#samba2-CHP-3-FIG-43">Figure 3-43</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-43"/><img src="figs/sam2_0343.gif"/></div><h4 class="head4">Figure 3-43. Adding a new user</h4>
+
+<p>Fill out the fields, using the username of a valid user account on
+the Samba host, and then click the Next &gt; button to enter and
+confirm the user's password. This password must be
+the same as the user's password on the Samba host.
+If you are using encrypted passwords, make sure this username and
+password are the same as what you used when you ran the
+<em class="emphasis">smbpasswd</em> program. Click the Next &gt; button,
+which brings up the final dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-44">Figure 3-44</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-44"/><img src="figs/sam2_0344.gif"/></div><h4 class="head4">Figure 3-44. Specifying a group for the new user</h4>
+
+<p>Pick a group for the user (the default Standard User should do), and
+click the Finish button. You should now see your new account added to
+the list in the Users and Passwords dialog box. Click the OK button
+to complete the process.</p>
+
+<p>Now return to the Users and Passwords control panel window, click the
+Advanced tab, then click on the Advanced button. Click the Users
+folder in the left side of the Local Users and Groups window that
+appears, and then double-click the account you just added in the
+right side of the window. In the Properties window that opens, click
+the checkbox labeled Password never expires. You are done! Click the
+OK buttons in all the dialog boxes, and close all open windows.</p>
+
+<p>Open the Start menu, select Shut Down, and select Log off
+<em class="emphasis">username</em> from the drop-down menu. Click the OK
+button, then log on with the username and password you just added.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-4.6"/>
+
+<h3 class="head2">Connecting to the Samba Server</h3>
+
+<p>Now for the big moment. Your Samba server is running, and you have
+set up your <a name="INDEX-131"/><a name="INDEX-132"/>Windows 2000 client to communicate with
+it. Double-click the My Network Places icon on the desktop, and then
+double-click the Computers Near Me icon to browse the workgroup. You
+should see your Samba server listed as a member of the workgroup, as
+shown in <a href="ch03.html#samba2-CHP-3-FIG-45">Figure 3-45</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-45"/><img src="figs/sam2_0345.gif"/></div><h4 class="head4">Figure 3-45. The Computers Near Me window, showing computers in the workgroup</h4>
+
+<p>Double-clicking the server name will show the resources that the
+server is offering to the network, as shown in <a href="ch03.html#samba2-CHP-3-FIG-46">Figure 3-46</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-46"/><img src="figs/sam2_0346.gif"/></div><h4 class="head4">Figure 3-46. Shares offered by the Toltec server</h4>
+
+<p>In this case, the <em class="filename">test</em> directory and the default
+printer are offered to the Windows 2000 workstation. If you
+don't see the server listed, don't
+panic. Select Run from the Start menu. A dialog box appears that
+allows you to type the name of your server and its share directory in
+Windows format. For example, you would enter
+<em class="filename">\\toltec\</em><tt class="literal">test</tt>, as shown in
+<a href="ch03.html#samba2-CHP-3-FIG-47">Figure 3-47</a>, and use your server's
+hostname instead of &quot;toltec&quot;.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-47"/><img src="figs/sam2_0347.gif"/></div><h4 class="head4">Figure 3-47. Opening a shared directory, using the server's NetBIOS name in the UNC</h4>
+
+<p>This will work even if browsing services are not set up right, which
+is a common problem. You can also work around a name-service problem
+by entering the server's IP address (such as
+172.16.1.1 in our example) instead of the Samba
+server's hostname, as shown in <a href="ch03.html#samba2-CHP-3-FIG-48">Figure 3-48</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-48"/><img src="figs/sam2_0348.gif"/></div><h4 class="head4">Figure 3-48. Opening a shared directory, using the server's IP address in the UNC</h4>
+
+<p>If things still aren't right, go directly to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong
+with the network.</p>
+
+<p>If it works, congratulations! Try copying files to and from the
+server. You will be pleasantly surprised how seamlessly everything
+works. Now that you've finished setting up the Samba
+server and its clients, you can proceed to the next chapter.
+<a name="INDEX-133"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-3-SECT-5"/>
+
+<h2 class="head1">Setting Up Windows XP Computers</h2>
+
+<p>Although <a name="INDEX-134"/>Windows XP
+is very similar to Windows 2000, it has a very different user
+interface, and there are a number of subtle differences. For example,
+getting to the Control Panel is different than in any previous
+version of Windows&mdash;one must click the Control Panel item from
+the Start menu (there is no Settings item in the Start menu in XP).
+By default, XP will display the Control Panel in Category View mode.
+If you see this, click the Switch to Classic View item in the
+upper-left corner of the window. All of our directions are for using
+the Control Panel in Classic View mode.</p>
+
+<p>You should perform the following steps as the
+<tt class="literal">Administrator</tt> or another user in the
+Administrators group.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.1"/>
+
+<h3 class="head2">Networking Components</h3>
+
+<p><a name="INDEX-135"/><a name="INDEX-136"/>Go to the Control Panel and
+double-click the Network and Dial-up Connections icon. You should see
+at least one Local Area Connection icon. If there is more than one,
+identify the one that corresponds to the network adapter that is
+connected to your Samba network. Right-click the Local Area
+Connection icon and click the Properties button. (Or double-click the
+Local Area Connection icon and then click the Properties button in
+the dialog box that comes up.) You should now be looking at the Local
+Area Connection Properties dialog box, as shown in <a href="ch03.html#samba2-CHP-3-FIG-49">Figure 3-49</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-49"/><img src="figs/sam2_0349.gif"/></div><h4 class="head4">Figure 3-49. The Local Area Connection Properties dialog</h4>
+
+<p>First of all, you might want to click the Configure button under the
+field for the network adapter to make sure you see the message
+&quot;This device is working properly&quot;
+in the Device status window. If there is a problem, make sure to
+correct it before continuing. You should also see the message
+&quot;Use this device (enable)&quot; in the
+Device usage field of the dialog box. Make sure to set it this way if
+it is not already. Click OK or Cancel to close this dialog box, then
+reopen the Local Area Connection Properties dialog box.</p>
+
+<p>You should see at least the following two components:</p>
+
+<ul><li>
+<p>Client for Microsoft Networks</p>
+</li><li>
+<p>Internet Protocol (TCP/IP)</p>
+</li></ul>
+<p>If you do not see either Client for Microsoft Networks or Internet
+Protocol (TCP/IP) in your list, you will need to add them. For
+either, the method is to click the Install... button, click the type
+of component (Client or Protocol), and then click the Add... button.
+Next, click the component you want to add, and click the OK button.
+You should see the component added to the list with the others.</p>
+
+<p>If you see anything other than TCP/IP listed as a protocol, and it is
+not a protocol that you need, you can remove it. If NetBEUI appears
+in the list, uninstall it if you possibly can. Also uninstall any
+Netware-related components if you do not need to support Netware. If
+you try to remove a protocol and get an error message saying that the
+protocol is being used by another service, you need to remove that
+service before you can remove the protocol. For example, to remove
+the NWLink IPX/SPX Compatible Transport Protocol, you would need to
+remove the Client Service for Netware first.</p>
+
+<p>To remove a component, click the component in the list, click the
+Uninstall button, and then click Yes in the dialog box that pops up.
+In some cases, Windows might need to reboot to put the change into
+effect.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.1.1"/>
+
+<h3 class="head3">Bindings</h3>
+
+<p><a name="INDEX-137"/><a name="INDEX-138"/>Next to each client, service, or protocol
+listed in the window in the Local Area Connections Properties dialog
+box, you will see a checkbox. Make sure the checkbox is checked for
+both Client for Microsoft Networks and Internet Protocol (TCP/IP).
+The check marks indicate that the networking components are bound to
+the network adapter shown at the top of the dialog box.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.2"/>
+
+<h3 class="head2">Configuring TCP/IP</h3>
+
+<p><a name="INDEX-139"/><a name="INDEX-140"/>Now click Internet Protocol
+(TCP/IP) and then click Properties to open the Internet Protocol
+(TCP/IP) Properties dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-50">Figure 3-50</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-50"/><img src="figs/sam2_0350.gif"/></div><h4 class="head4">Figure 3-50. The Internet Protocol (TCP/IP) Properties dialog</h4>
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.1"/>
+
+<h3 class="head3">IP address</h3>
+
+<p><a name="INDEX-141"/><a name="INDEX-142"/>If
+you are using DHCP on your network to assign IP addresses
+dynamically, select the &quot;Obtain IP address
+automatically&quot; radio button. Otherwise, select the
+&quot;Use the following address:&quot; radio
+button, and fill in the computer's IP address and
+netmask in the spaces provided. You or your network manager should
+have selected an address for the client on the same subnet (LAN) as
+the Samba server. For example, if the server's
+address is 172.16.1.1 and its network mask is 255.255.255.0, you
+might use the address 172.16.1.12 (if it is available) along with the
+same netmask. You can also fill in the IP address of the default
+gateway.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.2"/>
+
+<h3 class="head3">DNS server</h3>
+
+<p><a name="INDEX-143"/><a name="INDEX-144"/>In the lower part of the dialog box, click
+the &quot;Use the following DNS server
+addresses:&quot; radio button, and fill in the IP address
+of your DNS server.</p>
+
+<p>Now click the Advanced... button to bring up the Advanced TCP/IP
+Settings dialog box, and then click the WINS tab.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.3"/>
+
+<h3 class="head3">WINS server</h3>
+
+<p><a name="INDEX-145"/><a name="INDEX-146"/>Enter
+the address of your WINS server in the space labeled
+&quot;WINS addresses, in order of use:&quot;.
+If your Samba server is providing WINS service (in other words, you
+have the line <tt class="literal">wins</tt> <tt class="literal">support</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
+<em class="emphasis">smb.conf</em> file of your Samba server), provide the
+Samba server's IP address here. Otherwise, provide
+the address of another WINS server on your network.</p>
+
+<p>Near the bottom of the dialog box, select the radio button labeled
+Enable NetBIOS over TCP/IP. <a href="ch03.html#samba2-CHP-3-FIG-51">Figure 3-51</a> shows what
+your Advanced TCP/IP Settings dialog box should look like at this
+point.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-51"/><img src="figs/sam2_0351.gif"/></div><h4 class="head4">Figure 3-51. The Advanced TCP/IP Settings dialog, showing the WINS tab</h4>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-3-SECT-5.2.4"/>
+
+<h3 class="head3">The LMHOSTS file</h3>
+
+<p>If you want to install an
+<em class="filename">LMHOSTS</em><a name="INDEX-147"/><a name="INDEX-148"/> file, it
+must be placed in the <em class="filename">\system32\drivers\etc</em>
+directory under your Windows installation directory (usually
+<em class="filename">C:\WINNT</em> ). The easy way to make sure it gets to
+the proper location is to use the Import LMHOSTS... button on the
+WINS Address tab. (But if you want to do it over the network, you
+will have to do that after file sharing is configured!) Remember to
+click the Enable LMHOSTS Lookup checkbox on the WINS Address tab to
+enable this functionality.</p>
+
+<p>When you are satisfied with your settings for IP Address, WINS
+Address, and DNS, click the OK buttons in each open dialog box (and
+the Close button in the Local Area Connection Properties dialog box)
+to complete the configuration. Windows might need to load some files
+from the Windows XP distribution CD-ROM, and you might need to reboot
+for your changes to take effect.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.3"/>
+
+<h3 class="head2">Computer and Workgroup Names</h3>
+
+<p><a name="INDEX-149"/><a name="INDEX-150"/><a name="INDEX-151"/><a name="INDEX-152"/>From the
+Control Panel, double-click the System icon to open the System
+Properties dialog box. Click the Computer Name tab, and your System
+Properties dialog box will look similar to <a href="ch03.html#samba2-CHP-3-FIG-52">Figure 3-52</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-52"/><img src="figs/sam2_0352.gif"/></div><h4 class="head4">Figure 3-52. The System Properties dialog, showing the Computer Name tab</h4>
+
+<p>To give your system computer a name and a workgroup, click the
+Change... button, which will bring up the Computer Name Changes
+dialog box, as in <a href="ch03.html#samba2-CHP-3-FIG-53">Figure 3-53</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-53"/><img src="figs/sam2_0353.gif"/></div><h4 class="head4">Figure 3-53. The Computer Name Changes dialog</h4>
+
+<p>You need to identify your computer with a name and change the
+workgroup to the one you specified in the
+<em class="emphasis">smb.conf</em> file of your Samba server.
+Don't worry that Windows forces the workgroup to be
+all capital letters; it's smart enough to figure out
+what you mean when it connects to the network.</p>
+
+<p>Click the More... button to bring up the DNS Suffix and NetBIOS
+Computer Name dialog box, shown in <a href="ch03.html#samba2-CHP-3-FIG-54">Figure 3-54</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-54"/><img src="figs/sam2_0354.gif"/></div><h4 class="head4">Figure 3-54. The DNS Suffix and NetBIOS Computer Name dialog</h4>
+
+<p>Enter the DNS domain name of this computer in the text field labeled
+Primary DNS Suffix for this computer:, and then click OK. You should
+now see the FQDN of this system underneath the label Full computer
+name: in the Computer Name Changes dialog box. Click the OK button
+and then reboot when requested to put your configuration changes into
+effect. Once again, log in using your administrative account.</p>
+<a name="samba2-CHP-3-NOTE-98"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>There have been reports of authentication problems with Samba when a
+username on a Windows XP system is the same as its computer name.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.4"/>
+
+<h3 class="head2">Adding a Samba-Enabled User</h3>
+
+<p><a name="INDEX-153"/><a name="INDEX-154"/>So far,
+you have been logged into your Windows XP system as a user in the
+Administrators group. To access resources on the Samba server, you
+will need to have a username and password that the Samba server
+recognizes as valid. If your administrative account has such a
+username and password, you can use it, but you might want to access
+your system and the network from a nonadministrative user account
+instead.</p>
+
+<a name="samba2-CHP-3-NOTE-99"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The directions in this section assume that your network is set up as
+a workgroup. If you have already set up your network as a domain, as
+we describe in <a href="ch04.html">Chapter 4</a>, you do not need to
+follow the instructions here for adding a local user on the Windows
+XP client system. Simply log on to the domain from the client using a
+username and password in Samba's
+<em class="filename">smbpasswd</em> account database, and continue with
+the next section, <a href="ch03.html#samba2-CHP-3-SECT-5.5">Section 3.5.5</a>.</p>
+</blockquote>
+
+<p>To add a new user, open the Control Panel, and double-click the Users
+Accounts icon to open the User Accounts window, shown in <a href="ch03.html#samba2-CHP-3-FIG-55">Figure 3-55</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-55"/><img src="figs/sam2_0355.gif"/></div><h4 class="head4">Figure 3-55. The User Accounts window</h4>
+
+<p>Click the Create a new account task, which will bring up the window
+shown in <a href="ch03.html#samba2-CHP-3-FIG-56">Figure 3-56</a>. Enter the username, then click
+the Next &gt; button.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-56"/><img src="figs/sam2_0356.gif"/></div><h4 class="head4">Figure 3-56. Entering the username</h4>
+
+<p>Click the radio button labeled
+&quot;Limited&quot;, as shown in <a href="ch03.html#samba2-CHP-3-FIG-57">Figure 3-57</a>.</p>
+
+<p>Click the Create Account button, and you will see the username you
+added next to a picture at the bottom of the User Accounts window. We
+still need to assign a password to the account. Click the account to
+bring up the &quot;What do you want to change about
+<em class="emphasis">username</em>'s
+account?&quot; window, and then click Create a password.
+Enter the password, and enter it again to confirm it.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-57"/><img src="figs/sam2_0357.gif"/></div><h4 class="head4">Figure 3-57. Setting the account type</h4>
+
+<p>This password must be the same as the user's
+password on the Samba host. If you are using encrypted passwords,
+make sure this username and password are the same as what you used
+when you ran the <em class="emphasis">smbpasswd</em> program. Click the
+Create Password button, and you're done adding the
+account.</p>
+
+<p>Now open the Start menu and click the Log Off button. In the Log Off
+Windows dialog box that pops up, again click the Log Off button. When
+Windows displays the login screen, click the user you just added, and
+type in the password to log in.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-3-SECT-5.5"/>
+
+<h3 class="head2">Connecting to the Samba Server</h3>
+
+<p><a name="INDEX-155"/><a name="INDEX-156"/>Now for
+the big moment. Your Samba server is running, and you have set up
+your Windows XP client to communicate with it. In the Start menu,
+select My Computer<a name="FNPTR-9"/><a href="#FOOTNOTE-9">[9]</a> to open the My Computer window. Click My
+Network Places, in the Other Places box in the left part of the
+window. You should see a folder icon for the
+<em class="filename">test</em> directory, as shown in <a href="ch03.html#samba2-CHP-3-FIG-58">Figure 3-58</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-58"/><img src="figs/sam2_0358.gif"/></div><h4 class="head4">Figure 3-58. The My Network Places window</h4>
+
+<p>Now click View workgroup computers in the Network Tasks box at the
+left of the window. You should see your Samba server listed as a
+member of the workgroup. Double-click its icon, and you will see a
+window that looks like <a href="ch03.html#samba2-CHP-3-FIG-59">Figure 3-59</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-59"/><img src="figs/sam2_0359.gif"/></div><h4 class="head4">Figure 3-59. Shares offered by the Toltec server</h4>
+
+<p>If you don't see the server listed in the workgroup,
+don't panic. Select Run... from the Start menu. A
+dialog box appears that allows you to type the name of your server
+and its share directory in Windows format. For example, you would
+enter <em class="filename">\\toltec\</em><tt class="literal">test</tt>, as shown
+in <a href="ch03.html#samba2-CHP-3-FIG-60">Figure 3-60</a>, and use your
+server's hostname instead of
+&quot;toltec&quot;.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-60"/><img src="figs/sam2_0360.gif"/></div><h4 class="head4">Figure 3-60. Opening a shared directory, using the server's NetBIOS name in the UNC</h4>
+
+<p>This will work even if browsing services are not set up right, which
+is a common problem. You can also work around a name-service problem
+by entering the server's IP Address (such as
+172.16.1.1 in our example) instead of the Samba
+server's hostname, as shown in <a href="ch03.html#samba2-CHP-3-FIG-61">Figure 3-61</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-3-FIG-61"/><img src="figs/sam2_0361.gif"/></div><h4 class="head4">Figure 3-61. Opening a shared directory, using the server's IP address in the UNC</h4>
+
+<p>If things still aren't right, go directly to <a href="ch12.html#samba2-CHP-12-SECT-2">Section 12.2</a> to troubleshoot what is wrong
+with the network.</p>
+
+<p>If it works, congratulations! Try copying files to and from the
+server by dragging their icons to and from the Samba
+server's <em class="filename">test</em> folder. You might
+be pleasantly surprised how seamlessly everything works. <a name="INDEX-157"/> <a name="INDEX-158"/></p>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> We are
+intentionally omitting device drivers because they are
+hardware-specific, and we assume you are getting installation
+directions from the manufacturer.</p> <a name="FOOTNOTE-2"/>
+<p><a href="#FNPTR-2">[2]</a> Make sure to use the same netmask as all other systems on the
+network. You can find the netmask in use by checking with Unix or
+Windows systems that have already been configured.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> Keep in mind that IP addresses ending
+in .0 are reserved for network addresses and that ones ending in .255
+are for broadcast addresses. These should never be assigned to any
+system on the network.</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> To be more explicit about
+this, the system will identify itself to the network as a b-node
+rather than an h-node.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> We put the
+names of the <em class="filename">LMHOSTS</em> and
+<em class="filename">HOSTS</em> files in uppercase for additional
+clarity&mdash;to remind you that we are referring to the files on
+Windows rather than on Unix, and because that's the
+way we see them in other books on Windows. The case of the letters in
+the two names actually does not matter.</p> <a name="FOOTNOTE-6"/> <p><a href="#FNPTR-6">[6]</a> The address 127.0.0.1 is known as the
+<em class="emphasis">localhost</em> address and always refers to itself.
+For example, if you type <tt class="literal">ping</tt>
+<tt class="literal">127.0.0.1</tt> on a Unix server, you should always get
+a response, because you're pinging the host
+itself.</p> <a name="FOOTNOTE-7"/> <p><a href="#FNPTR-7">[7]</a> This update is supplied in
+various update packages issued by Microsoft.</p> <a name="FOOTNOTE-8"/> <p><a href="#FNPTR-8">[8]</a> Notice how in Windows NT,
+some clients are called &quot;services&quot;!
+In these directions, we will conform to Microsoft's
+terminology.</p> <a name="FOOTNOTE-9"/> <p><a href="#FNPTR-9">[9]</a> If there is a My Network Places
+item in the Start menu at this point, you can save yourself a little
+time and just click that. If you don't see it,
+don't worry; it will appear automatically
+later.</p> </blockquote>
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+</body></html>
diff --git a/docs/htmldocs/using_samba/ch04.html b/docs/htmldocs/using_samba/ch04.html
new file mode 100644
index 0000000000..02cc979284
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch04.html
@@ -0,0 +1,2556 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 4. Windows NT Domains</h1>
+
+
+
+<p><a name="INDEX-1"/>In previous
+chapters, we've focused on workgroup networking to
+keep things simple and introduce you to networking with Samba in the
+most painless manner we could find. However, workgroup computing has
+its drawbacks, and for many computing environments, the greater
+security and single logon of the Windows NT domain make it worthwhile
+to spend the extra effort to implement a domain.</p>
+
+<p>In addition to the domain features of
+<a name="INDEX-2"/>that we discussed in <a href="ch01.html">Chapter 1</a>, having a domain makes it possible to use
+<em class="firstterm">logon scripts</em><a name="INDEX-3"/> and <em class="firstterm">roaming profiles
+</em><a name="INDEX-4"/>(also called<em class="firstterm"> roving
+profiles</em><a name="INDEX-5"/>). A logon
+script is a text file of commands that are run during startup, and a
+profile is a collection of information regarding the desktop
+environment, including the contents of the Start menu, icons that
+appear on the desktop, and other characteristics about the GUI
+environment that users are allowed to customize. A roaming profile
+can follow its owner from computer to computer, allowing her to have
+the same familiar interface appear wherever she logs on.</p>
+
+<p>A Windows NT domain offers centralized control over the network.
+<em class="firstterm">Policies</em><a name="INDEX-6"/> can be set up by an administrator to
+define aspects of the users' environment and limit
+the amount of control they have over the network and their computers.
+It is also possible for administrators to perform remote
+administration of the domain controllers from any Windows NT/2000/XP
+workstation.</p>
+
+<p>Samba 2.2 has the ability to act as a primary domain controller,
+supporting domain logons from Windows 95/98/Me/NT/2000/XP computers
+and allowing Windows NT/2000/XP<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> systems to join the domain as domain
+member servers. Samba can also join a domain as a member server,
+allowing the primary domain controller to be a Windows NT/2000 system
+or another Samba server.</p>
+
+<a name="samba2-CHP-4-NOTE-100"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Samba 2.2 does not support <a name="INDEX-7"/><a name="INDEX-8"/><a name="INDEX-9"/>LDAP and <a name="INDEX-10"/>Kerberos authentication of Active
+Directory, so it cannot act as a Windows 2000 Active Directory domain
+controller. However, Samba can be added to an Active Directory domain
+as a member server, with the Windows 2000 domain controllers running
+in either mixed or native mode. The Windows 2000 server (even if it
+is running in native mode) supports the Samba server by acting as a
+<a name="INDEX-11"/><a name="INDEX-12"/>PDC emulator, using the Windows NT
+style of authentication rather than the Kerberos style.</p>
+</blockquote>
+
+<p>If you're adding a Samba server to a network that
+has already been set up, you won't have to decide
+whether to use a workgroup or a domain; you will simply have to be
+compatible with what's already in place. If you do
+have a choice, we suggest you evaluate both workgroup and domain
+computing carefully before rolling out a big installation. You will
+have a lot of work to do if you later need to convert one to the
+other. One last thought on this matter is that Microsoft is
+developing Windows in the direction of increased use of domains and
+is intending that eventually Windows networks be composed solely of
+Active Directory domains. If you implement a Windows NT domain now,
+you'll be in a better position to transition to
+Active Directory later, after Samba has better support for it.</p>
+
+<p>In this chapter, we cover various topics directly related to using
+Samba in a Windows NT domain, including:</p>
+
+<ul><li>
+<p>Configuring and using Samba as the primary domain controller</p>
+</li><li>
+<p>Setting up Windows 95/98/Me systems to log on to the domain</p>
+</li><li>
+<p>Implementing user-level security on Windows 95/98/Me</p>
+</li><li>
+<p>Adding Windows NT/2000/XP systems to the domain</p>
+</li><li>
+<p>Configuring logon scripts, roaming profiles, and system policies</p>
+</li><li>
+<p>Adding a Samba server to a domain as a member server</p>
+</li></ul>
+
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-1"/>
+
+<h2 class="head1">Samba as the Primary Domain Controller</h2>
+
+<p><a name="INDEX-13"/>Samba 2.2
+is able to handle the most desired functions of a primary domain
+controller in a Windows NT domain, handling domain logons and
+authentication for accessing shared resources, as well as supporting
+logon scripts, roaming profiles, and system policies.</p>
+
+<a name="samba2-CHP-4-NOTE-101"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>You will need to use at least Samba 2.2 to ensure that PDC
+functionality for Windows NT/2000/XP clients is present. Prior to
+Samba 2.2, only limited user authentication for NT clients was
+present.</p>
+</blockquote>
+
+<p>In this section, we will show you how to configure Samba as a PDC for
+use with Windows 95/98/Me and Windows NT/2000/XP clients. The two
+groups of Windows versions interact differently within domains, and
+in some cases are supported in slightly different ways. If you know
+you are going to be using only Windows 95/98/Me or Windows
+NT/2000/XP, you can set up Samba to support only that group. However,
+there isn't any harm in supporting both at the same
+time.</p>
+
+<a name="samba2-CHP-4-NOTE-102"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you would like more information on how to set up
+<a name="INDEX-14"/>domains, see the file
+<em class="filename">Samba-PDC-HOWTO.html</em><a name="INDEX-15"/>
+in the <em class="filename">docs/htmldocs</em> directory of the Samba
+source distribution.</p>
+</blockquote>
+
+<p>Samba must be the only domain controller for the domain. Make sure
+that a PDC isn't already active, and that there are
+no backup domain controllers. Samba 2.2 is not able to communicate
+with backup domain controllers, and having domain controllers in your
+domain with unsynchronized data would result in a very dysfunctional
+network.</p>
+
+<a name="samba2-CHP-4-NOTE-103"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Although Samba 2.2 cannot function as, or work with, a Windows NT
+<a name="INDEX-16"/><a name="INDEX-17"/>BDC, it is possible to set up
+another Samba server to act as a backup for a Samba PDC. For further
+information, see the file
+<em class="filename">Samba-BDC-HOWTO.html</em><a name="INDEX-18"/>
+in the <em class="filename">docs/htmldocs</em> directory of the Samba
+source distribution.</p>
+</blockquote>
+
+<p>Configuring Samba to be a PDC is a matter of modifying the
+<em class="filename">smb.conf</em> file, creating some directories, and
+restarting the server.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-1.1"/>
+
+<h3 class="head2">Modifying smb.conf</h3>
+
+<p>First you will need to start with an
+<em class="filename">smb.conf</em><a name="INDEX-19"/><a name="INDEX-20"/> file that correctly configures Samba for
+workgroup computing, such as the one we created in <a href="ch02.html">Chapter 2</a>, and insert the following lines into the
+<tt class="literal">[global]</tt> section:</p>
+
+<blockquote><pre class="code">[global]
+    ; use the name of your Samba server instead of toltec
+    ; and your own workgroup instead of METRAN
+    netbios name = toltec
+    workgroup = METRAN
+    encrypt passwords = yes
+        
+    domain master = yes
+    local master = yes
+    preferred master = yes
+    os level = 65
+
+    security = user
+    domain logons = yes
+    
+    ; logon path tells Samba where to put Windows NT/2000/XP roaming profiles
+    logon path = \\%L\profiles\%u\%m
+    logon script = logon.bat
+
+    logon drive = H:
+    ; logon home is used to specify home directory and
+    ; Windows 95/98/Me roaming profile location
+    logon home = \\%L\%u\.win_profile\%m
+    
+    time server = yes
+
+    ; instead of jay, use the names of all users in the Windows NT/2000/XP
+    ; Administrators group who log on to the domain
+    domain admin group = root jay
+
+    ; the below works on Red Hat Linux - other OSs might need a different command
+    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>
+
+<p>And after the <tt class="literal">[global]</tt> section, add these three
+new shares:</p>
+
+<blockquote><pre class="code">[netlogon]
+    path = /usr/local/samba/lib/netlogon
+    writable = no
+    browsable = no
+
+[profiles]
+    ; you might wish to use a different directory for your
+    ; Windows NT/2000/XP roaming profiles
+    path = /home/samba-ntprof
+    browsable = no
+    writable = yes
+    create mask = 0600
+    directory mask = 0700
+
+[homes]
+    read only = no
+    browsable = no
+    guest ok = no
+    map archive = yes</pre></blockquote>
+
+<p>Now for the explanation. If you are comparing this example to the
+configuration file presented in <a href="ch02.html">Chapter 2</a>, you
+will notice that the first three parameter settings are similar. We
+start out in the <tt class="literal">[global]</tt> section by setting the
+NetBIOS name of the Samba server. We are using the default, which is
+the DNS hostname, but are being explicit because the NetBIOS name is
+used in UNCs that appear later in <em class="filename">smb.conf</em>. The
+next two lines, setting the workgroup name and choosing to use
+encrypted passwords, are identical to our
+<em class="filename">smb.conf</em> file from <a href="ch02.html">Chapter 2</a>.
+However, things are now a little different: even though it still
+reads &quot;workgroup&quot;, we are actually
+setting the name of the domain. For a workgroup, using encrypted
+passwords is optional; when using a domain, they are required.</p>
+
+<p>The next four lines set up our Samba PDC to handle browsing services.
+The line <tt class="literal">domain</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to be the
+domain master browser, which handles browsing services for the domain
+across multiple subnets if necessary. Although it looks very similar,
+<tt class="literal">local</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> does not cause Samba to
+be the master browser on the subnet, but merely tells it to
+participate in browser elections and allow itself to win. (These two
+lines are yet more default settings that we include to be clear.) The
+next two lines ensure that Samba wins the elections. Setting the
+<tt class="literal">preferred</tt> <tt class="literal">master</tt> parameter
+makes Samba force an election when it starts up. The
+<tt class="literal">os</tt> <tt class="literal">level</tt> parameter is set
+higher than that of any other system, which results in Samba winning
+that election. (At the time of this writing, an <tt class="literal">os</tt>
+level of 65 was sufficient to win over all versions of
+Windows&mdash;but make sure no other Samba server is set higher!) We
+make sure Samba is both the <a name="INDEX-21"/><a name="INDEX-22"/>domain and local master browser
+because Windows NT/2000 PDCs always reserve the domain master browser
+role for themselves and because Windows clients require things to be
+that way to find the primary domain controller. It is possible to
+allow another computer on the network to win the role of local master
+browser, but having the same server act as both domain and local
+masters is simpler and more efficient.</p>
+
+<p>The next two lines in the <tt class="literal">[global]</tt> section set up
+Samba to handle the actual domain logons. We set
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">user</tt> so that Samba will require a username and
+password. This is actually the same as in the workgroup setup we
+covered in <a href="ch01.html">Chapter 1</a> and <a href="ch02.html">Chapter 2</a> because it is the default. The only
+reason we're including it explicitly is to avoid
+confusion: another valid setting is <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">domain</tt>, but that is for
+having another (Windows or Samba) domain controller handle the logons
+and should never be found in the <em class="filename">smb.conf</em> of a
+Samba PDC. The next line, <tt class="literal">domain</tt>
+<tt class="literal">logons</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt>, is what tells Samba we want this server to
+handle domain logons.</p>
+
+<p>Defining a logon path is necessary for supporting
+<a name="INDEX-23"/><a name="INDEX-24"/>roaming profiles for
+Windows NT/2000/XP clients. The UNC
+<tt class="literal">\\%L\profiles\%u</tt> refers to a share held on the
+Samba server where the profiles are kept. The variables
+<tt class="literal">%L</tt> and <tt class="literal">%u</tt> are replaced by Samba
+with the name of the server and the username of the logged on user,
+respectively. The section in <em class="filename">smb.conf</em> defining
+the <tt class="literal">[profiles]</tt> share contains the definition of
+exactly where the profiles are kept on the server.
+We'll get back to this topic a bit later in this
+chapter.</p>
+
+<p>The <tt class="literal">logon</tt> <tt class="literal">script</tt>
+<tt class="literal">=</tt> <tt class="literal">logon.bat</tt> line specifies the
+name of an MS-DOS batch file that will be executed when the client
+logs on to the domain. The path specified here is relative to the
+<tt class="literal">[netlogon]</tt> share that is defined later in the
+<em class="filename">smb.conf</em> file.</p>
+
+<p>The settings of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and
+<tt class="literal">logon</tt> <tt class="literal">home</tt> have a couple of
+purposes. Setting <tt class="literal">logon</tt> <tt class="literal">drive</tt>
+<tt class="literal">=</tt> <tt class="literal">H</tt>: allows the home directory
+of the user to be connected to drive letter H on the client. The
+<tt class="literal">logon</tt> <tt class="literal">home</tt> parameter is set to
+the location of the home directory on the server, and again,
+<tt class="literal">%u</tt> is replaced at runtime by the logged on
+user's username. The home directory is used to store
+roaming profiles for Windows 95/98/Me clients. These parameters tie
+into the <tt class="literal">[homes]</tt> share that we are adding, as we
+will explain a bit later.</p>
+
+<p>Setting <tt class="literal">time</tt> <tt class="literal">server</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to advertise
+itself as a <a name="INDEX-25"/>time service for the network. This is
+optional.</p>
+
+<p>The <tt class="literal">domain</tt> <tt class="literal">admin</tt>
+<tt class="literal">group</tt> parameter exists as a short-term measure in
+Samba 2.2 to give Samba a list of users who have administrative
+privileges in the domain. The list should contain any Samba users who
+log on from Windows NT/2000/XP systems and are members of the
+Administrators or Domain Admins groups, if roaming profiles are to
+work correctly.</p>
+
+<p>The last parameter to add to the <tt class="literal">[global]</tt> section
+is <tt class="literal">add</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt>, and you will need it only if one or more
+of your clients is a Windows NT/2000/XP system. We will tell you more
+about this in <a href="ch04.html#samba2-CHP-4-SECT-2">Section 4.2</a> later in this chapter.</p>
+
+<p>The rest of the additions to <em class="filename">smb.conf</em> are the
+definitions for three <a name="INDEX-26"/><a name="INDEX-27"/>shares. The
+<tt class="literal">[netlogon]</tt><a name="INDEX-28"/> share is necessary for Samba to
+handle domain logons because Windows clients need to connect to it
+during the logon process and will fail if the share does not exist.
+Other than that, the only function of <tt class="literal">[netlogon]</tt>
+is to be a repository for logon scripts and system-policy files,
+which we shall cover in detail later in this chapter. The path to a
+directory on the Samba server is given, and because the clients only
+read logon scripts and system-policy files from the share, the
+<tt class="literal">writable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> definition is used to make the share read-only.
+Users do not need to see the share, so we set
+<tt class="literal">browsable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> to make the share invisible.</p>
+
+<p>The <tt class="literal">[profiles]</tt><a name="INDEX-29"/> share is needed for use with
+Windows NT/2000/XP roaming profiles. The path points to a directory
+on the Samba server where the profiles are kept, and in this case,
+the clients must be able to read and write the profile data. The
+<tt class="literal">create</tt> <tt class="literal">mask</tt> (read and write
+permitted for the owner only) and <tt class="literal">directory</tt>
+<tt class="literal">mask</tt> (read, write, and search permitted for the
+owner only) are set up such that a user's profile
+data can be read and written only by the user and not accessed or
+modified by anyone else.</p>
+
+<p>The <tt class="literal">[homes]</tt><a name="INDEX-30"/> share is necessary for our
+definitions of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and
+<tt class="literal">logon</tt> <tt class="literal">home</tt> to work. Samba uses
+the <tt class="literal">[homes]</tt> share to add the home directory of the
+user (found in <em class="filename">/etc/passwd</em> ) as a share. Instead
+of appearing as &quot;homes&quot;, the share
+will be accessible on the client through a folder having the same
+name as the user's username. We will cover this
+topic in more detail in <a href="ch09.html">Chapter 9</a>.</p>
+
+<p>At this point, you might want to run
+<em class="filename">testparm</em><a name="INDEX-31"/> to check your
+<em class="filename">smb.conf</em> file. <a name="INDEX-32"/><a name="INDEX-33"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-1.2"/>
+
+<h3 class="head2">Creating Directories on the Samba Server</h3>
+
+<p><a name="INDEX-34"/><a name="INDEX-35"/>The
+<tt class="literal">[netlogon]</tt> and <tt class="literal">[profiles]</tt>
+shares defined in our new <em class="filename">smb.conf</em> file
+reference directories on the Samba server, and it is necessary to
+create those directories with the proper permissions:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/lib/netlogon</b></tt>
+# <tt class="userinput"><b>chmod 775 /usr/local/samba/lib/netlogon</b></tt>
+# <tt class="userinput"><b>mkdir /home/samba-ntprof</b></tt>
+# <tt class="userinput"><b>chmod 777 /home/samba-ntprof</b></tt></pre></blockquote>
+
+<p>The directory names we use are just examples. You are free to choose
+your own.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-1.3"/>
+
+<h3 class="head2">Restarting the Samba Server</h3>
+
+<p><a name="INDEX-36"/>At this
+point, the only thing left to do is restart the Samba server, and the
+changes will be put into effect:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/smb restart</b></tt></pre></blockquote>
+
+<p>(or use whatever method works on your system, as discussed in <a href="ch02.html">Chapter 2</a>.) The server is now ready to accept domain
+logons. <a name="INDEX-37"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-2"/>
+
+<h2 class="head1">Adding Computer Accounts</h2>
+
+<p>To interact in a domain, a Windows NT/2000/XP system must be a member
+of the domain. <a name="INDEX-38"/>Domain membership is implemented
+using <em class="firstterm">computer
+accounts,</em><a name="INDEX-39"/><a name="INDEX-40"/> which are similar to user
+accounts and allow a domain controller to keep information with which
+to authenticate computers on the network. That is, the domain
+controller must be able to tell if requests that arrive from a
+computer are coming from a computer that it
+&quot;knows&quot; as being part of the
+domain. Each Windows NT/2000/XP system in the domain has a computer
+account in the domain controllers' database, which
+on a Windows NT/2000 hosted domain is the <a name="INDEX-41"/>SAM
+database. Although Samba uses a different method (involving the
+<em class="filename">smbpasswd</em><a name="INDEX-42"/> file), it also treats computer accounts
+similarly to user accounts.</p>
+
+<p>To create a computer account, an administrator configures a Windows
+NT/2000/XP system to be part of the domain. For Samba 2.2, the
+&quot;<a name="INDEX-43"/><a name="INDEX-44"/>domain
+administrator&quot; is the <a name="INDEX-45"/><a name="INDEX-46"/>root account on the Samba
+server, and you will need to run the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a root</b></tt></pre></blockquote>
+
+<p>to add the root user to Samba's password database.
+In this case, do not provide <em class="filename">smbpasswd</em> with the
+same password as the actual root account on the server. Create a
+different password to be used solely for creating computer accounts.
+This will reduce the possibility of compromising the root password.</p>
+
+<p>When the computer account is created, two things must happen on the
+Samba server. An entry is added to the <em class="filename">smbpasswd</em>
+file, with a &quot;username&quot; that is the
+NetBIOS name of the computer with a dollar sign
+(<tt class="literal">$</tt>) appended to it. This part is handled by the
+<em class="emphasis">smbpasswd</em> command, and you do not need to
+perform any additional action to implement it.</p>
+
+<p>With Samba 2.2, an entry is also required in the
+<em class="filename">/etc/passwd</em> file<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> to give the computer account a
+user ID (UID) on the Samba server.</p> 
+
+<p>This account will never be used to
+log in to the Unix system, so it should not be given a valid home
+directory or login shell. To make this part work, you must set the
+<tt class="literal">add</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt> parameter in your Samba configuration file,
+using a command that adds the entry in the proper manner. On our Red
+Hat Linux system, we set <tt class="literal">add</tt>
+<tt class="literal">user</tt> <tt class="literal">script</tt> to:</p>
+
+<blockquote><pre class="code">/usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>
+
+<p>This command adds an entry in <em class="filename">/etc/passwd</em>
+similar to the following:</p>
+
+<blockquote><pre class="code">aztec$:x:505:100::/dev/null:/bin/false</pre></blockquote>
+
+<p>Again, notice that the username ends in a dollar sign. The user
+account shown has a &quot;home
+directory&quot; of <em class="filename">/dev/null</em>, a
+group ID (GID) of 100, and a &quot;login
+shell&quot; of <em class="filename">/bin/false</em>. The
+<em class="emphasis">-M</em> flag in our <em class="emphasis">useradd</em>
+command prevents it from creating the home directory. Samba replaces
+the <tt class="literal">%u</tt> variable in the
+<em class="emphasis">useradd</em> command with the NetBIOS name of the
+computer, including the trailing dollar sign. The basic idea here is
+to create an entry with a valid username and UID. These are the only
+parts that Samba uses. It is important that the UID be unique, not
+also used for other accounts&mdash;especially ones that are
+associated with Samba users.</p>
+
+<p>If you are using some other variety of Unix, you will need to replace
+our <em class="emphasis">useradd</em> command with a command that performs
+the same function on your system. If a command such as
+<em class="emphasis">useradd</em> does not come with your system, you can
+write a shell script yourself that performs the same function. In any
+case, the command should add a password hash that does not correspond
+to any valid password. For example, in the<em class="filename">
+/etc/shadow</em> file of our Linux server, we find the
+following two lines:</p>
+
+<blockquote><pre class="code">jay:%1%zQ7j7ok8$D/IubyRAY5ovM3bTrpUCn1:11566:0:99999:7:::
+zapotec$:!!:11625:0:99999:7:::</pre></blockquote>
+
+<p>The first line is for <tt class="literal">jay</tt>'s user
+account. The second field is the password hash&mdash;the long string
+between the first and second colons. The second line is for the
+computer account of <tt class="literal">zapotec</tt>, a domain member
+server. Its &quot;username&quot; ends with a
+dollar sign (<tt class="literal">$</tt>), and the second field in this case
+has been set to &quot;!!&quot;, which is an
+arbitrary string not produced from any password. Therefore, there is
+no valid password for this account on the Linux host. Just about any
+ASCII string can be used instead of
+&quot;!!&quot;. For example, you could use
+&quot;DISABLED&quot; instead.</p>
+
+<a name="samba2-CHP-4-NOTE-104"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>It is possible to <a name="INDEX-47"/><a name="INDEX-48"/><a name="INDEX-49"/><a name="INDEX-50"/>create the entries for
+<em class="filename">/etc/passwd</em> and <em class="filename">smbpasswd</em>
+manually; however, we suggest this method be used very carefully, and
+only for initial testing, or as a last resort. The reason for this is
+to maintain security. After the computer account has been created on
+the server, the next Windows NT/2000/XP system on the network with a
+matching NetBIOS name to log on to the domain will be associated with
+this account. This allows crackers a window of opportunity to take
+over computer accounts for their own purposes.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-3"/>
+
+<h2 class="head1">Configuring Windows Clients for Domain Logons</h2>
+
+<p><a name="INDEX-51"/>The client-side configuration for Windows
+clients is really simple. All you have to do is switch from workgroup
+to domain networking by enabling domain logons, and in the case of
+Windows NT/2000/XP, also provide the root password you gave
+<em class="filename">smbpasswd</em> for creating computer accounts. This
+results in the Windows NT/2000/XP system becoming a member of the
+domain.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.1"/>
+
+<h3 class="head2">Windows 95/98/Me</h3>
+
+<p><a name="INDEX-52"/><a name="INDEX-53"/>To
+enable domain logons with Windows 95/98/Me, open the Control Panel
+and double-click the Network icon. Then click Client for Microsoft
+Networks, and click the Properties button. At this point, you should
+see a dialog box similar to <a href="ch04.html#samba2-CHP-4-FIG-1">Figure 4-1</a>. Select the
+Logon to Windows Domain checkbox at the top of the dialog box, and
+enter the name of the domain as you have defined it with the
+<tt class="literal">workgroup</tt> parameter in the Samba configuration
+file. Then click OK, and reboot the machine when asked.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-1"/><img src="figs/sam2_0401.gif"/></div><h4 class="head4">Figure 4-1. Configuring a Windows 95/98 client for domain logons</h4>
+<a name="samba2-CHP-4-NOTE-105"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If <a name="INDEX-54"/>Windows complains that you are already
+logged into the domain, you probably have an active connection to a
+share in the workgroup (such as a mapped network drive). Simply
+disconnect the resource temporarily by right-clicking its icon and
+choosing the Disconnect pop-up menu item.</p>
+</blockquote>
+
+<p>When Windows reboots, you should see the standard logon dialog with
+an addition: a field for a domain. The domain name should already be
+filled in, so simply enter your password and click the OK button. At
+this point, Windows should consult the primary domain controller
+(Samba) to see if the password is correct. (You can check the log
+files if you want to see this in action.) If it worked,
+congratulations! You have properly configured Samba to act as a
+domain controller for Windows 95/98/Me machines, and your client is
+successfully connected.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.2"/>
+
+<h3 class="head2">User-Level Security for Windows 95/98/Me</h3>
+
+<p><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>Now that you have a primary domain
+controller to authenticate users, you can implement much better
+security for shares that reside on Windows 95/98/Me
+systems.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> To enable this functionality, open the
+Control Panel, double-click the Network icon, and click the Access
+Control tab in the dialog box. The window should now look like <a href="ch04.html#samba2-CHP-4-FIG-2">Figure 4-2</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-2"/><img src="figs/sam2_0402.gif"/></div><h4 class="head4">Figure 4-2. Setting user-level access control</h4>
+
+<p>Click the User-level access control radio button, and type in the
+name of your domain in the text area. Click the OK button. If you get
+the dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-3">Figure 4-3</a>, it means that
+shares are already on the system.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-3"/><img src="figs/sam2_0403.gif"/></div><h4 class="head4">Figure 4-3. Error dialog while changing to user-level access control</h4>
+
+<p>In that case, you might want to cancel the operation and make a
+record of each of the computer's shares, making it
+easier to re-create them, and then redo this part. (To get a list of
+shares, open an MS-DOS prompt window and run the
+<tt class="literal">net</tt> <tt class="literal">view</tt>
+<tt class="literal">\\</tt><em class="replaceable">computer_name</em>
+command.) Otherwise, you will get a message asking you to reboot to
+put the change in configuration into effect.</p>
+
+<p>After rebooting, you can create shares with user-level access
+control. To do this, right-click the folder you wish to share, and
+select Sharing.... This will bring up the Shared Properties dialog
+box, shown in <a href="ch04.html#samba2-CHP-4-FIG-4">Figure 4-4</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-4"/><img src="figs/sam2_0404.gif"/></div><h4 class="head4">Figure 4-4. The Shared Properties dialog</h4>
+
+<p>Click the Shared As: radio button, and give the share a name and
+comment. Then click the Add... button, and you will see the Add Users
+dialog box, shown in <a href="ch04.html#samba2-CHP-4-FIG-5">Figure 4-5</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-5"/><img src="figs/sam2_0405.gif"/></div><h4 class="head4">Figure 4-5. The Add Users dialog</h4>
+
+<p>What has happened is that Windows has contacted the primary domain
+controller (in this case, Samba) and requested a list of domain users
+and groups. You can now select a user or group and add it to one or
+more of the three lists on the righthand side of the window&mdash;for
+Read Only, Full Access, or Custom Control&mdash;by clicking the
+buttons in the middle of the window. When you are done, click the OK
+button. If you added any users or groups to the Custom Control list,
+you will be presented with the Change Access Rights dialog box, shown
+in <a href="ch04.html#samba2-CHP-4-FIG-6">Figure 4-6</a>, in which you can specify the rights
+you wish to allow. Then click the OK button to close the dialog box.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-6"/><img src="figs/sam2_0406.gif"/></div><h4 class="head4">Figure 4-6. The Change Access Rights dialog</h4>
+
+<p>You are now returned to the Shared Properties dialog box, where you
+will see the Name: and Access Rights: columns filled in with the
+permissions that you just created. Click the OK button to finalize
+the process. Remember, you will have to perform these actions on any
+folders that you had previously shared using share-level security.
+<a name="INDEX-58"/><a name="INDEX-59"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.3"/>
+
+<h3 class="head2">Windows NT 4.0</h3>
+
+<p><a name="INDEX-60"/><a name="INDEX-61"/>To
+configure Windows NT for domain logons, log in to the computer as
+Administrator or another user in the Administrators group, open the
+Control Panel, and double-click the Network icon. If it
+isn't already selected, click on the Network
+Identification tab.</p>
+
+<p>Click the Change... button, and you should see the dialog box shown
+in <a href="ch04.html#samba2-CHP-4-FIG-7">Figure 4-7</a>. In this dialog box, you can choose
+to have the Windows NT client become a member of the domain by
+clicking the checkbox marked Domain: in the Member of box. Then type
+in the name of the domain to which you wish the client to log on; it
+should be the same as the one you specified using the
+<tt class="literal">workgroup</tt> parameter in the Samba configuration
+file. Click the checkbox marked Create a Computer Account in the
+Domain, and fill in &quot;root&quot; for the
+text area labeled User Name:. In the Password: text area, fill in the
+root password you gave <em class="emphasis">smbpasswd</em> for creating
+computer accounts.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-7"/><img src="figs/sam2_0407.gif"/></div><h4 class="head4">Figure 4-7. Configuring a Windows NT client for domain logons</h4>
+<a name="samba2-CHP-4-NOTE-106"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If Windows complains that you are already logged in, you probably
+have an active connection to a share in the workgroup (such as a
+mapped network drive). Disconnect the resource temporarily by
+right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
+</blockquote>
+
+<p>After you press the OK button, Windows should present you with a
+small dialog box welcoming you to the domain. Click the Close button
+in the Network dialog box, and reboot the computer as requested. When
+the system comes up again, the machine will automatically present you
+with a logon screen similar to the one for Windows 95/98/Me clients,
+except that the domain text area has a drop-down menu so that you can
+opt to log on to either the local system or the domain. Make sure
+your domain is selected, and log on to the domain using any
+Samba-enabled user account on the Samba server.</p>
+<a name="samba2-CHP-4-NOTE-107"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Be sure to select the correct domain in the Windows NT logon dialog
+box. Once it is selected, it might take a moment for Windows NT to
+build the list of available domains.</p>
+</blockquote>
+
+<p>After you enter the password, Windows NT should consult the primary
+domain controller (Samba) to see if the password is correct. Again,
+you can check the log files if you want to see this in action. If it
+worked, you have successfully configured Samba to act as a domain
+controller for Windows NT machines. <a name="INDEX-62"/><a name="INDEX-63"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.4"/>
+
+<h3 class="head2">Windows 2000</h3>
+
+<p><a name="INDEX-64"/><a name="INDEX-65"/>To
+configure Windows 2000 for domain logons, log in to the computer as
+Administrator or another user in the Administrators group, open the
+Control Panel, and double-click the System icon to open the System
+Properties dialog box. Click the Network Identification tab, and then
+click the Properties button. You should now see the Identification
+Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-8">Figure 4-8</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-8"/><img src="figs/sam2_0408.gif"/></div><h4 class="head4">Figure 4-8. The Identification Changes dialog</h4>
+
+<p>Click the radio button labeled
+&quot;Domain:&quot; and fill in the name of
+your domain in the text-entry area. Then click the OK button. This
+will bring up the Domain Username and Password dialog box. Enter
+&quot;root&quot; for the username. For the
+password, use the password that you gave to
+<em class="emphasis">smbpasswd</em> for the root account.</p>
+<a name="samba2-CHP-4-NOTE-108"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If Windows complains that you are already logged in, you probably
+have an active connection to a share in the workgroup (such as a
+mapped network drive). Disconnect the resource temporarily by
+right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
+</blockquote>
+
+<p>After you press the OK button, Windows should present you with a
+small dialog box welcoming you to the domain. When you click the OK
+button in this dialog box, you will be told that you need to reboot
+the computer. Click the OK button in the System Properties dialog
+box, and reboot the computer as requested. When the system comes up
+again, the machine will automatically present you with a Log On to
+Windows dialog box similar to the one shown in <a href="ch04.html#samba2-CHP-4-FIG-9">Figure 4-9</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-9"/><img src="figs/sam2_0409.gif"/></div><h4 class="head4">Figure 4-9. The Windows 2000 logon window</h4>
+
+<p>If you do not see the Log on to: drop-down menu, click the Options
+&lt;&lt; button and it will appear. Select your domain, rather than
+the local computer, from the menu.</p>
+<a name="samba2-CHP-4-NOTE-109"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Be sure to select the correct domain in the logon dialog box. Once it
+is selected, it might take a moment for Windows to build the list of
+available domains.</p>
+</blockquote>
+
+<p>Enter the username and password of any Samba-enabled user in the User
+name: and Password: fields, and either press the Enter key or click
+the OK button. If it worked, your Windows session will start up with
+no error dialogs. <a name="INDEX-66"/><a name="INDEX-67"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.5"/>
+
+<h3 class="head2">Windows XP Home</h3>
+
+<p><a name="INDEX-68"/>You have our
+condolences if you are trying to use the Home edition of Windows XP
+in a domain environment! Microsoft has omitted support for Windows NT
+domains from Windows XP Home, resulting in a product that is
+ill-suited for use in a domain-based network.</p>
+
+<p>On the client side, Windows XP Home users cannot log on to a Windows
+NT domain. Although it is still possible to access domain resources,
+a username and password must be supplied each time the user connects
+to a resource, rather than the &quot;single
+signon&quot; of a domain logon. Domain features such as
+logon scripts and roaming profiles are not supported.</p>
+
+<p>As a server, Windows XP Home cannot join a Windows NT domain as a
+domain member server. It can serve files and printers, but only using
+share-mode (&quot;workgroup&quot;) security.
+It can't even use user-mode security, as Windows
+95/98/Me can.</p>
+
+<p>Considering these limitations, we do not recommend Windows XP Home
+for any kind of local area network computing.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-3.6"/>
+
+<h3 class="head2">Windows XP Professional</h3>
+
+<p><a name="INDEX-69"/><a name="INDEX-70"/>To configure Windows XP
+Professional for domain logons, log in to the computer as
+Administrator or another user in the Administrators group, open the
+Control Panel in Classic View, and double-click the System icon to
+open the System Properties dialog box. Click the Computer Name tab
+and then click the Change... button. You should now see the Computer
+Name Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-10">Figure 4-10</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-10"/><img src="figs/sam2_0410.gif"/></div><h4 class="head4">Figure 4-10. The Computer Name Changes dialog</h4>
+
+<p>Click the radio button labeled
+&quot;Domain:&quot;, and fill in the name of
+your domain in the text-entry area. Then click the OK button. This
+will bring up the Domain Username and Password dialog box. Enter
+&quot;root&quot; for the username. For the
+password, use the password that you gave to
+<em class="emphasis">smbpasswd</em> for the root account.</p>
+<a name="samba2-CHP-4-NOTE-110"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If Windows complains that you are already logged in, you probably
+have an active connection to a share in the workgroup (such as a
+mapped network drive). Disconnect the resource temporarily by
+right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
+</blockquote>
+
+<p>After you press the OK button, Windows should present you with a
+small dialog box welcoming you to the domain. When you click the OK
+button in this dialog box, you will be told that you need to reboot
+the computer to put the changes into effect. Click the OK buttons in
+the dialog boxes to close them, and reboot the computer as requested.
+When the system comes up again, the machine will automatically
+present you with a Log On to Windows dialog box similar to the one
+shown in <a href="ch04.html#samba2-CHP-4-FIG-11">Figure 4-11</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-11"/><img src="figs/sam2_0411.gif"/></div><h4 class="head4">Figure 4-11. The Windows XP logon window</h4>
+
+<p>If you get a dialog box at this point that tells you the domain
+controller cannot be found, the solution is to change a registry
+setting as follows.</p>
+
+<p>Open the Start Menu and click the Run... menu item. In the text area
+in the dialog box that opens, type in
+&quot;regedit&quot; and click the OK button
+to start the Registry Editor. You will be editing the registry, so
+follow the rest of the directions very carefully. Click the
+&quot;<tt class="literal">+</tt>&quot; button next
+to the HKEY_LOCAL_MACHINE folder, and in the contents that open up,
+click the &quot;<tt class="literal">+</tt>&quot;
+button next to the SYSTEM folder. Continue in the same manner to open
+CurrentControlSet, then Services, then Netlogon. (You will have to
+scroll down many times to find Netlogon in the list of services.)
+Then click the Parameters folder, and you will see items appear in
+the right side of the window. Double-click
+&quot;requiresignorseal&quot;, and a dialog
+box will open. In the Value data: text area, change the
+&quot;1&quot; to a
+&quot;0&quot; (zero), and click the OK
+button, which modifies the registry both in memory and on disk. Now
+close the Registry Editor and log off and back on again.</p>
+
+<p>If you do not see the Log on to: drop-down menu, click the Options
+&lt;&lt; button and it will appear. Select your domain from the menu,
+rather than the local computer.</p>
+<a name="samba2-CHP-4-NOTE-111"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Be sure to select the correct domain in the logon dialog box. Once it
+is selected, it might take a moment for Windows to build the list of
+available domains.</p>
+</blockquote>
+
+<p>Enter the username and password of any Samba-enabled user in the User
+name: and Password: fields, and either press the Enter key or click
+the OK button. If it worked, your Windows session will start up with
+no error dialogs. <a name="INDEX-71"/> <a name="INDEX-72"/><a name="INDEX-73"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-4"/>
+
+<h2 class="head1">Logon Scripts</h2>
+
+<p><a name="INDEX-74"/>After a Windows client connects with a
+domain controller (either to authenticate a user, in the case of
+Windows 95/98/Me, or to log on to the domain, in the case of Windows
+NT/2000/XP), the client downloads an MS-DOS batch file to run. The
+domain controller supplies the file assuming one has been made
+available for it. This batch file is the logon script and is useful
+in setting up an initial environment for the user.</p>
+
+<p>In a Unix environment, the ability to run such a script might lead to
+a very complex initialization and deep customization. However, the
+Windows environment is mainly oriented to the GUI, and the
+command-line functions are more limited. Most commonly, the logon
+script is used to run a <em class="emphasis">net</em> command, such as
+<em class="emphasis">net use</em><a name="INDEX-75"/>, to connect a network drive letter,
+like this:</p>
+
+<blockquote><pre class="code">net use T: \\toltec\test</pre></blockquote>
+
+<p>This command will make our <tt class="literal">[test]</tt> share (from
+<a href="ch02.html">Chapter 2</a>) show up as the T: drive in My Computer.
+This will happen automatically, and T: will be available to the user
+at the beginning of her session, instead of requiring her to run the
+<em class="emphasis">net use</em> command or connect the T: drive using
+the Map Network Drive function of Windows Explorer.</p>
+
+<p>Another useful command is:</p>
+
+<blockquote><pre class="code">net use H: /home</pre></blockquote>
+
+<p>which <a name="INDEX-76"/><a name="INDEX-77"/>connects the
+user's home directory to a drive letter (which can
+be H:, as shown here, or some other letter, as defined by
+<tt class="literal">logon</tt> <tt class="literal">drive</tt>). For this to work,
+you must have a <tt class="literal">[homes]</tt> share defined in your
+<em class="filename">smb.conf</em> file.</p>
+
+<p>If you are using <a name="INDEX-78"/><a name="INDEX-79"/>roaming profiles, you should definitely
+have:</p>
+
+<a name="INDEX-80"/><blockquote><pre class="code">net time \\<em class="replaceable">toltec</em> /set /yes</pre></blockquote>
+
+<p>in your logon script. (As usual, replace
+&quot;toltec&quot; with the name of your
+Samba PDC.) This will make sure the clocks of the Windows clients are
+synchronized with the PDC, which is important for roaming profiles to
+work correctly.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-4.1"/>
+
+<h3 class="head2">Creating a Logon Script</h3>
+
+<p><a name="INDEX-81"/>In our
+<em class="filename">smb.conf</em> file, we have the line:</p>
+
+<a name="INDEX-82"/><blockquote><pre class="code">logon script = logon.bat</pre></blockquote>
+
+<p>This defines the location and name of the logon script batch file on
+the Samba server. The path is relative to the
+<tt class="literal">[netlogon]</tt><a name="INDEX-83"/> share, defined later in the
+file like this:</p>
+
+<blockquote><pre class="code">[netlogon]
+    path = /usr/local/samba/lib/netlogon
+    writable = no
+    browsable = no</pre></blockquote>
+
+<p>With this example, the logon script is
+<em class="filename">/user/local/samba/lib/netlogon/logon.bat</em>. We
+include the directives <tt class="literal">writable</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt>, to make sure network
+clients cannot change anything in the <tt class="literal">[netlogon]</tt>
+share, and also <tt class="literal">browsable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt>, which keeps them from even seeing the share
+when they browse the contents of the server. Nothing in
+<tt class="literal">[netlogon]</tt> should ever be modified by
+nonadministrative users. Also, the permissions on the directory for
+<tt class="literal">[netlogon]</tt> should be set appropriately (no write
+permissions for &quot;other&quot; users), as
+we showed you earlier in this chapter.</p>
+
+<p>Notice also that the extension of our logon script is
+<em class="filename">.bat</em><a name="INDEX-84"/>. Be careful about this&mdash;an extension
+of <em class="filename">.cmd</em><a name="INDEX-85"/> will work for Windows NT/2000/XP clients,
+but will result in errors for Windows 95/98/Me clients, which do not
+recognize <em class="filename">.cmd</em> as an extension for batch files.</p>
+
+<p>Because the logon script will be executed on a Windows system, it
+must be in MS-DOS text-file format, with the end of line composed of
+a carriage return followed by a linefeed. The Unix convention is a
+newline, which is simply a linefeed character, so if you use a Unix
+text editor to create your logon script, you must somehow make it use
+the appropriate characters. With
+<em class="emphasis">vim</em><a name="INDEX-86"/><a name="INDEX-87"/> (a clone of the <em class="emphasis">vi</em>
+editor that is distributed with Red Hat Linux), the method is to
+create a new file and use the command:</p>
+
+<blockquote><pre class="code">:se ff=dos</pre></blockquote>
+
+<p>to set the file format to MS-DOS style before typing in any text.
+With <em class="emphasis">emacs</em><a name="INDEX-88"/>, the same can be done using the command:</p>
+
+<blockquote><pre class="code">^X <em class="replaceable">Enter</em> f dos <em class="replaceable">Enter</em></pre></blockquote>
+
+<p>where <tt class="literal">^X</tt> is a Control-X character and
+<tt class="literal">Enter</tt> is a press of the Enter key. Another method
+is to create a Unix-format file in any text editor and then convert
+it to MS-DOS format using the
+<em class="emphasis">unix2dos</em><a name="INDEX-89"/> program:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>unix2dos unix_file &gt;logon.bat</b></tt></pre></blockquote>
+
+<p>If your system does not have <em class="emphasis">unix2dos</em>,
+don't worry. You can implement it yourself with the
+following two-line Perl script:</p>
+
+<blockquote><pre class="code">#!/usr/bin/perl
+open FILE, $ARGV[0];
+while (&lt;FILE&gt;) { s/$/\r/; print }</pre></blockquote>
+
+<p>Or, you can use Notepad on a Windows system to write your script and
+then drag the logon script over to a folder on the Samba server. In
+any case, you can <a name="INDEX-90"/>check the format of your script using
+the <em class="emphasis">od</em><a name="INDEX-91"/> command, like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>od -c logon.bat</b></tt></pre></blockquote>
+
+<p>You should see output resembling this:</p>
+
+<blockquote><pre class="code">0000000   n  e  t     u  s  e      T   :    \  \  t  o  l
+0000020   t  e  c  \  t  e  s  t  \r  \n
+0000032</pre></blockquote>
+
+<p>The important detail here is that at the end of each line is a
+<tt class="literal">\r</tt> <tt class="literal">\n</tt>, which is a carriage
+return followed by a linefeed.</p>
+
+<p>Our example logon script, containing a single <em class="emphasis">net
+use</em> command, was created and set up in a way that allows
+it to be run successfully on any Windows client, regardless of which
+Windows version is installed on the client and which user is
+authenticating or logging on to the domain. But what if we need to
+have different users, computers, or Windows versions running
+different logon scripts?</p>
+
+<p>One method is to use variables inside the <a name="INDEX-92"/>logon script that cause commands to be
+conditionally executed. For details on how to do this, you can
+consult a reference on batch-file programming for MS-DOS and Windows
+NT command language. One such reference is <em class="citetitle">Windows NT
+System Administration</em>, published by
+O'Reilly.</p>
+
+<p>Windows batch-command language is very limited in functionality.
+Fortunately, Samba also supports a means by which customization can
+be handled. The
+<em class="filename">smb.conf</em><a name="INDEX-93"/><a name="INDEX-94"/> file contains variables that can be
+used to insert (at runtime) the name of the server
+(<tt class="literal">%L</tt><a name="INDEX-95"/>), the username of the person who is
+accessing the server's resources
+(<tt class="literal">%u</tt><a name="INDEX-96"/>), or the computer name of the client
+system (<tt class="literal">%m</tt><a name="INDEX-97"/>). To give an example, if we set up the
+path to the logon script as:</p>
+
+<blockquote><pre class="code">logon script = %u/logon.bat</pre></blockquote>
+
+<p>we would then put a directory for each user in the
+<tt class="literal">[netlogon]</tt> share, with each directory named the
+same as the user's username, and in each directory
+we would put a customized <em class="filename">logon.bat</em> file. Then
+each user would have his own custom logon script. We will give you a
+better example of how to do this kind of thing in the next section,
+<a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a>.</p>
+
+<a name="samba2-CHP-4-NOTE-112"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>For more information on Samba configuration file variables, such as
+the <tt class="literal">%L</tt>, <tt class="literal">%u</tt>, and
+<tt class="literal">%m</tt> variables we just used, see <a href="ch06.html">Chapter 6</a> and <a href="appb.html">Appendix B</a>.</p>
+</blockquote>
+
+<p>When modifying and testing your logon script, don't
+just log off of your Windows session and log back on to make your
+script run. Instead, restart (reboot) your system before logging back
+on. Because Windows often keeps the <tt class="literal">[netlogon]</tt>
+share open across logon sessions, the reboot ensures that Windows and
+Samba have completely released and reconnected the
+<tt class="literal">[netlogon]</tt> share, and the new version of the logon
+script is being run while logging on.</p>
+
+<p>More information regarding <a name="INDEX-98"/>logon scripts can be found in the
+O'Reilly book, <em class="emphasis">Managing Windows NT
+Logons</em>. <a name="INDEX-99"/> <a name="INDEX-100"/><a name="INDEX-101"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-5"/>
+
+<h2 class="head1">Roaming Profiles</h2>
+
+<p><a name="INDEX-102"/>One benefit of the centralized
+authentication of Windows NT domains is that a user
+<a name="INDEX-103"/>can log on from more than just one
+computer. To help users feel more &quot;at
+home&quot; when logged on at a computer other than their
+usual one, Microsoft has added the ability for
+users' personal settings to
+&quot;roam&quot; from one computer to
+another.</p>
+
+<p>All Windows versions can be configured individually for each user of
+the computer. Windows NT/2000/XP supports the ability to handle
+multiple user accounts, and Windows 95/98/Me can be configured for
+use by multiple users, keeping the configuration settings for each
+user separate. Each user can configure the
+computer's settings to her liking, and the system
+saves these settings as the user's
+<em class="firstterm">profile</em>, such that upon logging on to the
+system, the user is presented with her familiar desktop.</p>
+
+<p>Some of the settings, such as folder options or the image used for
+the desktop background, are held in the registry. Others, including
+the documents and folders appearing on the desktop and the contents
+of the Start menu, are stored as folders and files in the filesystem.</p>
+
+<p>When the profile is stored on the local system, it is called a
+<em class="firstterm">local profile</em><a name="INDEX-104"/>. On Windows NT, local profiles are
+stored in <em class="filename">C:\winnt\profiles</em>. On Windows 2000/XP,
+they can be found in <em class="filename">C:\Documents and Settings.
+</em>On Windows 95/98/Me, when configured for a single user
+(the default case), the local profile is scattered in places such as
+the registry and directories such as
+<em class="filename">C:\Windows\Desktop</em> and
+<em class="filename">C:\Windows\Start Menu</em>. When Windows 95/98/Me is
+configured for multiple users, the local profile of the preexisting
+user is moved to a folder in <em class="filename">C:\Windows\Profiles</em>
+that has the same name as the user, and any users that are
+subsequently added to the computer have their local profiles created
+in that directory as well. You can browse through the local profiles
+to see their structure&mdash;each has a <a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><a name="INDEX-108"/><a name="INDEX-109"/>registry file
+(<em class="filename">USER.DAT</em><a name="INDEX-110"/><a name="INDEX-111"/> for Windows 95/98/Me and
+<em class="filename">NTUSER.DAT</em><a name="INDEX-112"/><a name="INDEX-113"/> for Windows NT/2000/XP) and some folders
+that contain shortcuts and documents.</p>
+
+<p>A roaming profile is a user profile that is stored on a server and
+&quot;follows&quot; its owner around the
+network so that when the user logs on to the domain from another
+computer, his profile is downloaded from the server and his familiar
+desktop appears on that computer as well.</p>
+<a name="samba2-CHP-4-NOTE-113"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p><a name="INDEX-114"/>Samba can
+support roaming profiles, and it is a fairly simple matter to
+configure it for them. However, this is one feature that we recommend
+you <em class="emphasis">do not</em> use, at least until you are sure you
+understand roaming profiles well and are very confident that you can
+implement them with no harm incurred. If you want to (or are required
+to) implement roaming profiles for your Windows clients, we suggest
+you first set up a small domain with a Samba server and a few Windows
+clients exclusively for the purposes of research and testing.
+<em class="emphasis">Under no circumstances should you attempt to implement
+roaming profiles in a careless or frivolous manner</em>.</p>
+</blockquote>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.1"/>
+
+<h3 class="head2">How Roaming Profiles work</h3>
+
+<p><a name="INDEX-115"/>We will start out by explaining to you
+how roaming profiles work when set up correctly. You will need a
+clear understanding of them to tell the difference between when they
+are working as they are designed and when they are not. In addition,
+roaming profiles can be a source of confusion for your users in many
+ways, and you should know how to detect when a problem with a client
+is related to roaming profile function or dysfunction.</p>
+
+<a name="samba2-CHP-4-NOTE-114"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p><a name="INDEX-116"/>A definitive source of
+documentation on Windows NT roaming profiles is the Microsoft white
+paper <em class="citetitle">Implementing Policies and Profiles for Windows NT
+4.0</em><a name="INDEX-117"/>, which can be found at
+<a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
+</blockquote>
+
+<p>During the domain logon process, the roaming profile is copied from
+the domain controller and used as a local profile during the
+user's logon session. When the user logs off the
+domain, the local profile is copied back to the domain controller and
+stored as the new roaming profile. When the local profile is changed,
+the server does not receive an update until the user logs off the
+domain or shuts down or reboots the client. The client does not send
+an update to the server during the logon session, and a client does
+not receive an update of a setting changed on another client during a
+logon session. When the user does log off, changes in the
+configuration settings in the local profile are sent to the server,
+and the updates of the roaming profile are available for the next
+logon session.</p>
+
+<p>This simple behavior can lead to unexpected results when users are
+<a name="INDEX-118"/>logged on to the domain
+on more than one client at a time. If a user makes a change to the
+configuration settings on one client and then logs off, the settings
+can result in the roaming profile being modified accordingly. But the
+next client that logs off might cause those changes to be
+overwritten, and if so, the settings from the first client will be
+lost. The behavior of different Windows versions varies with regard
+to this, and we've seen a wide variety of
+behaviors&mdash;not always in alignment with
+Microsoft's documentation or even working the same
+way on separate occasions. Sometimes Windows will refuse to overwrite
+a profile, perhaps giving an &quot;access
+denied&quot; error, and at other times it will seem to
+work while producing odd side effects. A common source of confusion
+is what happens if a file is added to or deleted from the desktop,
+which is by default configured to be part of the profile. A deleted
+file might later reappear, and it is even possible for a file to
+irrecoverably disappear without warning (on Windows 95/98). Or maybe
+a file that is added to the desktop on one client never gets added to
+the roaming profile and fails to propagate to other clients. This
+behavior is somewhat improved on Windows 2000/XP, which attempts to
+merge items into the profile that are added on concurrently logged-on
+clients.</p>
+
+<p>One factor that comes into play is that Windows compares the
+<a name="INDEX-119"/>timestamps of the local and roaming
+profiles and can refuse to overwrite a roaming profile if it is newer
+than the local profile on the client, or vice versa. For this reason,
+it is important to keep the clocks of the Windows clients and the
+Samba PDC synchronized. We have already shown you how to do this,
+using the <em class="emphasis">net time
+\\</em><em class="replaceable">server</em>
+<em class="emphasis">/set</em> <em class="emphasis">/yes</em> command in the
+logon script.</p>
+
+<p><a name="INDEX-120"/>Even when the server and clients are
+correctly configured, a number of things that can happen make things
+seem &quot;broken.&quot; The most common
+occurrence is that some shortcuts on clients other than the one that
+created the roaming profile will not work. These shortcuts can exist
+on the desktop or as items in the Start menu. This behavior is a
+result of applications or files that exist on one computer but not
+others. Windows will display these shortcuts, but if they appear on
+the desktop, they will have a generic icon and will bring up an error
+message if a user double-clicks them.</p>
+
+<a name="samba2-CHP-4-NOTE-115"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Because profiles can and usually do include the contents of the
+desktop and other folders, it is possible for the roaming profile to
+grow to a huge size due to actions of a user, such as creating new
+files on the desktop or copying files there. By default, Internet
+Explorer keeps its disk cache in the <em class="filename">Temporary Internet
+Files</em><a name="INDEX-121"/><a name="INDEX-122"/> folder in the profile and has been
+known to populate this directory with thousands of files. This can
+result in a huge roaming profile that causes network congestion and
+very large delays while users are logging on to the domain. (A fix
+for this can be found in article Q185255 in the Microsoft Knowledge
+Base.)</p>
+</blockquote>
+
+<p>One behavior we've seen a few times is that if, for
+some reason (e.g., a network error or misconfiguration), the roaming
+profile is not available during the logon process, Windows will use
+the local profile on the client instead. When this happens, the user
+might receive an unfamiliar profile, and all the benefits of roaming
+profiles are lost for that logon session.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.2"/>
+
+<h3 class="head2">Configuring Samba for Roaming Profiles</h3>
+
+<p><a name="INDEX-123"/><a name="INDEX-124"/>In an ideal world, different Windows
+versions would share the same roaming profile, allowing users to log
+on to the domain from any Windows client system, ranging from Windows
+95 to Windows XP, and enjoy their familiar settings. It would even be
+possible to be logged on concurrently from multiple clients, and a
+change made to the profile on any of them would quickly propagate to
+all the others. Settings in a roaming profile made on a client that
+didn't apply to another would be handled sanely.</p>
+
+<p>Unfortunately, this scenario does not work in reality, and it is
+important to maintain separate roaming profiles to prevent different
+Windows versions from using or modifying a roaming profile created
+by, and/or in use by, another version.</p>
+
+<p>We do this by using configuration file variables to point to
+different profile directories. If you look at <a href="appb.html#samba2-APP-B-TABLE-1">Table B-1</a> in <a href="appb.html#samba2-APP-B#samba2-APP-B">Appendix B</a>, which shows
+the variables that can be used, you might be tempted to use the
+<a name="INDEX-125"/><tt class="literal">%a</tt> variable, which
+is replaced by the name of the operating system the client is
+running. However, this does not work because all of Windows 95/98/Me
+will be seen as the same operating system, and likewise for Windows
+2000/XP. So, we use <a name="INDEX-126"/><tt class="literal">%m</tt> to get the
+NetBIOS name of the client, and combine that with a symbolic link to
+point to the directory containing the profile for the Windows version
+that particular client is running.</p>
+
+<p>Our additions to <em class="filename">smb.conf</em> that appeared earlier
+in this chapter included the two lines:</p>
+
+<blockquote><pre class="code">logon path = \\%L\profiles\%u\%m
+logon home = \\%L\%u\.win_profile\%m</pre></blockquote>
+
+<p>The first line specifies where the roaming profiles for Windows
+NT/2000/XP clients are kept, and the second line performs the same
+function for Windows 95/98/Me clients. In both cases, the location is
+specified as a UNC, but
+<tt class="literal">logon</tt><a name="INDEX-127"/> <tt class="literal">path</tt> (for Windows
+NT/2000/XP) is specified relative to the
+<tt class="literal">[profiles]</tt> share, while
+<tt class="literal">logon</tt><a name="INDEX-128"/> <tt class="literal">home</tt> (for Windows
+95/98/Me) is specified relative to the user's home
+directory. This is done to comply with Samba's
+emulation of Windows NT/2000 PDC behavior.</p>
+
+<p>The <tt class="literal">logon</tt> <tt class="literal">home</tt> UNC must begin
+by specifying the user's home directory, which in
+our previous example would be <tt class="literal">\\%L\%u</tt>. The
+variable <tt class="literal">%L</tt><a name="INDEX-129"/> expands to the NetBIOS name of the
+server (in this case, toltec), and
+<tt class="literal">%u</tt><a name="INDEX-130"/> expands to the name of the user. This
+must be done to allow the command:</p>
+
+<a name="INDEX-131"/><blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net use h: /home</b></tt></pre></blockquote>
+
+<p>to function correctly to connect the user's home
+directory to drive letter H: on all Windows clients. (The drive
+letter used for this purpose is defined by <tt class="literal">logon</tt>
+<tt class="literal">drive</tt>.) We add the directory
+<em class="filename">.win_profile</em><a name="INDEX-132"/> to the UNC to put the Windows
+95/98/Me roaming profile in a subdirectory of the
+user's home directory.</p>
+<a name="samba2-CHP-4-NOTE-116"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Note that in both <tt class="literal">logon path</tt> and <tt class="literal">logon
+home</tt>, we absolutely avoid making the profile directory the
+same as the user's home directory, and the directory
+that contains the profile is not used for any other purpose. This is
+because when the roaming profile is updated, all directories and
+files in the roaming-profile directory that are not part of the
+roaming profile are deleted.</p>
+</blockquote>
+
+<p>In the <tt class="literal">logon</tt> <tt class="literal">path</tt> line in
+<em class="filename">smb.conf</em>, we use <tt class="literal">%u</tt> to put
+the profiles directory in a subdirectory in the
+<tt class="literal">[profiles]</tt> share, such that each user gets her own
+directory that holds her roaming profiles.</p>
+
+<p>We define the <tt class="literal">[profiles]</tt> share like this:</p>
+
+<blockquote><pre class="code">[profiles]
+    writable = yes
+    create mask = 0600
+    directory mask = 0700
+    browsable = no
+    path = /home/samba-ntprof</pre></blockquote>
+
+<p>The first four parameters in the previous share definition specify to
+allow roaming profiles to be written with the users'
+permissions, to create files with read and write permissions for the
+owner, and to create directories with read, write, and search
+permissions for the owner and no access allowed for other users. As
+with the <tt class="literal">[netlogon]</tt> share, we set
+<tt class="literal">browsable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> so that the share will not show up on the
+clients in Windows Explorer.</p>
+
+<p>We've decided to put our Windows NT/2000/XP profiles
+in <em class="filename">/home</em>, the default location of the home
+directories on Linux. This will make it simple to include the roaming
+profiles in backups of the home directories. You can use another
+directory if you like.</p>
+
+<p>Notice that in both <tt class="literal">logon</tt> <tt class="literal">path</tt>
+and <tt class="literal">logon</tt> <tt class="literal">home</tt>, the directory
+we specify ends in <tt class="literal">%m</tt>, which Samba replaces with
+the NetBIOS name of the client. We are using the
+client's computer name to identify indirectly which
+version of Windows it is running.</p>
+
+<p>Initially, the directories you specify to hold the roaming profiles
+will be empty and will become populated as clients log off for the
+first time. (Samba will even create the directories if they do not
+already exist.) At first, the directories will simply contain
+profiles that are identical to the clients' local
+profiles, and we highly recommend that you make a backup at this
+point before things get complicated. A listing of the roaming profile
+directory for user <tt class="literal">iman</tt>, after she has logged off
+from Windows 98 clients <tt class="literal">mixtec</tt> and
+<tt class="literal">pueblo</tt> and Windows Me clients
+<tt class="literal">huastec</tt> and <tt class="literal">navajo</tt>, might look
+something like the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
+total 4
+drwx------    6 iman      iman          4096 Dec  8 18:09 huastec
+drwx------    9 iman      iman          4096 Dec  7 03:47 mixtec
+drwx------   11 iman      iman          4096 Dec  7 03:05 navajo
+drwx------   11 iman      iman          4096 Dec  7 03:05 pueblo</pre></blockquote>
+
+<p>If things were left like this, the clients would not share their
+roaming profiles, so next we change from using separate directories
+to having symbolic links point to common directories:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mv mixtec Win98</b></tt>
+# <tt class="userinput"><b>mv navajo WinMe</b></tt>
+# <tt class="userinput"><b>rm huastec pueblo</b></tt>
+# <tt class="userinput"><b>ln -s Win98 pueblo</b></tt>
+# <tt class="userinput"><b>ln -s WinMe huastec</b></tt>
+# <tt class="userinput"><b>chown iman:iman *</b></tt>
+# <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
+total 6
+lrwxrwxrwx    1 iman      iman             5 Nov 16 01:40 huastec -&gt; WinMe
+lrwxrwxrwx    1 iman      iman             5 Nov 16 01:40 mixtec -&gt; Win98
+lrwxrwxrwx    1 iman      iman             5 Nov 21 17:24 navajo -&gt; WinMe
+lrwxrwxrwx    1 iman      iman             5 Nov 23 01:16 pueblo -&gt; Win98
+drwx------    9 iman      iman          4096 Dec  7 03:47 Win98
+drwx------   11 iman      iman          4096 Dec  7 03:05 WinMe</pre></blockquote>
+
+<p>Now when <tt class="literal">iman</tt> logs on to the domain from either
+Windows 98 system, the client from which she is logging on will get
+the profile stored in the <em class="filename">Win98</em> directory (that
+started out as her local profile on <tt class="literal">mixtec</tt>). This
+works likewise for the Windows Me clients.</p>
+
+<p>To show a more complete example, here is a listing of a fully
+operational Windows 95/98/Me profiles directory:</p>
+
+<a name="INDEX-133"/><blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/jay/.win_profile</b></tt>
+total 12
+lrwxrwxrwx    1 jay      jay             9 Nov 16 22:14 aztec -&gt; /home/jay
+lrwxrwxrwx    1 jay      jay             5 Nov 16 01:40 hopi -&gt; Win95
+lrwxrwxrwx    1 jay      jay             5 Nov 16 01:40 huastec -&gt; WinMe
+lrwxrwxrwx    1 jay      jay             5 Nov 16 01:38 maya -&gt; Win98
+lrwxrwxrwx    1 jay      jay             5 Nov 16 01:40 mixtec -&gt; Win98
+lrwxrwxrwx    1 jay      jay             5 Nov 21 17:24 navajo -&gt; WinMe
+lrwxrwxrwx    1 jay      jay             5 Nov 23 01:16 pueblo -&gt; Win98
+lrwxrwxrwx    1 jay      jay             5 Nov 22 02:06 ute -&gt; Win95
+drwx------    6 jay      jay          4096 Dec  8 18:09 Win95
+drwx------    9 jay      jay          4096 Dec  7 03:47 Win98
+drwx------   11 jay      jay          4096 Dec  7 03:05 WinMe
+lrwxrwxrwx    1 jay      jay             5 Nov 21 22:48 yaqui -&gt; Win98
+lrwxrwxrwx    1 jay      jay             9 Nov 16 22:14 zuni -&gt; /home/jay</pre></blockquote>
+
+<p>Again, the computer name of each client exists in this directory as a
+symbolic link that points to the directory containing the actual
+roaming profile. For example, <tt class="literal">maya</tt>, a client that
+runs Windows 98, has a symbolic link named <em class="filename">maya</em>
+to the <em class="filename">Win98</em> directory. A listing of
+<em class="filename">Win98</em> shows:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l Win98</b></tt>
+total 148
+drwxr-xr-x    3 jay      jay          4096 Nov 23 01:30 Application Data
+drwxr-xr-x    2 jay      jay          4096 Nov 23 01:30 Cookies
+drwxr-xr-x    3 jay      jay          4096 Dec  7 03:47 Desktop
+drwxr-xr-x    3 jay      jay          4096 Nov 23 01:30 History
+drwxr-xr-x    2 jay      jay          4096 Nov 23 01:30 NetHood
+drwxr-xr-x    2 jay      jay          4096 Dec  7 03:47 Recent
+drwxr-xr-x    3 jay      jay          4096 Nov 23 01:30 Start Menu
+-rw-r--r--    1 jay      jay        114720 Dec  7 03:46 USER.DAT</pre></blockquote>
+
+<p>The contents of the <em class="filename">Win95</em> and
+<em class="filename">WinMe</em> directories appear similar and contain
+roaming profiles that work exactly as they should on their respective
+operating systems.</p>
+
+<p>Notice in the previous listing that <em class="filename">aztec</em> and
+<em class="filename">zuni</em> are symbolic links to
+<em class="filename">/home/jay</em>. We've cautioned you
+never to configure a roaming profile directory to be a
+user's home directory, but this is to handle
+something different. The clients <tt class="literal">aztec</tt> and
+<tt class="literal">zuni</tt> are Windows XP systems, which handle
+<tt class="literal">logon</tt> <tt class="literal">home</tt> differently than
+other versions of Windows. We have set <tt class="literal">logon</tt>
+<tt class="literal">home</tt> <tt class="literal">=</tt>
+<tt class="literal">\\%L\%u\</tt>.<tt class="literal">win</tt>
+<tt class="literal">profile</tt>, and all versions of Windows except for
+Windows XP strip off everything after <tt class="literal">\\%L\%u</tt> and
+correctly locate the home directory&mdash;in this case,
+<em class="filename">/home/jay</em>. Windows XP uses the full UNC, so we
+simply add a symbolic link to redirect it to the correct directory to
+get the <em class="emphasis">net use H: /home</em> command to work as it
+should. The roaming profiles for Windows XP systems are not affected
+by this and are kept with the other roaming profiles in the Windows
+NT/2000/XP family, as shown in this listing:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/samba-ntprof/jay</b></tt>
+total 16
+lrwxrwxrwx    1 jay      jay             5 Nov 20 03:45 apache -&gt; Win2K
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:35 aztec -&gt; WinXP
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:34 dine -&gt; WinNT
+lrwxrwxrwx    1 jay      jay             5 Nov 24 03:44 inca -&gt; Win2K
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:34 pima -&gt; Win2K
+drwx------   13 jay      jay          4096 Dec  3 15:24 qero
+drwx------   13 jay      jay          4096 Dec  1 20:31 Win2K
+drwx------   12 jay      jay          4096 Nov 30 17:04 WinNT
+drwx------   13 jay      jay          4096 Nov 20 01:23 WinXP
+lrwxrwxrwx    1 jay      jay             5 Nov 20 06:09 yavapai -&gt; WinXP
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:34 zapotec -&gt; Win2K
+lrwxrwxrwx    1 jay      jay             5 Nov 13 12:35 zuni -&gt; WinXP</pre></blockquote>
+
+<p>As you can see, we are using a similar method for the Windows
+NT/2000/XP roaming profiles. In the listing,
+<em class="filename">qero</em> is not a symbolic link, but rather a
+directory that holds the roaming profile for <tt class="literal">qero</tt>,
+a Windows 2000 client that has recently been added. We had not
+created a symbolic link called <em class="filename">qero</em> before
+installing Windows 2000, so when jay logged off for the first time,
+Samba created a directory named <em class="filename">qero</em> and copied
+the roaming profile received from the client to the new directory.
+Because this is a separate directory from <em class="filename">Win2K</em>,
+which all other Windows 2000 clients are using to share their roaming
+profiles, the roaming profile for <tt class="literal">qero</tt> works like
+a local profile, except that it is stored on the primary domain
+controller.</p>
+
+<p>This might seem like an odd thing to do, but it has some purpose.
+Sometimes you might wish to isolate a client in this manner,
+especially while the operating system is being installed and
+initially configured. Remember, if that client, with its default
+local profile, is logged off the domain, the local profile will be
+written to the roaming profile directory. If the client were using
+the shared roaming profile directory, the effect could be
+undesirable, to say the least. Using our method, the
+<em class="filename">qero</em> directory can later be renamed to make it
+into an archival backup, or it can just be deleted. Then a new
+symlink named <em class="filename">qero</em> can be created to point to
+the <em class="filename">Win2K</em> directory, and <tt class="literal">qero</tt>
+will share the roaming profile in <em class="filename">Win2K</em> with the
+other Windows 2000 clients.</p>
+
+<p>An alternative method is simply to create the
+<a name="INDEX-134"/>symbolic
+links before the clients are added to the network. After you become
+more comfortable with the way roaming profiles work, you might find
+this method to be simpler and quicker.</p>
+
+<p>Again, we urge you to be careful about letting different versions of
+Windows share the same roaming profile. The method of configuring
+roaming profiles we've shown you here allows you to
+test a configuration for a few clients at a time without affecting
+your whole network of clients. For example, we could install a small
+number of Windows 2000 and Windows XP systems in the domain for
+testing purposes and then create symlinks for them that point to a
+directory called <em class="filename">Win2KXP</em> to find out if sharing
+roaming profiles between our Windows 2000 and Windows XP systems
+meets our expectations. The <em class="filename">Win2KXP</em> directory
+could be created as an empty directory, in which case it would have a
+roaming profile written to it by the first of the clients to log off.
+Or, <em class="filename">Win2KXP</em> could simply be a renamed roaming
+profile directory that was created by one of the clients when it was
+added to the domain. <a name="INDEX-135"/><a name="INDEX-136"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.3"/>
+
+<h3 class="head2">Configuring Windows 95/98/Me for Roaming Profiles</h3>
+
+<p><a name="INDEX-137"/><a name="INDEX-138"/>For roaming profiles to work on
+Windows 95/98/Me clients, all you need to do is change one setting to
+allow each user to have a separate local profile. This has the side
+effect of enabling roaming profiles as well.</p>
+
+<p>Open the Control Panel and double-click the Passwords icon to open
+the Passwords Properties dialog box. Click the User Profiles tab, and
+the dialog box will appear as shown in <a href="ch04.html#samba2-CHP-4-FIG-12">Figure 4-12</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-12"/><img src="figs/sam2_0412.gif"/></div><h4 class="head4">Figure 4-12. The Windows 98 Passwords Properties dialog</h4>
+
+<p>Click the button labeled &quot;Users can customize their
+preferences and desktop settings.&quot; In the User
+profile settings box, you can check the options you prefer. When
+done, click the OK button and reboot as requested. During this first
+reboot, Windows will copy the local profile data to
+<em class="filename">C:\windows\profiles</em> but will not attempt to copy
+the roaming profile from the server. The next time the system is shut
+down, the local profile will be copied to the server, and when
+Windows reboots, it will copy the roaming profile from the server.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.4"/>
+
+<h3 class="head2">Configuring Windows NT/2000/XP for Roaming Profiles</h3>
+
+<p><a name="INDEX-139"/><a name="INDEX-140"/><a name="INDEX-141"/><a name="INDEX-142"/>Roaming profiles are enabled by
+default on Windows NT/2000/XP. In case you would like to check or
+modify your settings, follow these directions.</p>
+
+<p>Make sure you are logged in to the local system as Administrator or
+another user in the Administrators group. Open the Control Panel and
+double-click the System icon. On Windows NT/2000, click the User
+Profiles tab, or on Windows XP, click the Advanced tab and then the
+Settings button in the User Profiles box. You should see the dialog
+box in <a href="ch04.html#samba2-CHP-4-FIG-13">Figure 4-13</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-13"/><img src="figs/sam2_0413.gif"/></div><h4 class="head4">Figure 4-13. The Windows 2000 System Properties, User Profiles tab</h4>
+
+<p>Notice in the figure that there are two entries for the username
+<tt class="literal">jay</tt>. The entry ZAPOTEC\jay refers to the account
+on the local system, and METRAN\jay refers to the domain account.
+Recall that when a user logs on, a drop-down menu in the dialog box
+allows him to log on to a domain or log in to the local system. When
+<tt class="literal">jay</tt> logs in to the local machine, only the local
+profile is used. When logged on to the domain, the configuration
+shown will use the roaming profile. To switch a
+user's profile type for a domain logon account,
+click the account name to select it, then click the Change Type...
+button near the bottom of the dialog box. The Change Profile Type
+dialog box will appear. Click the radio button for either roaming or
+local profile, and then click the OK buttons for each dialog box.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.5"/>
+
+<h3 class="head2">Mandatory Profiles</h3>
+
+<p><a name="INDEX-143"/>With a simple
+modification, a <a name="INDEX-144"/>roaming profile can be made into a
+<a name="INDEX-145"/>mandatory
+profile, which has the quality of being unmodifiable by its owner.
+Mandatory profiles are used in some computing environments to
+simplify administration. The theory is that if users cannot modify
+their profiles, less can go wrong, and it is also possible to use the
+same standardized profile for all users.</p>
+
+<p>In practice, some issues come up. Because the users can still modify
+the configuration settings in their local profile during their logon
+session, confusion can result the next time they log on to the domain
+and discover their changes have been
+&quot;lost.&quot; If the user of a client
+reinstalls an application in a different place, the shortcuts to the
+program on the desktop, in the Start menu, or in a Quick Launch bar
+cannot be permanently deleted. They will reappear every time the user
+logs back on to the domain. Essentially, a mandatory profile is a
+roaming profile that always fails to update to the server upon
+logging off!</p>
+
+<p>Another complication is that different versions of Windows behave
+differently with mandatory profiles. If a user who has a mandatory
+profile creates a new file on her desktop, the file might be missing
+the next time the user logs off and on again or reboots. Some Windows
+versions preserve desktop files in the local profile (even if the
+file does not exist in the mandatory profile), whereas others do not.</p>
+
+<p>To change a <a name="INDEX-146"/><a name="INDEX-147"/>roaming profile to a mandatory
+profile, all you have to do is rename the
+<em class="filename">.dat</em><a name="INDEX-148"/><a name="INDEX-149"/> file in the roaming profile directory
+on the server to have a <em class="filename">.man</em> extension instead.
+For a Windows 95/98/Me roaming profile, you would rename
+<em class="filename">USER.DAT</em> to <em class="filename">USER.MAN</em>, and
+for a Windows NT/2000/XP roaming profile, you would rename
+<em class="filename">NTUSER.DAT</em> to <em class="filename">NTUSER.MAN</em>.
+Also, you might want to make the roaming-profile directory and its
+contents read-only, to make sure that a user can't
+change it by logging into his Unix user account on the Samba host
+system.</p>
+
+<p>If you want to have all your users share a mandatory profile, you can
+change the definitions of <tt class="literal">logon</tt>
+<tt class="literal">path</tt> and <tt class="literal">logon</tt>
+<tt class="literal">home</tt> in your <em class="filename">smb.conf</em> file to
+point to a shared mandatory profile on the server and adjust your
+directory structure and symbolic links accordingly. For example,
+<tt class="literal">logon</tt> <tt class="literal">path</tt> and
+<tt class="literal">logon</tt> <tt class="literal">home</tt> might be defined
+like this:</p>
+
+<blockquote><pre class="code">logon path = \\%L\profiles\%m
+logon home = \\%L\%u\.win_profile\%m</pre></blockquote>
+
+<p>Notice that we've removed the <tt class="literal">%u</tt>
+part of the path for <tt class="literal">logon</tt>
+<tt class="literal">path</tt>, and we would also change the directory
+structure on the server to do away with the separation of the
+profiles by username and have just one profile for each Windows
+NT/2000/XP version.</p>
+
+<p>We cannot use the same treatment for <tt class="literal">logon</tt>
+<tt class="literal">home</tt> because it is also used to specify the home
+directory. In this case, we would change the symbolic links in each
+user's <em class="filename">.win_profile</em> directory
+to point to a common mandatory profile directory containing the
+mandatory profiles for each of Windows 95/98/Me. Again, check the
+ownership and permissions on the files in the directory, and modify
+them if necessary to make sure a user can't modify
+any files by logging into her Unix account on the Samba host system.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-5.6"/>
+
+<h3 class="head2">Logon Script and Roaming-Profile Options</h3>
+
+<p><a href="ch04.html#samba2-CHP-4-TABLE-1">Table 4-1</a> summarizes the options commonly used in
+association with Windows NT domain <a name="INDEX-150"/><a name="INDEX-151"/>logon
+scripts and roaming profiles.</p>
+
+<a name="samba2-CHP-4-TABLE-1"/><h4 class="head4">Table 4-1. Logon-script options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">logon</tt> <tt class="literal">script</tt></p>
+</td>
+<td>
+<p>string (MS-DOS path)</p>
+</td>
+<td>
+<p>Name of logon script batch file</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">logon</tt> <tt class="literal">path</tt></p>
+</td>
+<td>
+<p>string (UNC server and share name)</p>
+</td>
+<td>
+<p>Location of roaming profile</p>
+</td>
+<td>
+<p><tt class="literal">\\%N\%U\profile</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">logon</tt> <tt class="literal">drive</tt></p>
+</td>
+<td>
+<p>string (drive letter)</p>
+</td>
+<td>
+<p>Specifies the logon drive for a home directory</p>
+</td>
+<td>
+<p><tt class="literal">Z</tt>:</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">logon</tt> <tt class="literal">home</tt></p>
+</td>
+<td>
+<p>string (UNC server and share name)</p>
+</td>
+<td>
+<p>Specifies a location for home directories for clients logging on to
+the domain</p>
+</td>
+<td>
+<p><tt class="literal">\\%N\%U</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.1"/>
+
+<a name="INDEX-152"/><h3 class="head3">logon script</h3>
+
+<p>This option specifies a Windows batch file that will be executed on
+the client after a user has logged on to the domain. Each logon
+script should be stored in the root directory of the
+<tt class="literal">[netlogon]</tt> share or a subdirectory. This option
+frequently uses the <tt class="literal">%U</tt> or <tt class="literal">%m</tt>
+variables (user or NetBIOS name) to point to an individual script.
+For example:</p>
+
+<blockquote><pre class="code">[global]
+    logon script = %U.bat</pre></blockquote>
+
+<p>will execute a script based on the username. If the user who is
+connecting is <tt class="literal">fred</tt> and the path of the
+<tt class="literal">[netlogon]</tt> share maps to the directory
+<em class="filename">/export/samba/netlogon</em>, the script should be
+<em class="filename">/export/samba/netlogon/fred.bat</em>. Because these
+scripts are downloaded to the client and executed on the Windows
+side, they must have MS-DOS-style newline characters rather than Unix
+newlines.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.2"/>
+
+<a name="INDEX-153"/><h3 class="head3">logon path</h3>
+
+<p>This option specifies the location where roaming profiles are kept.
+When the user logs on, a roaming profile will be downloaded from the
+server to the client and used as the local profile during the logon
+session. When the user logs off, the contents of the local profile
+will be uploaded back to the server until the next time the user
+connects.</p>
+
+<p>It is often more secure to create a separate share exclusively for
+storing user profiles:</p>
+
+<blockquote><pre class="code">[global]
+    logon path = \\hydra\profile\%U</pre></blockquote>
+
+<p>For more information on this option, see <a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a> earlier in this chapter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.3"/>
+
+<a name="INDEX-154"/><h3 class="head3">logon drive</h3>
+
+<p>This option specifies the drive letter on a Windows NT/2000/XP client
+to which the home directory specified with the
+<tt class="literal">logon</tt> <tt class="literal">home</tt> option will be
+mapped. Note that this option will work with Windows NT/2000/XP
+clients only. For example:</p>
+
+<blockquote><pre class="code">[global]
+    logon drive = I:</pre></blockquote>
+
+<p>You should always use drive letters that will not conflict with fixed
+drives on the client machine. The default is Z:, which is a good
+choice because it is as far away from A:, C:, and D: as possible.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.4"/>
+
+<a name="INDEX-155"/><h3 class="head3">logon home</h3>
+
+<p>This option specifies the location of a user's home
+directory for use by the MS-DOS <em class="emphasis">net</em> commands.
+For example, to specify a home directory as a share on a Samba
+server, use the following:</p>
+
+<blockquote><pre class="code">[global]
+    logon home = \\hydra\%U</pre></blockquote>
+
+<p>Note that this works nicely with the <tt class="literal">[homes]</tt>
+service, although you can specify any directory you wish. Home
+directories can be mapped with a logon script using the following
+command:</p>
+
+<a name="INDEX-156"/><blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net use i: /home  </b></tt></pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-6"/>
+
+<h2 class="head1">System Policies</h2>
+
+<p>A <a name="INDEX-157"/>system policy can be used in a Windows
+NT domain as a remote administration tool for implementing a similar
+computing environment on all clients and limiting the abilities of
+users to change configuration settings on their systems or allowing
+them to run only a limited set of programs. One application of system
+policies is to use them along with mandatory profiles to implement a
+collection of computers for public use, such as in a library, school,
+or Internet cafe.</p>
+
+<p>A system policy is a collection of registry settings that is stored
+in a file on the PDC and is automatically downloaded to the clients
+when users log on to the domain. The file containing the settings is
+created on a Windows system using the <a name="INDEX-158"/>System Policy Editor. Because the format
+of the registry is different between Windows 95/98/Me and Windows
+NT/2000/XP, it is necessary to make sure that the file that is
+created is in the proper format. This is a very simple matter because
+when the System Policy Editor runs on Windows 95/98/Me, it will
+create a file in the format for Windows 95/98/Me, and if it is run on
+Windows NT/2000/XP, it will use the format needed by those versions.
+After the policy file is created with the System Policy Editor, it is
+stored on the primary domain controller and is automatically
+downloaded by the clients during the logon process, and the policies
+are applied to the client system.</p>
+
+<p>On Windows NT 4.0 Server, you can run the System Policy Editor by
+logging in to the system as Administrator or another user in the
+Administrators group, opening the Start menu, and selecting Programs,
+then Administrative Tools, then System Policy Editor. On Windows 2000
+Advanced Server, open the Start menu and click Run . . . . In the
+dialog box that comes up, type in
+<tt class="literal">C:\winnt\poledit.exe</tt>, and click the OK button.</p>
+
+<p>If you are using a Windows version other than NT Server or Windows
+2000 Advanced Server, you must install the System Policy Editor, and
+getting a copy of it can be a little tricky. If you are running
+Windows NT 4.0 Workstation or Windows 2000 Professional and have a
+Windows NT 4.0 Server installation CD-ROM, you can run the file
+<em class="filename">\Clients\Svrtools\Winnt\Setup.bat</em> from that CD
+to install the Client-based Network Administration Tools, which
+includes <em class="emphasis">poledit.exe</em>. Then open the Start menu,
+click Run..., type <tt class="literal">C:\winnt\system32\poledit.exe</tt>
+into the text area, and click the OK button.</p>
+
+<p>If you are using Windows 95/98, insert a Windows 95 or Windows 98
+distribution CD-ROM<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> into your CD-ROM drive,
+then open the Control Panel and double-click the Add/Remove Programs
+button.</p>
+
+<p>Click the Windows Setup tab, and then click the Have Disk...
+button. In the new dialog box that appears, click the Browse...
+button, then select the CD-ROM drive from the Drives drop-down menu.
+Then:</p>
+
+<ul><li>
+<p>If you are using a Windows 95 installation CD-ROM, double-click the
+admin, then apptools, then poledit folder icons.</p>
+</li><li>
+<p>If you are using a Windows 98 installation CD-ROM, double-click the
+tools, then reskit, then netadmin, then poledit folder icons.</p>
+</li></ul>
+<p>You should see &quot;<a name="INDEX-159"/>grouppol.inf&quot; appear in
+the File name: text area on the left of the dialog box. Click the OK
+buttons in two dialog boxes, and you will be presented with a dialog
+box in which you should select both the Group Policies and System
+Policy Editor checkboxes. Then click the Install button. Close the
+remaining dialog box, and you can now run the System Policy Editor by
+opening the Start menu and selecting Programs, then Accessories, then
+System Tools, then System Policy Editor. Or click the Run... item in
+the Start Menu, and enter <tt class="literal">C:\Windows\Poledit</tt>.</p>
+
+<p>When the System Policy Editor starts up, select New Policy from the
+File menu, and you will see a window similar to that in <a href="ch04.html#samba2-CHP-4-FIG-14">Figure 4-14</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-14"/><img src="figs/sam2_0414.gif"/></div><h4 class="head4">Figure 4-14. The System Policy Editor window</h4>
+
+<p>The next step is to make a selection from the File menu to add
+policies for users, groups, and computers. For each item you add, you
+will be asked for the username, or name of the group or computer, and
+a new icon will appear in the window. Double-clicking one of the
+icons will bring up the Properties dialog box, such as the one shown
+in <a href="ch04.html#samba2-CHP-4-FIG-15">Figure 4-15</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-15"/><img src="figs/sam2_0415.gif"/></div><h4 class="head4">Figure 4-15. The Properties dialog of System Policy Editor</h4>
+
+<p>The upper window in the dialog shows the registry settings that can
+be modified as part of the system policy, and the lower window shows
+descriptive information or more settings pertaining to the one
+selected in the upper window. Notice in the figure that there are
+three checkboxes and that they are all in different states:</p>
+
+<dl>
+<dt><b>Checked</b></dt>
+<dd>
+<p>Meaning that the registry setting is enabled in the policy</p>
+</dd>
+
+
+
+<dt><b>White (unchecked)</b></dt>
+<dd>
+<p>Which clears the registry setting</p>
+</dd>
+
+
+
+<dt><b>Gray</b></dt>
+<dd>
+<p>Which causes the registry setting on the client to be unmodified</p>
+</dd>
+
+</dl>
+
+<p>Basically, if all the items are left gray (the default), the system
+policy will have no effect. The registry of the logged-on client will
+not be modified. However, if any of the items are either checked or
+unchecked (white), the registry on the client will be modified to
+enable the setting or clear it.</p>
+<a name="samba2-CHP-4-NOTE-117"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>In this section, we are giving you enough information on using the
+System Policy Editor to get you started&mdash;or, should we say,
+enough rope with which to hang yourself. Remember that a system
+policy, once put into action, will be modifying the registries of all
+clients who log on to the domain. The usual warnings about editing a
+Windows registry apply here with even greater importance. Consider
+how difficult (or even impossible) it will be for you to restore the
+registries on all those clients if anything happens to go wrong.
+<em class="emphasis">As with roaming profiles, casual or careless implementation
+of system policies can easily lead to domain-wide
+disaster</em>.</p>
+
+<p>Creating a good system policy file is a complex topic, which we
+cannot cover in detail here. It would take a whole book, and yes,
+there happens to be an O'Reilly book on the subject,
+<em class="citetitle">Windows System Policy Editor</em>. Another
+definitive source of documentation on Windows NT system policies and
+the System Policy Editor is the Microsoft white paper
+<em class="citetitle">Implementing Policies and Profiles for Windows NT
+4.0</em>, which can be found at <a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
+</blockquote>
+
+<p>Once you have created a policy, click the OK button and use the Save
+As... item from the File menu to save it. Use the filename
+<em class="filename">config.pol</em><a name="INDEX-160"/> for a Windows 95/98 system policy and
+<em class="filename">ntconfig.pol</em><a name="INDEX-161"/> for a policy that will be used on Windows
+NT/2000/XP clients. Finally, copy the <em class="filename">.pol</em> file
+to the directory used for the <tt class="literal">[netlogon]</tt> share on
+the Samba PDC. The <em class="filename">config.pol</em> and
+<em class="filename">ntconfig.pol</em> files must go in this
+directory&mdash;unlike roaming profiles and logon scripts, there is
+no way to specify the location of the system policy files in
+<em class="filename">smb.conf</em>. If you want to have different system
+policies for different users or computers, you must perform that part
+of the configuration within the System Policy Editor.</p>
+
+<a name="samba2-CHP-4-NOTE-118"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you have, or will have, any <a name="INDEX-162"/><a name="INDEX-163"/>Windows Me clients on your network,
+be careful. Microsoft has stated that Windows Me does not support
+system policies. The odd thing about this is that it will download
+the policy from a <em class="filename">config.pol</em> file on the PDC,
+but there is no guarantee that the results will be what was intended.
+Check the effect of your system policy carefully on your Windows Me
+clients to make sure it is working how you want.</p>
+</blockquote>
+
+<p>When a user logs on to the domain, her Windows client will download
+the <em class="filename">.pol</em> file from the server, and the settings
+in it (that is, the items either checked or cleared in the System
+Policy Editor) will override the client's settings.</p>
+
+<p>If things &quot;should work&quot; but
+don't, try shutting down the Windows client and
+restarting, rather than just logging off and on again. Windows
+sometimes will hold the <tt class="literal">[netlogon]</tt> share open
+across logon sessions, and this can prevent the client from getting
+the updated <em class="filename">.pol</em> file from the server.
+<a name="INDEX-164"/>
+<a name="INDEX-165"/></p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-7"/>
+
+<h2 class="head1">Samba as a Domain Member Server</h2>
+
+<p><a name="INDEX-166"/>Up to now,
+we've focused on configuring and using Samba as the
+primary domain controller. If you already have a domain controller on
+your network, either a Windows NT/2000 Server system or a Samba PDC,
+you can add a Samba server to the domain as a domain member server.
+This involves setting up the Samba server to have a computer account
+with the primary domain controller, in a similar way that Windows
+NT/2000/XP clients can have computer accounts on a Samba PDC. When a
+client accesses shares on the Samba domain member server, Samba will
+pass off the authentication to the domain controller rather than
+performing the task on the local system. If the PDC is a Windows
+server, any number of Windows BDCs might exist that can handle the
+authentication instead of the PDC.</p>
+
+<p>The first step is to add the Samba server to the domain by creating a
+computer account for it on the primary domain controller. You can do
+this using the <em class="emphasis">smbpasswd</em> command, as follows:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j <em class="replaceable">DOMAIN</em> -r <em class="replaceable">PDCNAME</em> -U<em class="replaceable">admin_acct</em>%<em class="replaceable">password</em></b></tt></pre></blockquote>
+
+<p>In this command, <em class="replaceable">DOMAIN</em> is replaced by the
+name of the domain the Samba host is joining,
+<em class="replaceable">PDCNAME</em> is replaced by the computer name
+of the primary domain controller,
+<em class="replaceable">admin_acct</em> is replaced by the username of
+an administrative account on the domain controller (either
+Administrator&mdash;or another user in the Administrators
+group&mdash;on Windows NT/2000, and root on Samba), and
+<em class="replaceable">password</em> is replaced with the password of
+that user. To give a more concrete example, on our domain that has a
+Windows NT 4 Server primary domain controller or a Windows 2000
+Active Directory domain controller named <tt class="literal">SINAGUA</tt>,
+the command would be:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r SINAGUA -UAdministrator%hup8ter</b></tt></pre></blockquote>
+
+<p>and if the PDC is a Samba system, we would use the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r toltec -Uroot%jwun83jb</b></tt></pre></blockquote>
+
+<p>where <tt class="literal">jwun83jb</tt> is the password for the root user
+that is contained in the<em class="filename"> smbpasswd</em> file, as we
+explained earlier in this chapter.</p>
+
+<p>If you did it right, <em class="emphasis">smbpasswd</em> will respond with
+a message saying the domain has been joined. The security
+identifier<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a> returned to Samba from the PDC is kept in
+the file <em class="filename">/usr/local/samba/private/secrets.tdb</em>.
+The information in
+<em class="filename">secrets.tdb</em><a name="INDEX-167"/> is security-sensitive, so make sure to
+protect <em class="filename">secrets.tdb</em> in the same way you would
+treat Samba's password file.</p>
+
+<p>The next step is to modify the
+<em class="filename">smb.conf</em><a name="INDEX-168"/> file. Assuming you are starting with a
+valid <em class="filename">smb.conf</em> file that correctly configures
+Samba to function in a workgroup, such as the one we used in <a href="ch02.html">Chapter 2</a>, it is simply a matter of adding the following
+three lines to the <tt class="literal">[global]</tt> section:</p>
+
+<blockquote><pre class="code">workgroup = METRAN
+security = domain
+password server = *</pre></blockquote>
+
+<p>The first line establishes the name of the domain (even though it
+says &quot;workgroup&quot;). Instead of
+METRAN, use the name of the domain you are joining. Setting security
+to &quot;domain&quot; causes Samba to hand
+off authentication to a domain controller, and the
+<tt class="literal">password</tt> <tt class="literal">server</tt>
+<tt class="literal">=</tt> <tt class="literal">*</tt> line tells Samba to find
+the domain controller for authentication (which could be the primary
+domain controller or a backup domain controller) by querying the WINS
+server or using broadcast packets if a WINS server is not available.</p>
+
+<p>At this point, it would be prudent to run
+<em class="emphasis">testparm</em> to check that your
+<em class="filename">smb.conf</em> is free of errors. Then restart the
+Samba daemons.</p>
+
+<p>If the PDC is a Windows NT system, you can use Server Manager to
+check that the Samba server has been added successfully. Open the
+Start menu, then select Programs, then Administrative Tools (Common),
+and then Server Manager. Server Manager starts up with a window that
+looks like <a href="ch04.html#samba2-CHP-4-FIG-16">Figure 4-16</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-16"/><img src="figs/sam2_0416.gif"/></div><h4 class="head4">Figure 4-16. The Windows NT Server Manager window</h4>
+
+<p>As you can see, we've added both
+<tt class="literal">toltec</tt> and <tt class="literal">mixtec</tt> to a domain
+for which the Windows NT 4.0 Server system,
+<tt class="literal">sinagua</tt>, is the primary domain controller.</p>
+
+<p>You can check your setup on Windows 2000 Advanced Server by opening
+the Start menu and selecting Programs, then Administrative Tools,
+then Active Directory Users and Computers. The window that opens up
+will look like <a href="ch04.html#samba2-CHP-4-FIG-17">Figure 4-17</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-4-FIG-17"/><img src="figs/sam2_0417.gif"/></div><h4 class="head4">Figure 4-17. The Windows 2000 Active Directory Users and Computers window</h4>
+
+<p>Click Computers in the left side of the window with the Tree tab. You
+should see your Samba system listed in the right pane of the window.
+<a name="INDEX-169"/></p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-4-SECT-8"/>
+
+<h2 class="head1">Windows NT Domain Options</h2>
+
+<p><a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a> shows the options that are commonly used
+in association with Samba on a Windows NT domain.</p>
+
+<a name="samba2-CHP-4-TABLE-2"/><h4 class="head4">Table 4-2. Windows NT domain options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">domain logons</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>Indicates whether Windows domain logons are to be used</p>
+</td>
+<td>
+<p><tt class="literal">No</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">domain master</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>For telling Samba to take the role of domain master browser</p>
+</td>
+<td>
+<p>Auto</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">add user script</tt></p>
+</td>
+<td>
+<p>string (command)</p>
+</td>
+<td>
+<p>Script to run to add a user or computer account</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">delete user</tt> <tt class="literal">script</tt></p>
+</td>
+<td>
+<p>string (command)</p>
+</td>
+<td>
+<p>Script to run to delete a user or computer account</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">domain admin group</tt></p>
+</td>
+<td>
+<p>string (list of users)</p>
+</td>
+<td>
+<p>Users that are in the Domain Admins group</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">domain guest group</tt></p>
+</td>
+<td>
+<p>string (list of users)</p>
+</td>
+<td>
+<p>Users that are in the Domain Guests group</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">password server</tt></p>
+</td>
+<td>
+<p>string (list of computers)</p>
+</td>
+<td>
+<p>List of domain controllers used for authentication when Samba is
+running as a domain member server</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">machine password timeout</tt></p>
+</td>
+<td>
+<p>numeric (seconds)</p>
+</td>
+<td>
+<p>Sets the renewal interval for NT domain machine passwords</p>
+</td>
+<td>
+<p><tt class="literal">604,800</tt> (1 week )</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+<p>Here are detailed explanations of each <a name="INDEX-170"/>Windows NT domain option listed
+in <a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-4-SECT-8.1"/>
+
+<a name="INDEX-171"/><h3 class="head2">domain logons</h3>
+
+<p>This option configures Samba to accept domain logons as a primary
+domain controller. When a client successfully logs on to the domain,
+Samba will return a special token to the client that allows the
+client to access domain shares without consulting the PDC again for
+authentication. Note that the Samba machine must employ user-level
+security (<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">user</tt>) and must be the PDC for this option to
+function. In addition, Windows machines will expect a
+<tt class="literal">[netlogon]</tt> share to exist on the Samba server.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.1"/>
+
+<a name="INDEX-172"/><h3 class="head3">domain master</h3>
+
+<p>In a Windows network, a local master browser handles browsing within
+a subnet. A Windows domain can be made up of a number of subnets,
+each of which has its own local master browser. The primary domain
+controller serves the function of domain master browser, collecting
+the browse lists from the local master browser of each subnet. Each
+local master browser queries the domain master browser and adds the
+information about other subnets to their own browse lists. When Samba
+is configured as a primary domain controller, it automatically sets
+<tt class="literal">domain</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt>, making itself the domain
+master browser.</p>
+
+<p>Because Windows NT PDCs always claim the role of domain master
+browser, Samba should never be allowed to be domain master if there
+is a Windows PDC in the domain.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.2"/>
+
+<a name="INDEX-173"/><h3 class="head3">add user script</h3>
+
+<p>There are two ways in which <tt class="literal">add</tt>
+<tt class="literal">user</tt> <tt class="literal">script</tt> can be used. When
+the Samba server is set up as a primary domain controller, it can be
+assigned to a command that will run on the Samba server to add a
+Windows NT/2000/XP computer account to Samba's
+password database. When the user on the Windows system changes the
+computer's settings to join a domain, he is asked
+for the username and password of a user who has administrative rights
+on the domain controller. Samba authenticates this user and then runs
+the <tt class="literal">add</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt> with root permissions.</p>
+
+<p>When Samba is configured as a domain member server, the
+<tt class="literal">add</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt> can be assigned to a command to add a user
+to the system. This allows Windows clients to add users that can
+access shares on the Samba system without requiring an administrator
+to create the account manually on the Samba host.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.3"/>
+
+<a name="INDEX-174"/><h3 class="head3">delete user script</h3>
+
+<p>There are times when users are automatically deleted from the domain,
+and the <tt class="literal">delete</tt> <tt class="literal">user</tt>
+<tt class="literal">script</tt> can be assigned to a command that removes a
+user from the Samba host as a Windows server would do. However, you
+might not want this to happen, because the Unix user might need the
+account for reasons other than use with Samba. Therefore, we
+recommend that you be very careful about using this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.4"/>
+
+<a name="INDEX-175"/><h3 class="head3">domain admin group</h3>
+
+<p>In a domain of Windows systems, it is possible for a server to get a
+list of the members of the Domain Admins group from a domain
+controller. Samba 2.2 does not have the ability to handle this, and
+the <tt class="literal">domain</tt> <tt class="literal">admin</tt>
+<tt class="literal">group</tt> parameter exists as a manual means of
+informing Samba who is in the group. The list should contain root
+(necessary for adding computer accounts) and any users on Windows
+NT/2000/XP clients in the domain who are in the Domain Admins group.
+These users must be recognized by the primary controller in order for
+them to perform some administrative duties such as adding users to
+the domain.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.5"/>
+
+<a name="INDEX-176"/><h3 class="head3">password server</h3>
+
+<p>In a Windows domain in which the domain controllers are a Windows
+primary domain controller, along with any number of Windows backup
+domain controllers, clients and domain member servers authenticate
+users by querying either the PDC or any of the BDCs. When Samba is
+configured as a domain member server, the <tt class="literal">password</tt>
+<tt class="literal">server</tt> parameter allows some control over how
+Samba finds a domain controller. Earlier versions of Samba could not
+use the same method that Windows systems use, and it was necessary to
+specify a list of systems to try. When you set
+<tt class="literal">password</tt> <tt class="literal">server</tt>
+<tt class="literal">=</tt> <tt class="literal">*</tt>, Samba 2.2 is able to find
+the domain controller in the same manner that Windows does, which
+helps to spread the requests over several backup domain controllers,
+minimizing the possibility of them becoming overloaded with
+authentication requests. We recommend that you use this method.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.6"/>
+
+<a name="INDEX-177"/><h3 class="head3">machine password timeout</h3>
+
+<p>The <tt class="literal">machine</tt> <tt class="literal">password</tt>
+<tt class="literal">timeout</tt> global option sets a retention period for
+Windows NT domain machine passwords. The default is currently set to
+the same time period that Windows NT 4.0 uses: 604,800 seconds (one
+week). Samba will periodically attempt to change the
+<em class="firstterm">machine account password</em>, which is a password
+used specifically by another server to report changes to it. This
+option specifies the number of seconds that Samba should wait before
+attempting to change that password. The timeout period can be changed
+to a single day by specifying the following:</p>
+
+<blockquote><pre class="code">[global]
+    machine password timeout = 86400</pre></blockquote>
+
+<a name="samba2-CHP-4-NOTE-119"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you would like more information on how Windows NT uses domain
+usernames and groups, we recommend Eric <a name="INDEX-178"/>Pearce's
+<em class="citetitle">Windows NT in a Nutshell</em>, published by
+O'Reilly. <a name="INDEX-179"/></p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> When we include
+Windows XP in discussions of Windows NT domains in this book, we are
+referring to Windows XP Professional and not to the Home edition. The
+reason for this is explained in the section on Windows XP later in
+this chapter.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> The entry in
+<em class="filename">/etc/passwd</em> might not be required in future
+Samba versions.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> If you want to follow our example in this
+section, and your network doesn't have any Windows
+systems offering shares, see <a href="ch05.html">Chapter 5</a> for
+directions on how to create one. Make sure you understand how to set
+up shares before continuing with the directions presented
+here!</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> The version of the System Policy
+Editor distributed with Windows 98 is an update of the version
+shipped with Windows 95. Use the version from the Windows 98
+distribution if you can.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This security identifier (SID) is part of
+an access token that allows the PDC to identify and authenticate the
+client.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch05.html b/docs/htmldocs/using_samba/ch05.html
new file mode 100644
index 0000000000..07a65cd08a
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch05.html
@@ -0,0 +1,1779 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 5. Unix Clients</h1>
+
+<p><a name="INDEX-1"/>In <a href="ch03.html">Chapter 3</a> we showed you how to configure Windows systems
+to access shared resources on both Windows and Samba servers. This
+has probably opened up a whole new world of computing for
+you&mdash;one in which you have to run to a Windows system every time
+you want to copy a file between Unix and Windows! In this chapter, we
+will show you the &quot;other
+side&quot;&mdash;how to access SMB shares from your
+favorite Unix system.</p>
+
+<p>You can access SMB resources from Unix in three ways, depending on
+your version of Unix. A program included with the Samba distribution
+called <em class="emphasis">smbclient</em><a name="INDEX-2"/> can be used to connect with a share on
+the network in a manner similar to using <em class="emphasis">ftp</em>
+when transferring files to or from an FTP site.</p>
+
+<p>If your system is running Linux, you can use the
+<a name="INDEX-3"/>smbfs
+filesystem to mount SMB shares right onto your Linux filesystem, just
+as you would mount a disk partition or NFS filesystem. The SMB shares
+can then be accessed and manipulated by all programs running on the
+Linux system: command shells, desktop GUI interfaces, and application
+software.</p>
+
+<p>On some BSD-based systems, including Mac OS X, a pair of utilities
+named <em class="emphasis">smbutil</em> <a name="INDEX-4"/>and <em class="emphasis">mount_smbfs</em>
+<a name="INDEX-5"/>can be used to query SMB servers and
+mount shares.</p>
+
+<p>For other Unix variants,
+<em class="emphasis">smbsh</em><a name="INDEX-6"/> can be run to enable common shell
+commands such as <em class="emphasis">cd</em>, <em class="emphasis">ls</em>,
+<em class="emphasis">mv, wc</em>, and <em class="emphasis">grep</em> to access
+and manipulate files and directories on SMB shares. This effectively
+extends the reach of the Unix shell and utilities beyond the Unix
+filesystem and into the SMB network.</p>
+
+<p>All the Unix clients can access shares offered by either Windows
+systems or Samba servers. We have already shown you how to set up a
+share on a Samba server and could use that as an example to work
+with. But it's much more fun to use the Unix clients
+with shares served by Windows systems. So before we start covering
+the Unix clients in detail, we will take a quick detour and show you
+how to set up file shares on both Windows 95/98/Me and Windows
+NT/2000/XP systems.</p>
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-1"/>
+
+<h2 class="head1">Sharing Files on Windows 95/98/Me</h2>
+
+<p>When <a name="INDEX-7"/><a name="INDEX-8"/>sharing files on Windows 95/98/Me, you
+can authenticate users in two different ways.
+<a name="INDEX-9"/><a name="INDEX-10"/>Share-level security is the default
+and is easy to use. However, it is not as secure and can require
+users to type in passwords when connecting to shares. User-level
+security offers a better security model and can be used if you have
+either a Samba or Windows NT/2000 server on your network performing
+user authentication.</p>
+
+<p>To configure the type of access control for your system, open the
+Control Panel, double-click the Network icon, then click the Access
+Control tab. You should see the dialog box shown in <a href="ch05.html#samba2-CHP-5-FIG-1">Figure 5-1</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-1"/><img src="figs/sam2_0501.gif"/></div><h4 class="head4">Figure 5-1. The Access Control tab of the Windows 98 Network Control Panel window</h4>
+
+<p>Click the &quot;Share-level access
+control&quot; or &quot;User-level access
+control&quot; radio button, depending on which you want
+to use. When using user-level access control, you will also need to
+fill in the name of your workgroup or Windows NT domain. Reboot as
+requested.</p>
+
+<p>To share a folder, right-click the folder's icon and
+select Sharing . . . . This will open the Sharing tab of the
+folder's Properties dialog box. Click the
+&quot;Shared As:&quot; radio button, and fill
+in a name for the share (which defaults to the
+folder's name) and a description, which will be
+visible to client users. If you don't want the share
+to be visible in the Network Neighborhood view of other Windows
+clients, pick a name for the share that ends in a dollar sign
+(<tt class="literal">$</tt>).</p>
+
+<p><a href="ch05.html#samba2-CHP-5-FIG-2">Figure 5-2</a> shows what the Sharing tab of the
+folder's Properties dialog box will look like when
+using share-level security. The security settings are very simple.
+You can select a radio button for read-only access or full
+(read/write) access, or have the user's permissions
+(either read-only or read/write) depend on which password they use.
+In accordance with which you select, you will be asked to assign
+either or both of the read-only and full-access passwords for the
+share.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-2"/><img src="figs/sam2_0502.gif"/></div><h4 class="head4">Figure 5-2. The Sharing tab of the folder's Properties dialog, with share-level security</h4>
+
+<p>If your system is configured with user-level security, the Sharing
+tab of the folder's Properties dialog box will look
+like <a href="ch05.html#samba2-CHP-5-FIG-3">Figure 5-3</a>. As you can see,
+we've created a share named
+&quot;DATA&quot;, and used the Add . . .
+button to create permissions that allow read-only access for all
+domain users and read/write (full access) for <tt class="literal">jay</tt>.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-3"/><img src="figs/sam2_0503.gif"/></div><h4 class="head4">Figure 5-3. The Sharing tab of the folder Properties dialog, with user-level security</h4>
+
+<p>When you are done specifying your settings for the share, click on
+the OK button, and the share will become available to users on
+network clients. Unless you chose a share name ending in a dollar
+sign, you can see it in the Network Neighborhood or My Network Places
+of Windows clients on the network. You can also now use the Unix
+clients described in this chapter to connect to the share.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-2"/>
+
+<h2 class="head1">Sharing Files on Windows NT/2000/XP</h2>
+
+<p>To create a file share on <a name="INDEX-11"/><a name="INDEX-12"/><a name="INDEX-13"/><a name="INDEX-14"/>Windows NT/2000/XP, you first must
+log in to the system as any member of the Administrators, Power
+Users, or Server Operators groups. Right-click the icon of a folder
+you wish to share, and click Sharing . . . in the pop-up menu. The
+Sharing tab of the folder's Properties dialog box
+will appear, as shown in <a href="ch05.html#samba2-CHP-5-FIG-4">Figure 5-4</a>. Click the
+&quot;Share this folder&quot; radio button.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-4"/><img src="figs/sam2_0504.gif"/></div><h4 class="head4">Figure 5-4. The Sharing tab of the folder's Properties dialog on Windows 2000</h4>
+
+<p>Share name: will default to the name of the folder, and you can
+change it if you want. One reason you might want to use a different
+name for the share is to make the share not appear in browse lists
+(as displayed by the Network Neighborhood, for example). This can be
+done by using a share name ending in a dollar sign
+(<tt class="literal">$</tt>). You can also add a description of the share
+in the Comment: text area. The description will appear to users of
+network clients and can help them understand the contents of the
+share.</p>
+
+<p><a name="INDEX-15"/><a name="INDEX-16"/><a name="INDEX-17"/><a name="INDEX-18"/><a name="INDEX-19"/>By clicking the Permissions button,
+you can set permissions for the share on a user-by-user basis. This
+is equivalent to the user-level security of Windows 95/98/Me file
+sharing. On Windows NT/2000/XP, Microsoft recommends that share
+permissions be set to allow full access by everyone, with the
+permissions controlled on a file-by-file basis using filesystem
+access control lists
+(<a name="INDEX-20"/>ACLs). The actual permissions given
+to network clients are a combination of the share permissions and
+file access permissions. To edit the ACL for the folder, click the
+Security tab. For more information on ACLs, see <a href="ch08.html#samba2-CHP-8-SECT-3">Section 8.3</a> in <a href="ch08.html">Chapter 8</a>.</p>
+
+<p>If you want, you can limit the number of users who can concurrently
+connect to the share using the &quot;User
+limit:&quot; radio button. The New Share button allows
+you to create multiple file shares for the same folder, each having
+its own name, comment, user limit, and other parameters.</p>
+
+<p>When you are done, click the OK button, and the folder will be
+accessible from clients on the network.</p>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-3"/>
+
+<h2 class="head1">smbclient</h2>
+
+<p>The Samba Team supplies <em class="emphasis">smbclient</em><a name="INDEX-21"/> as a basic part of the Samba suite. At
+first, it might seem to be a primitive interface to the SMB network,
+but <em class="emphasis">smbclient</em> is actually a versatile tool. It
+can be used for browsing shares on servers, testing configurations,
+debugging, accessing shared printers, backing up shared data, and
+automating administrative tasks in shell scripts. And unlike
+<tt class="literal">smbfs</tt><a name="INDEX-22"/><a name="INDEX-23"/><a name="INDEX-24"/> and <em class="emphasis">smbsh</em>,
+<em class="emphasis">smbclient</em> works on all Unix variants that
+support Samba.</p>
+
+<p>In this chapter we'll focus mostly on running
+<em class="emphasis">smbclient</em> as an interactive shell, using its
+<em class="emphasis">ftp</em>-like commands to access shared directories
+on the network. Using <em class="emphasis">smbclient</em> to access
+printers and perform backups will be covered in <a href="ch10.html">Chapter 10</a>.</p>
+
+<p>A complete reference to <em class="emphasis">smbclient</em> is found in
+<a href="appc.html">Appendix C</a>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.1"/>
+
+<h3 class="head2">Listing Services</h3>
+
+<p><a name="INDEX-25"/>The <em class="emphasis">-L</em> option
+can be used with <em class="emphasis">smbclient</em> to list the resources
+on a single computer. Assuming the Samba server is configured to take
+the role of the master browser, we can obtain a list of the computers
+in the domain or workgroup like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L toltec</b></tt>
+added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
+Password:
+Domain=[METRAN] OS=[Unix] Server=[Samba 2.2.5]
+
+    Sharename      Type      Comment
+    ---------      ----      -------
+    test           Disk      For testing only, please
+    IPC$           IPC       IPC Service (Samba 2.2.5)
+    ADMIN$         Disk      IPC Service (Samba 2.2.5)
+
+    Server               Comment
+    ---------            -------
+    MAYA                 Windows 98
+    MIXTEC               Samba 2.2.5
+    TOLTEC               Samba 2.2.5
+    ZAPOTEC              
+
+    Workgroup            Master
+    ---------            -------
+    METRAN               TOLTEC</pre></blockquote>
+
+<p>In the column labeled &quot;Server&quot;,
+<tt class="literal">maya</tt>, <tt class="literal">mixtec</tt>, and
+<tt class="literal">zapotec</tt> are shown along with toltec, the Samba
+server. The services on <tt class="literal">toltec</tt> are listed under
+&quot;Sharename&quot;. The IPC$ and ADMIN$
+shares are standard Windows services that are used for network
+communication and administrative purposes, and
+<em class="filename">test</em> is the directory we added as a share in
+<a href="ch02.html">Chapter 2</a>.</p>
+
+<p>Now that we know the names of computers in the domain, we can list
+services on any of those computers. For example, here is how we would
+list the services offered by <tt class="literal">maya</tt>, a Windows 98
+workstation:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L maya</b></tt>
+added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
+Password:
+
+
+    Sharename      Type      Comment
+    ---------      ----      -------
+    PRINTER$       Disk      
+    HP             Printer   HP 932C on Maya
+    D              Disk      D: on Maya
+    E              Disk      E: on Maya
+
+    ADMIN$         Disk      
+    IPC$           IPC       Remote Inter Process Communication
+
+    Server               Comment
+    ---------            -------
+
+    Workgroup            Master
+    ---------            -------</pre></blockquote>
+
+<p>A shared printer is attached to <tt class="literal">maya</tt>, so we see
+the PRINTER$ administrative service, along with the HP share for the
+printer itself. Also on <tt class="literal">maya</tt> are the D and E
+shares, which allow access across the network to
+<tt class="literal">maya</tt>'s D: and E: drives. It is
+normal for the Server and Workgroup sections to be empty when listing
+services on a Windows client.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.2"/>
+
+<h3 class="head2">Authenticating with smbclient</h3>
+
+<p><a name="INDEX-26"/>As with any other SMB client,
+<em class="emphasis">smbclient</em> needs to supply a username and
+password if it is authenticating in a domain environment or if it is
+contacting a Samba server that is set up with user-level security. In
+a workgroup environment, it will at least need a password to use when
+connecting with a password-protected resource.</p>
+
+<p>By default, <em class="emphasis">smbclient</em> uses the username of the
+user who runs it and then prompts for a password. If you are using
+<em class="emphasis">smbclient</em> a lot, you might tire of entering your
+password every time.</p>
+
+<p><em class="emphasis">smbclient</em> supports some alternate methods of
+entering a username and password. The password can be entered on the
+command line, like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e jayspassword</b></tt></pre></blockquote>
+
+<p>Or both the username and password can be supplied by using the
+<em class="emphasis">-U</em> option, including the username and password
+separated by a percent (<tt class="literal">%</tt>) character:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e -U kelly%kellyspassword</b></tt></pre></blockquote>
+
+<p>This method is useful if you are logged in to the system under an
+account that is not Samba-enabled or you are testing your
+configuration to see how it treats another user. With either method,
+you can avoid having to enter the username and/or password each time
+you run <em class="emphasis">smbclient</em> by creating an alias for the
+command or creating a shell function or shell script. For example,
+with the <em class="emphasis">bash</em> shell, it is possible to define a
+function like this:</p>
+
+<blockquote><pre class="code">smbcl(  )
+{
+    smbclient $* -U jay%jayspassword
+}</pre></blockquote>
+
+<p>Adding the definition to the shell's startup script
+(which would be <em class="filename">~/.bash_profile</em> for
+<em class="emphasis">bash</em>) would result in the definition affecting
+all subsequent shell invocations.</p>
+
+<p>Another method that can be used to supply both the username and
+password is to set the USER and <a name="INDEX-27"/><a name="INDEX-28"/>PASSWD environment variables. Either
+set the USER environment variable using the
+<em class="replaceable">username</em>%<em class="replaceable">password</em>
+format, or set the USER environment variable to the username, and set
+PASSWD to the user's password.</p>
+
+<p>It is also possible to create a credentials file containing the
+username on the first line and the password on the second line, like
+this:</p>
+
+<blockquote><pre class="code">username = jay
+password = jayspassword</pre></blockquote>
+
+<p>Then, <em class="emphasis">smbclient</em> is run using the
+<em class="emphasis">-A</em> option to specify the name of the file:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e -A ~/.smbpw</b></tt></pre></blockquote>
+
+<a name="samba2-CHP-5-NOTE-120"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>Of the methods we described in this section, the only one that is
+really secure is the default method of allowing
+<em class="emphasis">smbclient</em><a name="INDEX-29"/> to
+prompt for the password and typing in the password without echoing.</p>
+
+<p>If security is a concern, you definitely should avoid providing your
+password on the command line because it is very easy for
+&quot;shoulder surfers&quot; to obtain, as
+well as anyone who looks through your shell's
+command history.</p>
+
+<p>If you keep your Samba password in a credentials file, shell startup
+file, or shell script, make sure the file's
+permissions prohibit other users from reading or writing it. (Use an
+octal permissions mode of 0600.) Security experts never keep
+passwords in files owned by nonroot users or accessible by anyone
+other than the superuser. As part of their security policy, some
+organizations do not permit passwords to be stored in files, so you
+might want to check first before using this method.</p>
+
+<p>The authentication method that uses the USER and PASSWD environment
+variables isn't any more secure. Environment
+variables are usually set either on the command line or in one or
+more of the shell's startup files, so this method
+suffers from the same weaknesses we've just
+discussed. In addition, any program run by the user has access to the
+shell's environment variables, making a Trojan horse
+attack on the PASSWD variable really easy!</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.3"/>
+
+<h3 class="head2">An Interactive smbclient Session</h3>
+
+<p><a name="INDEX-30"/>A common use for
+<em class="emphasis">smbclient</em> is to use it as an
+<em class="emphasis">ftp</em>-like shell to access SMB resources on the
+network. To begin a session, <em class="emphasis">smbclient</em> must be
+provided with the UNC of a resource (which you can find using the
+<em class="emphasis">-L</em> option) on the command line, like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e</b></tt>
+added interface ip=172.16.1.3 bcast=172.16.1.255 nmask=255.255.255.0
+Password: 
+smb: \&gt;</pre></blockquote>
+
+<p>Forward slashes are accepted by <em class="emphasis">smbclient</em> for
+the share's UNC, which makes entering the UNC on the
+command line easier. Backslashes can also be used, but they must be
+quoted or escaped, and it is somewhat more difficult to type
+'<tt class="literal">\\maya\e</tt>' or <tt class="literal">\\\\maya\\e</tt>.
+After connecting to the share, <em class="emphasis">smbclient</em>
+displays the <tt class="literal">smb: \&gt;</tt> prompt, waiting for a
+command to be entered. Commands are similar to those with which you
+might be familiar in <em class="emphasis">ftp</em> and are also somewhat
+similar to Unix shell commands. To get a list of
+<em class="emphasis">smbclient</em><a name="INDEX-31"/> commands, use the
+<em class="emphasis">help</em> command:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>help</b></tt>
+ls             dir            du             lcd            cd             
+pwd            get            mget           put            mput           
+rename         more           mask           del            open           
+rm             mkdir          md             rmdir          rd             
+prompt         recurse        translate      lowercase      print          
+printmode      queue          cancel         quit           q              
+exit           newer          archive        tar            blocksize      
+tarmode        setmode        help           ?              history        
+!</pre></blockquote>
+
+<p>Some commands in the previous list are synonyms for other commands.
+For example, the <em class="emphasis">?</em> command is a synonym for
+<em class="emphasis">help</em>. You can give this command the name of
+another command as an argument to get a concise reminder of what the
+command does and how to use it:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>? ls</b></tt>
+HELP ls:
+        &lt;mask&gt; list the contents of the current directory</pre></blockquote>
+
+<p>The term <tt class="literal">&lt;mask&gt;</tt> refers to a file-matching
+pattern as commonly found in Unix shells and utilities. For example:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>ls *doc</b></tt>
+  ms-ProfPol-wp.doc                   A      131  Tue Dec 18 09:12:34 2002
+  smbclient.doc                       A    33969  Mon Dec 10 20:22:24 2002
+  smbmount.doc                        A     7759  Mon Dec 10 20:20:00 2002
+
+                      48590 blocks of size 524288. 40443 blocks available</pre></blockquote>
+
+<p>lists all files ending in &quot;doc&quot; in
+the current directory on the remote system. In the listing, the
+leftmost column shows the filename. Moving left to right, we see the
+file's MS-DOS attributes, then its size, and the
+time it was last modified.</p>
+
+<p>As with any other Unix utility, <em class="emphasis">smbclient</em> has a
+working directory on the local host. It also has another current
+directory on the remote SMB share. With
+<em class="citetitle">smbclient</em>, the <em class="emphasis">cd</em> command
+is used to move around on the remote system:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>cd trans  </b></tt> 
+smb: \trans\&gt;</pre></blockquote>
+
+<p>Notice how the prompt changes to reflect the new current working
+directory. To change your current directory on the local system, use
+the <em class="emphasis">lcd</em> command:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>lcd /u/snd</b></tt>
+the local directory is now /u/snd</pre></blockquote>
+
+<p>Most of <em class="emphasis">smbclient</em>'s commands
+are for performing operations on remote files and directories. There
+is no command for listing the contents of the local directory.
+However, <em class="emphasis">smbclient</em> allows a shell escape. Any
+command preceded by an exclamation point (<tt class="literal">!</tt>) is
+interpreted as a shell command and is run in a subshell on the local
+system. For example:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>! ls -l</b></tt>
+total 16
+drwxrwxr-x    2 jay      jay          4096 Jan 10 14:46 dr220-fet
+drwxrwxr-x    2 jay      jay          4096 Sep 22 12:16 dr220-tube
+-rw-rw-r--    1 jay      jay           131 Jan 10 02:22 readme.txt
+drwxrwxr-x    7 jay      jay          4096 Jan 10 02:19 xl1</pre></blockquote>
+
+<p>lists the contents of <em class="filename">/u/snd</em>. By using
+<em class="emphasis">smbclient</em>'s commands to operate
+on the remote system&mdash;and shell-escaped commands to operate on
+the local system&mdash;it is possible to manipulate data on both
+systems without having to exit <em class="emphasis">smbclient</em> or open
+another shell window.</p>
+
+<p><a name="INDEX-32"/><a name="INDEX-33"/>File transfer is performed using
+the <em class="emphasis">get</em> and
+<em class="emphasis">put</em><a name="INDEX-34"/><a name="INDEX-35"/> commands. The <em class="emphasis">get</em>
+command transfers a single file from the remote to the local system,
+and the <em class="emphasis">put</em> command copies a file from the local
+to the remote system. For example, the following command copies the
+file <em class="filename">readme.txt</em> to the SMB share:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>put readme.txt</b></tt>
+putting file readme.txt as \trans\readme.txt (127.9 kb/s) (average 10.7 kb/s)</pre></blockquote>
+
+<a name="samba2-CHP-5-NOTE-121"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>Unlike <em class="emphasis">ftp</em>, <em class="emphasis">smbclient</em> does
+not have <em class="emphasis">ascii</em> and <em class="emphasis">binary</em>
+commands to set the type of the file that is being transferred.
+Before transferring a text file from a Unix system to a Windows or
+Macintosh system, you might want to use the GNU
+<em class="emphasis">unix2dos</em><a name="INDEX-36"/> command to reformat newlines in the
+file to work with the carriage return linefeed (CRLF) standard:</p>
+
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>unix2dos text_file &gt;text_file.txt</b></tt></pre></blockquote>
+
+
+<p>and then transfer the CRLF-formatted version. After transferring a
+text file from a Windows or Macintosh system to Unix, you can use the
+GNU <em class="emphasis">dos2unix</em><a name="INDEX-37"/> command to perform the inverse
+operation:</p>
+
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>dos2unix text_file.txt &gt;text_file</b></tt></pre></blockquote>
+</blockquote>
+
+<p>To transfer more than one file with a single command, you can use the
+<em class="emphasis">mget</em><a name="INDEX-38"/><a name="INDEX-39"/> and <em class="emphasis">mput</em> commands,
+which accept a list of filenames in the command line. The list can be
+provided by typing in the filenames on the command line separated by
+spaces, or the group of files can be specified with a pattern as one
+would use in Unix shell commands. The command:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>mget plain/*</b></tt></pre></blockquote>
+
+<p>copies all the files in the directory <em class="filename">plain</em> on
+the SMB share to the current directory on the local system. By
+default, <em class="emphasis">smbclient</em> prompts for each file, asking
+if you want to copy it:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>mget plain/*</b></tt>
+Get file tomm.wav? n
+Get file toml.wav? n
+Get file tomh.wav? n
+Get file snare.wav? n
+Get file rim.wav? n
+Get file handclap.wav? n
+Get file bassdrum.wav? n</pre></blockquote>
+
+<p>If you are sure you want to copy all the files, you can turn off
+prompting with the <em class="emphasis">prompt</em> command, like this:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>prompt</b></tt>
+prompting is now off</pre></blockquote>
+
+<p>By default, if you specify the name of a directory,
+<em class="emphasis">smbclient</em> will not copy the contents of the
+directory. To transfer the entire contents of directories listed in
+the <em class="emphasis">mput</em> or <em class="emphasis">mget</em> command,
+you must first use the <em class="emphasis">recurse</em> command:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>recurse</b></tt>
+directory recursion is now on</pre></blockquote>
+
+<p>After setting things up with the
+<em class="emphasis">prompt</em><a name="INDEX-40"/><a name="INDEX-41"/> and <em class="emphasis">recurse</em>
+commands, we can copy a directory like this:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>mget acc</b></tt>
+getting file tomm.wav of size 55494 as tomm.wav (2580.6 kb/s) (average 2087.3 kb/s)
+getting file toml.wav of size 57220 as toml.wav (2660.9 kb/s) (average 2167.6 kb/s)
+getting file tomh.wav of size 55936 as tomh.wav (2601.2 kb/s) (average 2220.8 kb/s)
+getting file snare.wav of size 22132 as snare.wav (1200.7 kb/s) (average 2123.7 kb/s)
+getting file rim.wav of size 8314 as rim.wav (1623.8 kb/s) (average 2110.8 kb/s)
+getting file handclap.wav of size 14180 as handclap.wav (1978.2 kb/s) (average 2106.2 
+kb/s)
+getting file bassdrum.wav of size 6950 as bassdrum.wav (2262.3 kb/s) (average 2108.5 
+kb/s)</pre></blockquote>
+
+<p><a name="INDEX-42"/>Directory recursion applies to all
+commands, so if an <em class="emphasis">ls</em> command is used while
+directory recursion is on, all files in the directory tree are
+listed. To turn directory recursion off again, simply re-enter the
+command. At the same time, you might also wish to toggle prompting
+back to its initial state:</p>
+
+<blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>recurse</b></tt>
+directory recursion is now off
+smb: \trans\&gt; <tt class="userinput"><b>prompt</b></tt>
+prompting is now on</pre></blockquote>
+
+<p>There are other <em class="emphasis">smbclient</em> commands that you
+might find useful. The <em class="emphasis">mkdir</em> command can be used
+to create a directory; <em class="emphasis">rmdir</em> removes a
+directory; <em class="emphasis">rm</em> deletes a file; and
+<em class="emphasis">rename</em> changes a file's name.
+These behave very similarly to their Unix shell counterparts. <a href="appc.html">Appendix C</a> contains a complete reference to
+<em class="emphasis">smbclient</em> and its command set.</p>
+
+<p>To exit <em class="emphasis">smbclient</em>, use the
+<em class="emphasis">exit</em> or <em class="emphasis">quit</em> command:</p>
+
+<a name="INDEX-43"/><blockquote><pre class="code">smb: \trans\&gt; <tt class="userinput"><b>quit </b></tt></pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.4"/>
+
+<h3 class="head2">Programming with smbclient</h3>
+
+<p><a name="INDEX-44"/>The <em class="emphasis">-c</em> option
+<em class="emphasis">of smbclient</em> allows a list of commands to be
+passed on the command line. To copy the file
+<em class="filename">\\maya\e\trans\readme.txt</em> to
+<em class="filename">/u/snd/readme.txt</em>, we might use the command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient //maya/e -c &quot;lcd /u/snd; cd trans; get readme.txt&quot; -A ~/.smbpw</b></tt></pre></blockquote>
+
+<p>Everything that <em class="emphasis">smbclient</em> needs to know to
+perform the operation has been specified in the command. There is no
+interactive session, so a command such as this can be placed inside a
+shell script or a program in some other programming language.</p>
+
+<p>By using <em class="emphasis">smbclient</em> in this manner, it is
+possible to create customized commands using shell functions, scripts
+or aliases. For example, suppose we wanted a command to print a short
+listing of files in a shared directory, showing just the names of the
+files. Using a <em class="emphasis">bash</em> function, we could define a
+command <em class="emphasis">smbls</em> as follows:</p>
+
+<blockquote><pre class="code">smbls(  )
+{
+        share=`echo $1 | cut -d '/' -f '1-4'`
+        dir=`echo $1 | cut -d '/' -f '5-'`
+        smbclient $share -c &quot;cd $dir; ls&quot; -A ~/.smbpw | \
+                        grep &quot;^  &quot; | cut -d ' ' -f 3 - | sort
+}</pre></blockquote>
+
+<p>After defining this function, we can use <em class="emphasis">smbls</em>
+like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbls //maya/e</b></tt>
+CD-images
+lectures
+ms-ProfPol-wp.doc
+profile-map
+readme.txt
+RECYCLED
+smbclient.doc
+smbmount.doc
+smbsh.txt
+trans
+$ <tt class="userinput"><b>smbls //maya/e/lectures</b></tt>
+.
+..
+lecture1.mp3
+lecture2.mp3
+lecture3.mp3
+lecture4.mp3
+lecture5.mp3
+lecture6.mp3
+lecture7.mp3
+lecture8.mp3
+lecture9.mp3</pre></blockquote>
+
+<p>Another use for <em class="emphasis">smbclient</em> in scripts is
+performing administrative tasks. Suppose a group of users on Windows
+clients are sharing a set of files as part of a project on which they
+are working. Instead of expecting them to coordinate making daily
+backups, we could write a script that copies the share to the Samba
+server and run the script nightly as a cron job. The directory on the
+Samba server could be shared as well, allowing any of the users to
+retrieve a backup file on their own, without having to bother an
+administrator.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-3.5"/>
+
+<h3 class="head2">Backups with smbclient</h3>
+
+<p>A major use of <em class="emphasis">smbclient</em><a name="INDEX-45"/><a name="INDEX-46"/> is to create and restore backups of
+SMB file shares. The backup files <em class="emphasis">smbclient</em>
+writes are in tar format, making them easy to work with and portable
+among all Unix versions. Using <em class="emphasis">smbclient</em> on a
+Unix server to run network backups can result in a more centralized
+and easily managed solution for providing data integrity because both
+SMB shares and NFS filesystems can be backed up on the same system.</p>
+
+<p>You can use <em class="emphasis">smbclient</em> to perform backups in two
+ways. When backing up an entire share, the simplest method is to use
+the <em class="emphasis">-Tc</em> option on the command line:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e -A samba-domain-pw -Tc &gt;maya-e.tar</b></tt></pre></blockquote>
+
+<p>This will create a tar archive of the <em class="filename">\\maya\e</em>
+share in the file <em class="filename">maya-e.tar</em>. By using the
+<em class="emphasis">-D</em> option, it is possible to back up a directory
+in the share, rather than the whole share:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e -A samba-domain-pw -D trans -Tc &gt;maya-e.tar</b></tt></pre></blockquote>
+
+<p>This causes <em class="emphasis">smbclient</em> to change its working
+directory to the <em class="filename">trans</em> directory of the
+<em class="filename">\\maya\e</em> share before starting the backup. It is
+also possible to use
+<em class="emphasis">smbclient</em>'s
+<em class="emphasis">tar</em> command in interactive mode, like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e </b></tt>
+added interface ip=172.16.1.3 bcast=172.16.1.255 nmask=255.255.255.0
+Password:
+smb: \&gt; <tt class="userinput"><b>cd trans</b></tt>
+smb: \trans\&gt; <tt class="userinput"><b>tarmode full hidden system quiet</b></tt>
+smb: \trans\&gt; <tt class="userinput"><b>tar c maya-e-trans.tar</b></tt></pre></blockquote>
+
+<p>With the previous code, only the <em class="emphasis">trans</em>
+subdirectory in the <em class="emphasis">\\maya\e</em> share will be
+backed up, using the settings specified in the
+<em class="emphasis">tarmode</em> command. To have this type of backup run
+automatically from a script, use the <em class="emphasis">-c</em> option:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/e -A samba-domain-pw -c &quot;cd trans; tarmode full hidden \</b></tt>
+<tt class="userinput"><b>    system quiet; tar &gt;maya-e-trans.tar&quot;</b></tt></pre></blockquote>
+
+<p>Using either the <em class="emphasis">-T</em> command-line option or
+<em class="emphasis">smbclient</em>'s
+<em class="emphasis">tar</em> command, additional options can be supplied.
+It is necessary to specify either the <em class="emphasis">c</em> option
+to create a backup archive or the <em class="emphasis">x</em> option to
+extract (restore) one.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> </p>
+
+<p>The other options can be appended to the option string
+and are explained in the section on <em class="emphasis">smbclient</em> in
+<a href="appc.html">Appendix C</a>. They allow you to create incremental
+backups, specify which files to include or exclude from the backup,
+and specify a few other miscellaneous settings. For example, suppose
+we wish to create an incremental backup of a share and reset the
+archive bit on the files to set things up for the next incremental
+backup. Instead of using the interactive commands:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>tarmode inc reset quiet</b></tt>
+smb: \&gt; <tt class="userinput"><b>tar c backup.tar</b></tt></pre></blockquote>
+
+<p>we could either use the interactive command:</p>
+
+<blockquote><pre class="code">smb: \&gt; <tt class="userinput"><b>tar cgaq backup.tar</b></tt></pre></blockquote>
+
+<p>or specify the <em class="emphasis">-Tcgaq</em> option on the
+<em class="emphasis">smbclient</em> command line.</p>
+
+<p>Your best strategy for using <em class="emphasis">smbclient</em> for
+network backups depends on your local configuration. If you have only
+a few Windows systems sharing a small amount of data, you might
+create a script containing <em class="emphasis">smbclient -Tc</em>
+commands to back up each share to a separate tar file, placing the
+files in a directory that is included with regular backups of the
+Unix system. If you have huge SMB shares on your network, you might
+prefer to write the backup directly to a tape drive. You can do this
+with <em class="emphasis">smbclient</em> just as you would with a Unix
+<em class="emphasis">tar</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient //maya/d -A samba-domain-pw -Tc &gt;/dev/tape</b></tt></pre></blockquote>
+
+<p>After you have become more familiar with
+<em class="emphasis">smbclient</em> and have an automated backup system in
+place, you might find that using Samba has dramatically decreased
+your anxiety regarding the integrity of your
+network's data. The authors of this book are
+experienced Unix system administrators, and we highly recommend
+having a backup strategy that has been carefully planned,
+implemented, and most importantly, <em class="emphasis">tested and known to work
+as it is supposed to</em>.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-4"/>
+
+<h2 class="head1">smbfs</h2>
+
+<p>On Linux, the <a name="INDEX-47"/>smbfs filesystem can be used to mount
+SMB shares onto the Linux filesystem in a manner similar to mounting
+disk partitions on NFS filesystems. The result is so transparent that
+users on the Linux system might never be aware that they are
+accessing files through a Windows or Samba server. Files and
+directories appear as any other files or directories on the local
+Linux system, although there are a few differences in behavior
+relating to ownership and permissions.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a></p>
+
+<p>Although smbfs is based on the Samba code, it is not itself part of
+the Samba distribution. Instead, it is included with Linux as a
+standard part of the Linux filesystem support.</p>
+
+<p>The <em class="emphasis">smbmount</em> and
+<em class="emphasis">smbmnt</em><a name="INDEX-48"/> programs are part of the Samba
+distribution and are needed on the client to mount smbfs filesystems.
+Samba must be compiled with the <tt class="literal">--with-smbmount</tt>
+configure option to make sure these programs are compiled. They refer
+to <em class="filename">smb.conf</em> for information they need regarding
+the local system and network configuration, so you will need a
+working <em class="filename">smb.conf</em><a name="INDEX-49"/><a name="INDEX-50"/>
+file on the system, even if it is not acting as a Samba server.
+ <a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/></p>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-4.1"/>
+
+<h3 class="head2">Mounting an smbfs Filesystem</h3>
+
+<p>The <em class="emphasis">smbmount</em><a name="INDEX-54"/> command is used to mount an smbfs
+filesystem into the Linux filesystem. The basic usage is:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbmount </b></tt><em class="replaceable">Share-UNC mount-point</em><tt class="userinput"><b> -o </b></tt><em class="replaceable">options</em></pre></blockquote>
+
+<p>Replace <em class="replaceable">Share-UNC</em> with the UNC for the SMB
+share, and <em class="replaceable">mount-point</em> with the full path
+to the directory in the Linux filesystem to use as the mount point.
+The <em class="replaceable">options</em> argument is used to set the
+exact manner in which the share is mounted. Let's
+look at an example of a <em class="emphasis">smbmount</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbmount //maya/e /smb/e \</b></tt>
+<tt class="userinput"><b>    -o &quot;credentials=/home/jay/.smbpw,uid=jay,gid=jay,fmask=664,dmask=775&quot;</b></tt></pre></blockquote>
+
+<p>Here we are mounting share <em class="filename">\\maya\e</em> from a
+Windows 98 system on the mount point <em class="filename">/smb/e</em> on
+the Linux system.</p>
+
+<a name="samba2-CHP-5-NOTE-122"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>If your Linux kernel doesn't include smbfs support,
+you will get the error message:</p>
+
+<blockquote><pre class="code">ERROR: smbfs filesystem not supported by the kernel</pre></blockquote>
+
+
+<p>In this case, you must configure and compile a new kernel to include
+support for smbfs. When smbfs is installed, and an SMB share is
+mounted, you can run the command:</p>
+
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cat /proc/filesystems</b></tt></pre></blockquote>
+
+<p>and see a line that looks like:</p>
+
+<blockquote><pre class="code">nodev   smbfs</pre></blockquote>
+
+
+<p>in the command's output.</p>
+</blockquote>
+
+<p>The mount point must exist before <em class="emphasis">smbmount</em> is
+run and can be created using the <em class="emphasis">mkdir</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /smb/e</b></tt></pre></blockquote>
+
+<p>The argument to the <em class="emphasis">-o</em> option might look a
+little complex. It is a comma-separated list of
+<em class="replaceable">key</em><tt class="literal">=</tt><em class="replaceable">value</em>
+pairs. The <tt class="literal">credentials</tt> key is set to the name of
+the credentials file, which is used to give
+<em class="emphasis">smbmount</em> a valid username and password with
+which to authenticate while connecting to the share. The format is
+identical to that used by <em class="emphasis">smbclient</em> (as
+explained in the previous section), so you can use the same
+credentials file for both clients. If you want, you can use the
+<em class="replaceable">key</em>=<em class="replaceable">value</em> pair
+<tt class="literal">username</tt>=<em class="replaceable">name</em>%<em class="replaceable">password</em>
+to specify the username and password directly in the
+<em class="emphasis">smbmount</em> command, although this is considerably
+less secure.</p>
+
+<a name="samba2-CHP-5-NOTE-123"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The <em class="emphasis">smbmount</em> command accepts the same
+authentication methods as <em class="emphasis">smbclient</em>. The
+comments in the section on <em class="emphasis">smbclient</em> regarding
+supplying passwords on the command line&mdash;and keeping passwords
+in files and environment variables&mdash;also apply here.</p>
+</blockquote>
+
+<p>The rest of the options tell <em class="emphasis">smbmount</em> how to
+translate between the SMB filesystem and the Unix filesystem, which
+differ in their handling of ownership and permissions. The
+<em class="emphasis">uid</em> and <em class="emphasis">gid</em> options specify
+the owner and group to be assigned to all directories and files in
+the mounted share.</p>
+
+<p>The <em class="emphasis">fmask</em><a name="INDEX-55"/> and
+<em class="emphasis">dmask</em><a name="INDEX-56"/> options specify
+<a name="INDEX-57"/>bitmasks for
+permissions of files and directories, respectively. These bitmasks
+are logically ANDed with whatever permissions are granted by the
+server to create the effective permissions on the client Unix system.
+On the server side, the permissions granted depend on the
+server's operating system. For a Windows 95/98/Me
+server using share-mode security, the MS-DOS read-only attribute can
+be set on individual files and directories and combined with the Full
+Access or Read Only permissions on the share as a whole. In
+user-level security mode, Windows 95/98/Me can have ACL-like
+permissions applied to the entire share, as discussed in <a href="ch04.html">Chapter 4</a>. Windows NT/2000/XP support ACLs on individual
+files and directories, with Full Control, Change, or Read permissions
+that can be applied to the entire share. If the server is a Samba
+server, the permissions are whatever is defined by the Samba share
+and the local Unix system for the individual files and directories.
+In every case, the permissions applied to the share act to further
+limit access, beyond what is specified for the individual files and
+directories.</p>
+
+<a name="samba2-CHP-5-NOTE-124"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>You might think that the <em class="emphasis">fmask</em> and
+<em class="emphasis">dmask</em> permission masks can be used only to
+reduce the effective permissions on files and directories, but this
+is not always the case. For example, suppose that a file is being
+shared by a Windows 95/98/Me server using share-mode security and
+that some number of users have been given the Full Access password
+for the share. If the share is mounted with
+<em class="emphasis">smbmount</em> using an <em class="emphasis">fmask</em> of
+666, read/write permissions are granted on the Unix system not only
+for the owner, but for everyone else on the Unix system as well!</p>
+</blockquote>
+
+<p>After mounting the <em class="filename">\\maya\d</em> share to
+<em class="filename">/smb/e</em>, here is what the contents of
+<em class="filename">/smb/e</em> look like:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>cd /smb/e ; ls -l</b></tt>
+total 47
+drwxrwxr-x    1 jay      jay           512 Jan  8 20:21 CD-images
+drwxrwxr-x    1 jay      jay           512 Jan  6 21:50 lectures
+-rw-rw-r--    1 jay      jay           131 Dec 18 09:12 ms-ProfPol-wp.doc
+-rw-rw-r--    1 jay      jay            59 Dec 18 09:12 profile-map
+-rw-rw-r--    1 jay      jay           131 Jan 15 05:01 readme.txt
+drwxrwxr-x    1 jay      jay           512 Feb  4  2002 RECYCLED
+-rw-rw-r--    1 jay      jay         33969 Dec 10 20:22 smbclient.doc
+-rw-rw-r--    1 jay      jay          7759 Dec 10 20:20 smbmount.doc
+-rw-rw-r--    1 jay      jay          1914 Dec 10 20:17 smbsh.txt
+drwxrwxr-x    1 jay      jay           512 Jan 10 03:54 trans</pre></blockquote>
+
+<p>For the most part, the files and directories contained in the mounted
+smbfs filesystem will work just like any others, except for
+limitations imposed by the nature of SMB networking. For example, not
+even the superuser can perform the operation:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chown root lectures</b></tt>
+chown: changing ownership of 'lectures': Operation not permitted</pre></blockquote>
+
+<p>because SMB shares do not intrinsically support the idea of
+ownership. Some odd behaviors can result from this. For example, the
+command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chmod 777 readme.txt</b></tt></pre></blockquote>
+
+<p>does not produce an error message, although nothing has been changed.
+The file <em class="filename">readme.txt</em> still has permissions set to
+664:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ls -l readme.txt</b></tt>
+-rw-rw-r--    1 jay      jay           131 Jan 15 05:01 readme.txt</pre></blockquote>
+
+<p>Aside from little things such as these, the mounted smbfs filesystem
+can be used in conjunction with virtually any application, and you
+might be pleasantly surprised at how nicely it integrates with your
+Linux-based computing environment. You can even create symbolic links
+in the Unix filesystem, pointing to files and directories inside SMB
+shares. However, unless the server is a Samba server that supports
+Unix CIFS extensions, you will not be able to create a symbolic link
+inside the mounted smbfs filesystem.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-4.2"/>
+
+<h3 class="head2">Mounting smbfs Filesystems Automatically</h3>
+
+<p><a name="INDEX-58"/>As with other types of
+filesystems, an smbfs filesystem can be mounted automatically during
+system bootup by creating an entry for it in
+<em class="filename">/etc/fstab</em>. The format for the entry is as
+follows:</p>
+
+<blockquote><pre class="code"><em class="replaceable">Share-UNC mount-point</em>  smbfs  <em class="replaceable">options</em> 0 0</pre></blockquote>
+
+<p>Replace <em class="replaceable">Share-UNC</em> with the UNC of the
+share (using the forward slash format), and replace
+<em class="replaceable">mount-point</em> with the name of the directory
+in the Linux filesystem on which the share will be mounted. In place
+of <em class="replaceable">options</em>, simply use the string that you
+used with the <em class="emphasis">-o</em> flag in the
+<em class="emphasis">smbmount</em> command.</p>
+
+<p>Once you have found the arguments to use with the
+<em class="emphasis">smbmount</em> command to mount the share the way you
+like it, it is a very simple matter to create the entry for
+<em class="filename">/etc/fstab</em>. The <em class="emphasis">smbmount</em>
+command we used to mount the share <em class="filename">\\maya\e</em> on
+<em class="filename">/smb/e</em> would translate to this
+<em class="filename">/etc/fstab</em> entry:</p>
+
+<blockquote><pre class="code">//maya/e /smb/e  smbfs  
+credentials=/home/jay/.smbpw,uid=jay,gid=jay,fmask=664,dmask=775 0 0
+
+<i class="lineannotation">(Please note that this should all go on one line.)</i></pre></blockquote>
+<a name="samba2-CHP-5-NOTE-125"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>If you make a mistake in modifying
+<em class="filename">/etc/fstab</em><a name="INDEX-59"/><a name="INDEX-60"/>, your system might not
+reboot properly, and you might be forced to boot into single-user
+mode to fix the problem. Before you edit
+<em class="filename">/etc/fstab</em>, be sure to make a backup copy of it,
+and be prepared to recover your system if anything goes wrong.</p>
+</blockquote>
+
+<p>Once the entry has been added, the system will automatically mount
+the share when booting. Or, the system administrator can manually
+mount or unmount the share with commands such as these:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mount /smb/e</b></tt>
+# <tt class="userinput"><b>umount /smb/e</b></tt></pre></blockquote>
+
+<a name="samba2-CHP-5-NOTE-126"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>It is possible to use <em class="emphasis">mount</em> and
+<em class="emphasis">umount</em> by giving them the UNC for the share
+using forward slashes, as in our <em class="filename">/etc/fstab</em>
+entry. However, be careful about this. A share might be listed more
+than once in <em class="filename">/etc/fstab</em> so that it can be
+mounted at more than one place in the Linux filesystem. If you use
+the UNC to specify the share you wish to mount or unmount, you might
+cause it to be mounted or unmounted at another mount point from the
+one you intended.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-4.3"/>
+
+<h3 class="head2">Common smbmount Options</h3>
+
+<p><a href="ch05.html#samba2-CHP-5-TABLE-1">Table 5-1</a> lists
+<em class="replaceable">key</em><tt class="literal">=</tt><em class="replaceable">value</em>
+pairs that can be used with the <em class="emphasis">-o</em> option of
+<em class="emphasis">smbmount</em> or in the options field of the
+<em class="filename">/etc/fstab</em> entry for the smbfs filesystem. See
+the <em class="emphasis">smbmount</em> manual page for a complete list of
+options.</p>
+
+<a name="samba2-CHP-5-TABLE-1"/><h4 class="head4">Table 5-1. smbmount options</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Key</p>
+</th>
+<th>
+<p>Value</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">username</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Provides the username, and optionally the password and workgroup, for
+authentication.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">password</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Provides the share or domain password, if it hasn't
+been supplied by another means.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">credentials</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Name of file containing the username and password.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">uid</tt></p>
+</td>
+<td>
+<p>string or numeric</p>
+</td>
+<td>
+<p>User ID to apply to all files and directories of the mounted share.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">gid</tt></p>
+</td>
+<td>
+<p>string or numeric</p>
+</td>
+<td>
+<p>Group ID to apply to all files and directories of the mounted share.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">fmask</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Permissions to apply to files. Default is based on current umask.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dmask</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Permissions to apply to directories. Default is based on current
+umask.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">debug</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Debug level.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Name of workgroup of remote server.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">guest</tt></p>
+</td>
+<td>
+<p>(none)</p>
+</td>
+<td>
+<p>Suppresses password prompt.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ro</tt></p>
+</td>
+<td>
+<p>(none)</p>
+</td>
+<td>
+<p>Mount read-only.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">rw</tt></p>
+</td>
+<td>
+<p>(none)</p>
+</td>
+<td>
+<p>Mount read/write. This is the default.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ttl</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Amount of time to cache the contents of directories. Defaults to 1000
+ms <a name="INDEX-62"/>.</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-5"/>
+
+<h2 class="head1">smbsh</h2>
+
+<p>The <em class="emphasis">smbsh</em><a name="INDEX-63"/> program is part of the Samba suite and
+works on some, but not all, Unix variants.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> Effectively, it adds a wrapper around the
+user's command shell, enabling it and common Unix
+utilities to work on files and directories in SMB shares, in addition
+to files and directories in the local Unix filesystem. From the
+user's perspective, the effect is that of a
+simulated mount of the SMB shares onto the Unix filesystem.</p>
+
+<p><em class="emphasis">smbsh</em> works by running the shell and programs
+run from it in an environment in which calls to the standard C
+library are redirected to the
+<em class="emphasis">smbwrapper</em><a name="INDEX-64"/> library, which has support for
+operating on SMB shares. This redirection can work only if the
+program being run is dynamically linked. Fortunately, modern Unix
+versions ship with most common utilities linked dynamically rather
+than statically.</p>
+
+<a name="samba2-CHP-5-NOTE-127"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>To determine whether a program is dynamically or statically linked,
+try using the <em class="emphasis">file</em> command.</p>
+</blockquote>
+
+<p>To use <em class="emphasis">smbsh</em>, your Samba installation must be
+configured using the configure option
+<tt class="literal">--with-smbwrapper</tt>.</p>
+
+<p>If you have a number of Unix systems with the same host operating
+system and architecture and don't want to bother
+with a full Samba installation, you can simply move the following
+files to the other systems:</p>
+
+<blockquote><pre class="code">/usr/local/samba/bin/smbsh
+/usr/local/samba/bin/smbwrapper.so
+/usr/local/samba/lib/smb.conf</pre></blockquote>
+
+<p>Make sure that <em class="filename">/usr/local/samba/bin</em> is in your
+shell's search path. The
+<em class="filename">smb.conf</em><a name="INDEX-65"/><a name="INDEX-66"/> file is
+needed only for <em class="emphasis">smbsh</em> to determine the workgroup
+or domain and does not need to be as elaborate as your Samba
+server's configuration file.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-5.1"/>
+
+<h3 class="head2">An Interactive Session with smbsh</h3>
+
+<p><a name="INDEX-67"/>To start <em class="emphasis">smbsh</em>,
+simply type in the <em class="emphasis">smbsh</em> command at the shell
+prompt. You will be prompted for a username and password with which
+to authenticate on the SMB network:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbsh</b></tt>
+Username: davecb
+Password:
+smbsh$</pre></blockquote>
+
+<p>While working within the <em class="emphasis">smbsh</em> shell, you have a
+virtual <em class="filename">/smb</em> directory. This does not actually
+exist in the Unix filesystem and is supported within
+<em class="emphasis">smbsh</em> only to help organize the SMB shares in a
+structure familiar to Unix users. You can list the contents of the
+<em class="filename">/smb</em> virtual directory and get a list of
+workgroups in the local network, which are also presented as virtual
+directories:</p>
+
+<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd /smb ; ls</b></tt>
+ZOOL PLANK BACIL</pre></blockquote>
+
+<p>You can change your working directory to one of the workgroup virtual
+directories, and listing one of them will show the computers in the
+workgroup:</p>
+
+<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd ZOOL ; ls</b></tt>
+ANTILLES         DODO             MILO             SEAL
+ARGON            HANGGLIDE        OSTRICH          SPARTA
+BALLET           INFUSION         PLAQUE           THEBES
+CHABLIS          JAZ              PRAETORIAN       TJ
+COBRA            KIKO             RAYOPCI          TRANCE
+COUGUR           MACHINE-HEADPCI  RUMYA            VIPERPCI
+CRUSTY           MATHUMA          SCOT</pre></blockquote>
+
+<p>Likewise, you can change your current directory to, and list the
+contents of, a computer virtual directory, and then you can see a
+listing of shares offered by that computer:</p>
+
+<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd scot ; ls</b></tt>
+ADMIN$      davecb      nc          np2s        pl
+ace         dhcp-mrk03  np          nps         xp
+cl          ep          np2         opcom</pre></blockquote>
+
+<p>This is the lowest level of
+<em class="emphasis">smbsh</em>'s virtual directory
+system. Once you <em class="emphasis">cd</em> into a share, you are within
+the SMB share on the remote computer:</p>
+
+<blockquote><pre class="code">smbsh$ <tt class="userinput"><b>cd davecb ; ls</b></tt>
+Mail                                mkanalysis_dirs.idx
+SUNWexplo                           nfs.ps
+Sent                                nsmail
+allsun.html                         projects.txt
+bin                                 sumtimex</pre></blockquote>
+
+<p>Once in a remote share, most of the Unix shell utilities will work,
+and you can operate on files and directories much as you would on any
+Unix system. You can even create symbolic links in the Unix
+filesystem pointing to files and directories in the SMB share.
+However, attempts to create symbolic links in the SMB share will fail
+unless the share is being served by Samba with support for Unix CIFS
+extensions.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-5-SECT-6"/>
+
+<h2 class="head1">smbutil and mount_smbfs</h2>
+
+<p>The <em class="emphasis">smbutil</em> and <em class="emphasis">mount_smbfs</em>
+programs provide SMB client functionality for FreeBSD, Darwin, and
+Mac OS X. Neither of the programs is part of the Samba distribution;
+however, we are including them to give you a little additional
+support in case you have BSD-related Unix systems on your network.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-6.1"/>
+
+<h3 class="head2">smbutil</h3>
+
+<p>The <em class="emphasis">smbutil</em><a name="INDEX-68"/> program provides functionality similar
+to some of the Samba suite's command-line utilities.
+It can be used to list the shares available on an SMB server or
+perform NetBIOS name lookups.</p>
+
+<p>The first argument given to <em class="emphasis">smbutil</em> is one of a
+number of subcommands and is usually followed by arguments specific
+to the subcommand. For example, to list the resources offered by a
+server, use the <em class="emphasis">view</em> subcommand, and enter your
+server password when prompted:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil view //vamana</b></tt>
+Password:
+Share        Type        Comment
+-------------------------------------------------------------
+public        disk
+SS2500        printer     Stylus Scan 2500
+IPC$          pipe        IPC Service (Samba 2.2.5)
+ADMIN$        disk        IPC Service (Samba 2.2.5)
+leonvs        disk        User Home Directories
+
+5 shares listed from 5 available</pre></blockquote>
+
+<p>If you wish to connect to the server with a username that differs
+from that on your client, you can specify it on the command line by
+preceding the name of the server with the username and using an at
+sign (<tt class="literal">@</tt>) as a separator:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil view //leonvs@vamana</b></tt></pre></blockquote>
+
+<p>You can also include the password after the username, using a colon
+(:) as a separator, to avoid being prompted for
+it:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil view //leonvs:leonspassword@vamana</b></tt></pre></blockquote>
+
+<p>Typing your password in the open like this is strongly discouraged.
+It's a little better if you use an encrypted
+password, which you can generate using
+<em class="emphasis">smbutil</em>'s
+<em class="emphasis">crypt</em> subcommand:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil crypt leonspassword</b></tt>
+$$1625a5723293f0710e5faffcfc6</pre></blockquote>
+
+<p>This can then be used in place of a clear-text password. However, the
+encryption is not particularly strong and will foil only the most
+casual inspection. As noted earlier, the only reasonably secure
+method of providing a password is to be prompted for it.</p>
+
+<p>While starting up, <em class="emphasis">smbutil</em> reads the file
+<em class="filename">.nsmbrc</em><a name="INDEX-69"/> in the user's home
+directory. Also, the file
+<em class="filename">/usr/local/etc/nsmb.conf</em><a name="INDEX-70"/><a name="INDEX-71"/> is read, and directives in that file
+override those in users'
+<em class="filename">~/.nsmbrc</em> files. This is to allow administrators
+to apply mandatory settings to all users. Directives can be placed in
+this file using the section and parameter format similar to that of
+the Samba configuration file. A list of common configuration
+parameters is given in <a href="ch05.html#samba2-CHP-5-TABLE-2">Table 5-2</a>.</p>
+
+<p>For example, to keep your password in your
+<em class="filename">~/.nsmbrc</em> file, you can create an entry in the
+file such as the following:</p>
+
+<blockquote><pre class="code">[VAMANA:LEONVS]
+    password=$$1625a5723293f0710e5faffcfc6</pre></blockquote>
+
+<p>The section heading in brackets specifies the SMB
+server's NetBIOS name and the username to which the
+subsequent parameter settings apply. (The hostname and username
+should be supplied in uppercase characters.) Section headings can
+also consist of just a hostname or can contain a share name as a
+third element for specifying parameters applicable to a single share.
+Finally, if a <tt class="literal">[default]</tt> section is present, the
+settings in it apply to all connections.</p>
+
+<p>The following example <em class="filename">.nsmbrc</em> shows some of the
+other parameters you might use:</p>
+
+<blockquote><pre class="code">[default]
+    username=leonvs
+    # NetBIOS name server
+    nbns=192.168.1.3
+
+[VAMANA]
+    # server IP address
+    addr=192.168.1.6
+    workgroup=TEST
+
+[VAMANA:LEONVS]
+    password=$$1625a5723293f0710e5faffcfc6</pre></blockquote>
+
+<p>Another thing you can do with <em class="emphasis">smbutil</em> is
+<a name="INDEX-72"/><a name="INDEX-73"/><a name="INDEX-74"/>translate between IP addresses or DNS
+names and
+<a name="INDEX-75"/>NetBIOS
+names. For example, the <em class="emphasis">status</em> subcommand takes
+an IP address or DNS hostname as an argument and returns the
+corresponding SMB server's NetBIOS name and
+workgroup:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil status 192.168.1.6</b></tt>
+Workgroup: TEST
+Server: VAMANA</pre></blockquote>
+
+<p>The <em class="emphasis">lookup</em> subcommand returns the IP address
+associated with a given NetBIOS hostname. A NetBIOS name server can
+be optionally specified with the <em class="emphasis">-w</em> argument:</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil lookup -w 192.168.1.3 VAMANA</b></tt>
+Got response from 192.168.1.3
+IP address of VAMANA: 192.168.1.6</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-6.2"/>
+
+<h3 class="head2">mount_smbfs</h3>
+
+<p>The <em class="emphasis">mount_smbfs</em><a name="INDEX-76"/> program performs essentially the same
+function as <em class="emphasis">smbmount</em> on Linux. It mounts an SMB
+share on a directory in the local filesystem. The SMB share can then
+be accessed just like any other directory, subject to some behavioral
+differences noted earlier in <a href="ch05.html#samba2-CHP-5-SECT-4.1">Section 5.4.1</a>.</p>
+
+<p>The command synopsis for <em class="emphasis">mount_smbfs</em> is:</p>
+
+<blockquote><pre class="code">mount_smbfs <em class="replaceable">[options]</em> <em class="replaceable">Share-UNC</em> <em class="replaceable">mount-point</em></pre></blockquote>
+
+<p>where <em class="replaceable">Share-UNC</em> is of the form:</p>
+
+<blockquote><pre class="code">//[<em class="replaceable">workgroup</em>;][<em class="replaceable">username</em>[:<em class="replaceable">password</em>]@]<em class="replaceable">server</em>[/<em class="replaceable">share</em>]</pre></blockquote>
+
+<p>For example:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mount_smbfs '//TEST;leonvs:$$1625a5723293f0710e5faffcfc6@vamana/leonvs' /</b></tt>
+\<tt class="userinput"><b>Volumes/leonvs</b></tt></pre></blockquote>
+
+<p>The ownership and permissions of the mount point determine the
+default ownership and permissions for files and directories in the
+mounted share. These can be modified with command-line arguments,
+like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mount_smbfs -u leonvs -g admin -f 0750 -d 0755 //leonvs@vamana/leonvs </b></tt>
+\<tt class="userinput"><b>/Volumes/leonvs</b></tt></pre></blockquote>
+
+<p>In this example, the files and directories in the mounted share will
+be owned by the user leonvs and the group admin, with files and
+directories having permissions 750 and 755, respectively. (As usual,
+the permissions are specified in the octal format used by the Unix
+<em class="emphasis">chmod</em> command.)</p>
+
+<p>The <em class="emphasis">mount_smbfs</em><a name="INDEX-77"/><a name="INDEX-78"/> command
+also makes use of settings in
+<em class="filename">/usr/local/etc/nsmb.conf</em> and
+<em class="filename">~/.nsmbrc</em>, as described earlier. A list of
+common configuration parameters and command-line options is provided
+in <a href="ch05.html#samba2-CHP-5-TABLE-2">Table 5-2</a>.</p>
+
+<a name="samba2-CHP-5-TABLE-2"/><h4 class="head4">Table 5-2. Common smbutil and mount_smbfs options</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Command-line option</p>
+</th>
+<th>
+<p>Configuration file parameter</p>
+</th>
+<th>
+<p>Description</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">-I</tt> <em class="replaceable">hostname</em></p>
+</td>
+<td>
+<p><tt class="literal">addr</tt></p>
+</td>
+<td>
+<p>Avoid NetBIOS name resolution and connect to the server using the
+specified DNS hostname or IP address.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-N</p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Do not prompt for a password.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-R <em class="replaceable">count</em></p>
+</td>
+<td>
+<p><tt class="literal">retry_count</tt></p>
+</td>
+<td>
+<p>Number of times to retry connection before giving up.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-T <em class="replaceable">seconds</em></p>
+</td>
+<td>
+<p><tt class="literal">timeout</tt></p>
+</td>
+<td>
+<p>Timeout, in seconds, per connection request.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-U <em class="replaceable">username</em></p>
+</td>
+<td>
+<p><tt class="literal">username</tt></p>
+</td>
+<td>
+<p>Username to use for authentication. Defaults to Unix username.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-W <em class="replaceable">workgroup</em></p>
+</td>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+<td>
+<p>Name of workgroup of remote server.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-d <em class="replaceable">mode</em></p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Permissions to apply to directories in the mounted share. Defaults to
+the same as the file permissions, plus an execute (search) bit
+whenever the read bit is set.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-f <em class="replaceable">mode</em></p>
+</td>
+<td>
+<p><em class="filename">none</em></p>
+</td>
+<td>
+<p>Permissions to apply to files in the mounted share. Defaults to the
+same as the permissions set on the directory used as the mount point.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-g <em class="replaceable">group</em></p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Name or numeric GID to apply to all files and directories in the
+mounted share. Defaults to the group of the directory used as the
+mount point.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-n <em class="replaceable">long</em></p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Disable support for long filenames. Restrict filenames to 8.3 naming
+standard.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-u <em class="replaceable">username</em></p>
+</td>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p>Username or numeric UID to apply as the owner of all files and
+directories in the mounted share. Defaults to the owner of the
+directory used as the mount point.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>-w <em class="replaceable">hostname</em></p>
+</td>
+<td>
+<p><tt class="literal">nbns</tt></p>
+</td>
+<td>
+<p>Hostname or IP address of the NetBIOS name server.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><em class="emphasis">none</em></p>
+</td>
+<td>
+<p><tt class="literal">password</tt></p>
+</td>
+<td>
+<p>Password to use for authentication.</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-5-SECT-6.3"/>
+
+<h3 class="head2">Mac OS X</h3>
+
+<p><a name="INDEX-79"/>In addition to
+<em class="emphasis">smbutil</em> and <em class="emphasis">mount_smbfs</em>, OS
+X includes a graphical interface to the functionality they provide.
+To use this interface, open the Go menu and select the Connect to
+Server . . . menu item. Instead of using a UNC, specify the share in
+the form of a Uniform Resource Identifier (URI) with a prefix of
+<tt class="literal">smb://</tt> entered in the Address field, as shown in
+<a href="ch05.html#samba2-CHP-5-FIG-5">Figure 5-5</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-5"/><img src="figs/sam2_0505.gif"/></div><h4 class="head4">Figure 5-5. OS X Connect to Server dialog</h4>
+
+<p>You can specify a server, share, workgroup, username, and password
+(optionally encrypted with <em class="emphasis">smbutil crypt</em>) in the
+URI, in the same format as the UNC argument to
+<em class="emphasis">mount_smbfs</em>. If you don't
+specify a share name in the URI, you will be shown a window that lets
+you choose from a list of shares available to mount. See <a href="ch05.html#samba2-CHP-5-FIG-6">Figure 5-6</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-6"/><img src="figs/sam2_0506.gif"/></div><h4 class="head4">Figure 5-6. Selecting a share to mount</h4>
+
+<p>Only guest-accessible shares will show up in the list until
+you've authenticated. After pressing the
+Authenticate button, you'll be prompted for a
+workgroup, username, and password, as shown in <a href="ch05.html#samba2-CHP-5-FIG-7">Figure 5-7</a>. You'll also see this dialog
+if you provide a share name in the URI, but not a username and
+password.<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a></p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-7"/><img src="figs/sam2_0507.gif"/></div><h4 class="head4">Figure 5-7. Client authentication</h4>
+
+<p>As usual for Mac OS X, shares are mounted under
+<em class="filename">/Volumes</em>, but show up in the root of the Finder
+hierarchy.</p>
+
+<p>If you have a WINS server on your network, you can provide the
+server's IP address in the Directory Access
+application, or by using the <tt class="literal">wins</tt>
+<tt class="literal">server</tt> parameter in
+<em class="filename">/etc/smb.conf</em>.</p>
+
+<p>If you don't know the name of a server to which you
+wish to connect, you can look for it in the browse list, using the
+graphical frontend to the <em class="emphasis">nmblookup</em> command
+provided with Samba. Click the downward-pointing arrow in the Connect
+to Server . . . dialog box to show a hierarchical, column-based view
+of available workgroups and servers, similar to that shown in <a href="ch05.html#samba2-CHP-5-FIG-8">Figure 5-8</a>. If your client is also acting as an SMB file
+server, it won't show up in its own browse
+list.<a name="INDEX-80"/></p>
+
+<div class="figure"><a name="samba2-CHP-5-FIG-8"/><a name="INDEX-81"/><img src="figs/sam2_0508.gif"/></div><h4 class="head4">Figure 5-8. Browsing the network</h4>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> An alternative to extracting
+the tar archive directly to the SMB share is to use the Unix
+system's <em class="emphasis">tar</em> command to extract
+it to a directory on the Unix server, then copy the desired file(s)
+to a shared directory. This allows a greater amount of control over
+the restoration process, as when correcting for an accidental file
+deletion or reverting a set of files to a previous condition.</p>
+<a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Samba Versions
+2.2.4 and later have support for Unix CIFS extensions developed by
+Hewlett-Packard, which add full support for Unix ownership, group,
+and permissions in smbfs filesystems when shared between two Samba
+systems. You will also need a recent version of smbfs in your Linux
+kernel.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> At the
+time of this writing, <em class="emphasis">smbsh</em> does not work on
+HP/UX or Linux. However, Linux support might return in the
+future.</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> If you've previously
+stored your authentication information in a Keychain, you will
+instead be prompted for your Keychain password.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch06.html b/docs/htmldocs/using_samba/ch06.html
new file mode 100644
index 0000000000..a507b7c9d9
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch06.html
@@ -0,0 +1,2727 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 6. The Samba Configuration File</h1>
+
+
+<p><a name="INDEX-1"/>In
+previous chapters, we showed you how to install Samba on a Unix
+server and set up Windows clients to use a simple disk share. This
+chapter will show you how Samba can assume more productive roles on
+your network.</p>
+
+<p>Samba's daemons, <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em>, are controlled through a single ASCII
+file, <em class="filename">smb.conf</em>, that can contain over 300 unique
+options (also called parameters). Some of these options you will use
+and change frequently; others you might never use, depending on how
+much functionality you want Samba to offer its clients.</p>
+
+<p>This chapter introduces the structure of the Samba configuration file
+and shows you how to use options to create and modify disk shares.
+Subsequent chapters will discuss browsing, how to configure users,
+security, printing, and other topics related to implementing Samba on
+your network.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-1"/>
+
+<h2 class="head1">The Samba Configuration File</h2>
+
+<p>The Samba configuration file, called <em class="filename">smb.conf</em> by
+default, uses the same format as Windows
+<em class="filename">.ini</em><a name="INDEX-2"/><a name="INDEX-3"/> files. If you have ever worked with a
+<em class="filename">.ini</em> file, you will find
+<em class="filename">smb.conf</em> easy to create and modify. Even if you
+haven't, you will find the format to be simple and
+easy to learn. Here is an example of a Samba
+<a name="INDEX-4"/>configuration
+file:</p>
+
+<blockquote><pre class="code">[global]
+    workgroup = METRAN
+    encrypt passwords = yes
+    wins support = yes
+    log level = 1 
+    max log size = 1000
+    read only = no
+[homes] 
+    browsable = no
+    map archive = yes
+[printers] 
+    path = /var/tmp
+    printable = yes
+    min print space = 2000
+[test]
+    browsable = yes
+    read only = yes
+    path = /usr/local/samba/tmp</pre></blockquote>
+
+<p>This configuration file is based on the one we created in <a href="ch02.html">Chapter 2</a> and sets up a workgroup in which Samba
+authenticates users using encrypted passwords and the default
+user-level security method. Samba is providing WINS name server
+support. We've configured very basic event logging
+to use a log file not to exceed 1MB in size. The
+<tt class="literal">[homes]</tt> share has been added to allow Samba to
+create a disk share for the home directory of each user who has a
+standard Unix account on the server. In addition, each printer
+registered on the server will be publicly available, as will a single
+read-only share that maps to the
+<em class="filename">/usr/local/samba/tmp</em> directory.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-1.1"/>
+
+<h3 class="head2">Configuration File Structure</h3>
+
+<p><a name="INDEX-5"/>Let's take another
+look at this configuration file, this time from a higher level:</p>
+
+<blockquote><pre class="code">[global] 
+    ...
+[homes] 
+    ...
+[printers] 
+    ...
+[test] 
+    ...</pre></blockquote>
+
+<p><a name="INDEX-6"/><a name="INDEX-7"/>The
+names inside the square brackets delineate unique
+<em class="firstterm">sections</em> of the <em class="filename">smb.conf</em>
+file; each section names the share (or service) to which the section
+refers. For example, the <tt class="literal">[test]</tt> and
+<tt class="literal">[homes]</tt> sections are unique disk shares; they
+contain options that map to specific directories on the Samba server.
+The <tt class="literal">[printers]</tt> share contains options that map to
+various printers on the server. All the sections defined in the
+<em class="filename">smb.conf</em> file, with the exception of the
+<tt class="literal">[global]</tt> section, will be available as a disk or
+printer share to clients connecting to the Samba server.</p>
+
+<p>The remaining lines are individual configuration options for that
+share. These options will continue until a new section is encountered
+or until the end of the file is reached. Each configuration option
+follows a simple format:</p>
+
+<blockquote><pre class="code"><em class="replaceable">option</em> = <em class="replaceable">value</em></pre></blockquote>
+
+<p><a name="INDEX-8"/>Options in
+the <em class="filename">smb.conf</em> file are set by assigning a value
+to them. We should warn you up front that some of the option names in
+Samba are poorly chosen. For example, <tt class="literal">read</tt>
+<tt class="literal">only</tt> is self-explanatory and is typical of many
+recent Samba options. The <tt class="literal">public</tt> option is an
+older option and is vague. It now has a less-confusing synonym
+<tt class="literal">guest</tt> <tt class="literal">ok</tt> (meaning it can be
+accessed by guests). <em class="emphasis">Appendix B</em> contains an
+alphabetical index of all the configuration options and their
+meanings.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.1"/>
+
+<h3 class="head3">Whitespace, quotes, and commas</h3>
+
+<p>An important item to remember about configuration options is that all
+whitespace within the <em class="replaceable">value</em> is
+significant. For example, consider the following option:</p>
+
+<blockquote><pre class="code">volume = The Big Bad Hard Drive Number 3543</pre></blockquote>
+
+<p>Samba strips away the spaces up to the first <tt class="literal">T</tt> in
+<tt class="literal">The</tt>. These whitespaces are insignificant. The rest
+of the whitespaces are significant and will be recognized and
+preserved by Samba when reading in the file. Space is not significant
+in option names (such as <tt class="literal">read</tt>
+<tt class="literal">only</tt>), but we recommend you follow convention and
+keep spaces between the words of options.</p>
+
+<p>If you feel safer including quotation marks at the beginning and end
+of a configuration option's value, you can do so.
+Samba will ignore these quotation marks when it encounters them.
+Never use quotation marks around an option name; Samba will treat
+this as an error.</p>
+
+<p>Usually, you can use whitespaces or commas to separate a series of
+values in a list. These two options are equivalent:</p>
+
+<blockquote><pre class="code">netbios aliases = sales, accounting, payroll
+netbios aliases = sales accounting payroll</pre></blockquote>
+
+<p>In some cases, you must use one form of separation&mdash;sometimes
+spaces are required, and sometimes commas.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.2"/>
+
+<h3 class="head3">Capitalization</h3>
+
+<p><a name="INDEX-9"/>Capitalization
+is not important in the Samba configuration file except in locations
+where it would confuse the underlying operating system. For example,
+let's assume that you included the following option
+in a share that pointed to <em class="filename">/export/samba/simple
+</em>:</p>
+
+<blockquote><pre class="code">PATH = /EXPORT/SAMBA/SIMPLE</pre></blockquote>
+
+<p>Samba would have no problem with the <tt class="literal">path</tt>
+configuration option appearing entirely in capital letters. However,
+when it tries to connect to the given directory, it would be
+unsuccessful because the Unix filesystem <em class="emphasis">is</em>
+case-sensitive. Consequently, the path listed would not be found, and
+clients could not connect to the share.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.3"/>
+
+<h3 class="head3">Line continuation</h3>
+
+<p><a name="INDEX-10"/>You can continue a line in the
+Samba configuration file using the backslash, like this:</p>
+
+<blockquote><pre class="code">comment = The first share that has the primary copies \
+          of the new Teamworks software product.</pre></blockquote>
+
+<p>Because of the backslash, these two lines will be treated as one line
+by Samba. The second line begins at the first nonwhitespace character
+that Samba encounters; in this case, the <tt class="literal">o</tt> in
+<tt class="literal">of</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.4"/>
+
+<h3 class="head3">Comments</h3>
+
+<p><a name="INDEX-11"/>You can
+insert comments in the <em class="filename">smb.conf</em> configuration
+file by starting a line with either a hash (<tt class="literal">#</tt>) or
+a semicolon ( <tt class="literal">;</tt> ). For this purpose, both
+characters are equivalent. For example, the first three lines in the
+following example would be considered comments:</p>
+
+<blockquote><pre class="code">#  This is the printers section. We have given a minimum print 
+;  space of 2000 to prevent some errors that we've seen when
+;  the spooler runs out of space.
+
+[printers] 
+    public = yes
+    min print space = 2000</pre></blockquote>
+
+<p>Samba will ignore all comment lines in its configuration file; there
+are no limitations to what can be placed on a comment line after the
+initial hash mark or semicolon. Note that the line continuation
+character (<tt class="literal">\</tt>) will <em class="emphasis">not</em> be
+honored on a commented line. Like the rest of the line, it is
+ignored.</p>
+<a name="samba2-CHP-6-NOTE-128"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Samba does not allow mixing of comment lines and parameters. Be
+careful not to put comments on the same line as anything else, such
+as:</p>
+
+
+<blockquote><pre class="code">path = /d # server's data partition</pre></blockquote>
+
+
+<p>Errors such as this, where the parameter value is defined with a
+string, can be tricky to notice. The <em class="emphasis">testparm</em>
+program won't complain, and the only clues
+you'll receive are that
+<em class="emphasis">testparm</em> reports the <tt class="literal">path</tt>
+parameter set to <tt class="literal">/d # server's data partition</tt>, and
+the failures that result when clients attempt to access the share.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.5"/>
+
+<h3 class="head3">Changes at runtime</h3>
+
+<p><a name="INDEX-12"/>You can modify the
+<em class="filename">smb.conf</em> configuration file and any of its
+options at any time while the Samba daemons are running. By default,
+Samba checks the configuration file every 60 seconds. If it finds any
+changes, they are immediately put into effect.</p>
+
+<a name="samba2-CHP-6-NOTE-129"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Having Samba check the configuration file automatically can be
+convenient, but it also means that if you edit
+<em class="filename">smb.conf</em> directly, you might be immediately
+changing your network's <a name="INDEX-13"/>configuration every time you save the
+file. If you're making anything more than a minor
+change, it may be wiser to copy <em class="filename">smb.conf</em> to a
+temporary file, edit that, run <tt class="literal">testparm</tt>
+<em class="replaceable">filename</em> to check it, and then copy the
+temporary file back to <em class="filename">smb.conf</em>. That way, you
+can be sure to put all your changes into effect at once, and only
+after you are confident that you have created the exact configuration
+you wish to implement.</p>
+</blockquote>
+
+<p>If you don't want to wait for the configuration file
+to be reloaded automatically, you can force a reload either by
+sending a hangup signal to the <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em> processes or simply by restarting the
+daemons. Actually, it can be a good idea to restart the daemons
+because it forces the clients to disconnect and reconnect, ensuring
+that the new configuration is applied to all clients. We showed you
+how to restart the daemons in <a href="ch02.html">Chapter 2</a>, and
+sending them a hangup (HUP) signal is very similar. On Linux, it can
+be done with the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>killall -HUP smbd nmbd</b></tt></pre></blockquote>
+
+<p>In this case, not all changes will be immediately recognized by
+clients. For example, changes to a share that is currently in use
+will not be registered until the client disconnects and reconnects to
+that share. In addition, server-specific parameters such as the
+workgroup or NetBIOS name of the server will not go into effect
+immediately either. (This behavior was implemented intentionally
+because it keeps active clients from being suddenly disconnected or
+encountering unexpected access problems while a session is open.)
+<a name="INDEX-14"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-1.2"/>
+
+<h3 class="head2">Variables</h3>
+
+<p><a name="INDEX-15"/>Because a
+new copy of the<em class="filename"> </em><em class="emphasis">smbd</em> daemon
+is created for each connecting client, it is possible for each client
+to have its own customized configuration file. Samba allows a
+limited, yet useful, form of variable substitution in the
+configuration file to allow information about the Samba server and
+the client to be included in the configuration at the time the client
+connects. Inside the configuration file, a variable begins with a
+percent sign (<tt class="literal">%</tt>), followed by a single upper- or
+lowercase letter, and can be used only on the right side of a
+configuration option (i.e., after the equal sign). An example is:</p>
+
+<blockquote><pre class="code">[pub]
+    path = /home/ftp/pub/%a</pre></blockquote>
+
+<p>The <tt class="literal">%a</tt><a name="INDEX-16"/> stands for the client
+system's architecture and will be replaced as shown
+in <a href="ch06.html#samba2-CHP-6-TABLE-1">Table 6-1</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-1"/><h4 class="head4">Table 6-1. %a substitution</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Client operating system
+(&quot;architecture&quot;)</p>
+</th>
+<th>
+<p>Replacement string</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Windows for Workgroups</p>
+</td>
+<td>
+<p><tt class="literal">WfWg</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95 and Windows 98</p>
+</td>
+<td>
+<p><tt class="literal">Win95</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT</p>
+</td>
+<td>
+<p><tt class="literal">WinNT</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 2000 and Windows XP</p>
+</td>
+<td>
+<p><tt class="literal">Win2K</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Samba</p>
+</td>
+<td>
+<p><tt class="literal">Samba</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Any OS not listed earlier</p>
+</td>
+<td>
+<p><tt class="literal">UNKNOWN</tt></p>
+</td>
+</tr>
+
+</table>
+
+<p>In this example, Samba will assign a unique path for the
+<tt class="literal">[pub]</tt> share to client systems based on what
+operating system they are running. The paths that each client would
+see as its share differ according to the client's
+architecture:</p>
+
+<blockquote><pre class="code">/home/ftp/pub/WfwG
+/home/ftp/pub/Win95
+/home/ftp/pub/WinNT
+/home/ftp/pub/Win2K
+/home/ftp/pub/Samba
+/home/ftp/pub/UNKNOWN</pre></blockquote>
+
+<p>Using variables in this manner comes in handy if you wish to have
+different users run custom configurations based on their own unique
+characteristics or conditions.
+<a name="INDEX-17"/><a name="INDEX-18"/>Samba
+has 20 variables, as shown in <a href="ch06.html#samba2-CHP-6-TABLE-2">Table 6-2</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-2"/><h4 class="head4">Table 6-2. Samba variables</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Variable</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><b class="emphasis-bold">Client variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%a</tt><a name="INDEX-19"/></p>
+</td>
+<td>
+<p>Client's architecture (see <a href="ch06.html#samba2-CHP-6-TABLE-1">Table 6-1</a>)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%I</tt><a name="INDEX-20"/></p>
+</td>
+<td>
+<p>Client's IP address (e.g., 172.16.1.2)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%m</tt><a name="INDEX-21"/></p>
+</td>
+<td>
+<p>Client's NetBIOS name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%M</tt><a name="INDEX-22"/></p>
+</td>
+<td>
+<p>Client's DNS name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b class="emphasis-bold">User variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%u</tt><a name="INDEX-23"/></p>
+</td>
+<td>
+<p>Current Unix username</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%U</tt><a name="INDEX-24"/></p>
+</td>
+<td>
+<p>Requested client username (not always used by Samba)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%H</tt><a name="INDEX-25"/></p>
+</td>
+<td>
+<p>Home directory of <tt class="literal">%u</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%g</tt><a name="INDEX-26"/></p>
+</td>
+<td>
+<p>Primary group of <tt class="literal">%u</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%G</tt><a name="INDEX-27"/></p>
+</td>
+<td>
+<p>Primary group of <tt class="literal">%U</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b class="emphasis-bold">Share variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%S</tt><a name="INDEX-28"/></p>
+</td>
+<td>
+<p>Current share's name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%P</tt><a name="INDEX-29"/></p>
+</td>
+<td>
+<p>Current share's root directory</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%p</tt><a name="INDEX-30"/></p>
+</td>
+<td>
+<p>Automounter's path to the share's
+root directory, if different from <tt class="literal">%P</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b class="emphasis-bold">Server variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%d</tt><a name="INDEX-31"/></p>
+</td>
+<td>
+<p>Current server process ID</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%h</tt><a name="INDEX-32"/></p>
+</td>
+<td>
+<p>Samba server's DNS hostname</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%L</tt><a name="INDEX-33"/></p>
+</td>
+<td>
+<p>Samba server's NetBIOS name</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%N</tt><a name="INDEX-34"/></p>
+</td>
+<td>
+<p>Home directory server, from the automount map</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%v</tt><a name="INDEX-35"/></p>
+</td>
+<td>
+<p>Samba version</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><b class="emphasis-bold">Miscellaneous variables</b></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%R</tt><a name="INDEX-36"/></p>
+</td>
+<td>
+<p>The SMB protocol level that was negotiated</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%T</tt><a name="INDEX-37"/></p>
+</td>
+<td>
+<p>The current date and time</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><a name="INDEX-38"/>%$<em class="replaceable">var</em></p>
+</td>
+<td>
+<p>The value of environment variable <tt class="literal">var</tt></p>
+</td>
+</tr>
+
+</table>
+
+<p>Here's another example of using
+<a name="INDEX-39"/><a name="INDEX-40"/><a name="INDEX-41"/>variables: let's say there
+are five clients on your network, but one client,
+<tt class="literal">maya</tt>, requires a slightly different
+<tt class="literal">[homes]</tt> configuration. With Samba,
+it's simple to handle this:</p>
+
+<blockquote><pre class="code">[homes] 
+    ...
+    include = /usr/local/samba/lib/smb.conf.%m
+    ...</pre></blockquote>
+
+<p>The <tt class="literal">include</tt> option here causes a separate
+configuration file for each particular NetBIOS machine
+(<tt class="literal">%m</tt>) to be read in addition to the current file.
+If the hostname of the client system is <tt class="literal">maya</tt>, and
+if a <em class="filename">smb.conf.maya</em> file exists in the
+<em class="filename">/usr/local/samba/lib</em> directory, Samba will
+insert that configuration file into the default one. If any
+configuration options are restated in
+<em class="filename">smb.conf.maya</em>, those values will override any
+options previously encountered in that share. Note that we say
+&quot;previously.&quot; If any options are
+restated in the main configuration file after the
+<tt class="literal">include</tt> option, Samba will honor those restated
+values for the share in which they are defined.</p>
+
+<p>If the file specified by the <tt class="literal">include</tt> parameter
+does not exist, Samba will not generate an error. In fact, it
+won't do anything at all. This allows you to create
+only one extra configuration file for <tt class="literal">maya</tt> when
+using this strategy, instead of one for each client that is on the
+network.</p>
+
+<p>Client-specific configuration files can be used to customize
+particular clients. They also can be used to make debugging Samba
+easier. For example, if we have one client with a problem, we can use
+this approach to give it a private log file with a more verbose
+logging level. This allows us to see what Samba is doing without
+slowing down all the other clients or overflowing the disk with
+useless logs.</p>
+
+<p>You can use the variables in <a href="ch06.html#samba2-CHP-6-TABLE-2">Table 6-2</a> to give
+custom values to a variety of Samba options. We will highlight
+several of these options as we move through the next few chapters.
+<a name="INDEX-42"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-2"/>
+
+<h2 class="head1">Special Sections</h2>
+
+<p>Now that we've gotten our feet wet with variables,
+there are a few special sections of the Samba configuration file that
+we should talk about. Again, don't worry if you do
+not understand every configuration option listed here;
+we'll go over each of them in the upcoming chapters.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-2.1"/>
+
+<h3 class="head2">The [ global] Section</h3>
+
+<p>The <tt class="literal">[global]</tt><a name="INDEX-43"/><a name="INDEX-44"/> section appears in virtually
+every Samba configuration file, even though it is not mandatory.
+There are two purposes for the <tt class="literal">[global]</tt> section.
+Server-wide settings are defined here, and any options that apply to
+shares will be used as a default in all share definitions, unless
+overridden within the share definition.</p>
+
+<p>To illustrate this, let's again look at the example
+at the beginning of the chapter:</p>
+
+<blockquote><pre class="code">[global]
+    workgroup = METRAN
+    encrypt passwords = yes
+    wins support = yes
+    log level = 1 
+    max log size = 1000
+    read only = no
+[homes] 
+    browsable = no
+    map archive = yes
+[printers] 
+    path = /var/tmp
+    printable = yes
+    min print space = 2000
+[test]
+    browsable = yes
+    read only = yes
+    path = /usr/local/samba/tmp</pre></blockquote>
+
+<p>When a client connects to the <tt class="literal">[test]</tt> share, Samba
+first reads the <tt class="literal">[global]</tt> section and sets the
+option <tt class="literal">read</tt> <tt class="literal">only</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> as the global default for
+each share it encounters throughout the configuration file. This
+includes the <tt class="literal">[homes]</tt> and <tt class="literal">[test]</tt>
+shares. When it reads the definition of the <tt class="literal">[test]</tt>
+share, it then finds the configuration option <tt class="literal">read</tt>
+<tt class="literal">only</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt>
+and overrides the default from the <tt class="literal">[global]</tt>
+section with the value <tt class="literal">yes</tt>.</p>
+
+<p>Any option that appears before the first marked section is assumed to
+be a global option. This means that the <tt class="literal">[global]</tt>
+section heading is not absolutely required; however, we suggest you
+always include it for clarity and to ensure future compatibility.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-2.2"/>
+
+<h3 class="head2">The [ homes] Section</h3>
+
+<p>If a client attempts to connect to a share that
+doesn't appear in the <em class="filename">smb.conf</em>
+file, Samba will search for a
+<tt class="literal">[homes]</tt><a name="INDEX-45"/><a name="INDEX-46"/> share in the
+configuration file. If a <tt class="literal">[homes]</tt> share exists, the
+unresolved share name is assumed to be a Unix username. If that
+username appears in the password database on the Samba server, Samba
+assumes the client is a Unix user trying to connect to her home
+directory on the server.</p>
+
+<p>For example, assume a client system is connecting to the Samba server
+<tt class="literal">toltec</tt> for the first time and tries to connect to
+a share named <tt class="literal">[alice]</tt>. There is no
+<tt class="literal">[alice]</tt> share defined in the
+<em class="filename">smb.conf</em> file, but there is a
+<tt class="literal">[homes]</tt>, so Samba searches the password database
+file and finds an <tt class="literal">alice</tt> user account is present on
+the system. Samba then checks the password provided by the client
+against user <tt class="literal">alice</tt>'s Unix
+password&mdash;either with the password database file if
+it's using nonencrypted passwords or with
+Samba's <em class="filename">smbpasswd</em> file if
+encrypted passwords are in use. If the passwords match, Samba knows
+it has guessed right: the user <tt class="literal">alice</tt> is trying to
+connect to her home directory. Samba will then create a share called
+<tt class="literal">[alice]</tt> for her, with the share's
+path set to <tt class="literal">alice</tt>'s home
+directory.</p>
+
+<p>The process of using the <tt class="literal">[homes]</tt> section to create
+users (and dealing with their passwords) is discussed in more detail
+in <a href="ch09.html">Chapter 9</a>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-2.3"/>
+
+<h3 class="head2">The [printers] Section</h3>
+
+<p>The third special section is called
+<tt class="literal">[printers]</tt><a name="INDEX-47"/><a name="INDEX-48"/> and is similar to
+<tt class="literal">[homes]</tt>. If a client attempts to connect to a
+share that isn't in the
+<em class="filename">smb.conf</em> file and its name
+can't be found in the password file, Samba will
+check to see if it is a printer share. Samba does this by reading the
+printer capabilities file (usually
+<em class="filename">/etc/printcap</em>) to see if the share name appears
+there.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> If it does, Samba creates a share named after the
+printer.</p>
+
+<p>This means that as with <tt class="literal">[homes]</tt>, you
+don't have to maintain a share for each system
+printer in the <em class="filename">smb.conf</em> file. Instead, Samba
+honors the Unix printer registry if you ask it to, and it provides
+the registered printers to the client systems. However, there is a
+potential difficulty: if you have an account named
+<tt class="literal">fred</tt> and a printer named <tt class="literal">fred</tt>,
+Samba will always find the user account first, even if the client
+really needed to connect to the printer.</p>
+
+<p>The process of setting up the <tt class="literal">[printers]</tt> share is
+discussed in more detail in <a href="ch10.html">Chapter 10</a>.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-3"/>
+
+<h2 class="head1">Configuration Options</h2>
+
+<p><a name="INDEX-49"/>Options in
+the Samba configuration files fall into one of two categories:
+<em class="firstterm">global</em> options or <em class="firstterm">share</em>
+options. Each category dictates where an option can appear in the
+configuration file.</p>
+
+<dl>
+<dt><b>Global options</b></dt>
+<dd>
+<p>Global options must appear in the <tt class="literal">[global]</tt> section
+and nowhere else. These are options that typically apply to the
+behavior of the Samba server itself and not to any of its shares.</p>
+</dd>
+
+
+
+<dt><b>Share options</b></dt>
+<dd>
+<p>Share options can appear in share definitions, the
+<tt class="literal">[global]</tt> section, or both. If they appear in the
+<tt class="literal">[global]</tt> section, they will define a default
+behavior for all shares unless a share overrides the option with a
+value of its own.</p>
+</dd>
+
+</dl>
+
+<p>In addition, configuration options can take three kinds of values.
+They are as follows:</p>
+
+<dl>
+<dt><b>Boolean</b></dt>
+<dd>
+<p>These are simply yes or no values, but can be represented by any of
+the following: <tt class="literal">yes</tt>, <tt class="literal">no</tt>,
+<tt class="literal">true</tt>, <tt class="literal">false</tt>,
+<tt class="literal">1</tt>, or <tt class="literal">0</tt>. The values are
+case-insensitive: <tt class="literal">YES</tt> is the same as
+<tt class="literal">yes</tt>.</p>
+</dd>
+
+
+
+<dt><b>Numeric</b></dt>
+<dd>
+<p>This is a decimal, hexadecimal, or octal number. The standard
+<tt class="literal">0x</tt><em class="emphasis">nn</em> syntax is used for
+hexadecimal and <tt class="literal">0</tt><em class="emphasis">nnn</em> for
+octal.</p>
+</dd>
+
+
+
+<dt><b>String</b></dt>
+<dd>
+<p>This is a string of case-sensitive characters, such as a filename or
+a username.</p>
+</dd>
+
+</dl>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-3.1"/>
+
+<h3 class="head2">Configuration File Options</h3>
+
+<p>You can instruct Samba to include or replace configuration options as
+it is processing them. The options to do this are summarized in <a href="ch06.html#samba2-CHP-6-TABLE-3">Table 6-3</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-3"/><h4 class="head4">Table 6-3. Configuration file options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">config</tt> <tt class="literal">file</tt></p>
+</td>
+<td>
+<p>string (name of file)</p>
+</td>
+<td>
+<p>Sets the location of a configuration file to use instead of the
+current one</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">include</tt></p>
+</td>
+<td>
+<p>string (name of file)</p>
+</td>
+<td>
+<p>Specifies an additional set of configuration options to be included
+in the configuration file</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">copy</tt></p>
+</td>
+<td>
+<p>string (name of share)</p>
+</td>
+<td>
+<p>Allows you to clone the configuration options of another share in the
+current share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.1"/>
+
+<h3 class="head3">config file</h3>
+
+<p>The global <tt class="literal">config</tt><a name="INDEX-50"/> <tt class="literal">file</tt>
+option specifies a replacement configuration file that will be loaded
+when the option is encountered. If the target file exists, the
+remainder of the current configuration file, as well as the options
+encountered so far, will be discarded, and Samba will configure
+itself entirely with the options in the new file. Variables can be
+used with the <tt class="literal">config</tt> <tt class="literal">file</tt>
+option, which is useful in the event that you want to use a special
+configuration file based on the NetBIOS machine name or user of the
+client that is connecting.</p>
+
+<p>For example, the following line instructs Samba to use a
+configuration file specified by the NetBIOS name of the client
+connecting, if such a file exists. If it does, options specified in
+the original configuration file are ignored:</p>
+
+<blockquote><pre class="code">[global]
+    config file = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
+
+<p>If the configuration file specified does not exist, the option is
+ignored, and Samba will continue to configure itself based on the
+current file. This allows a default configuration file to serve most
+clients, while providing for exceptions with customized configuration
+files.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.2"/>
+
+<h3 class="head3">include</h3>
+
+<p>This <a name="INDEX-51"/>option, discussed in greater detail
+earlier, copies the target file into the current configuration file
+at the point specified, as shown in <a href="ch06.html#samba2-CHP-6-FIG-1">Figure 6-1</a>.
+This option also can be used with variables. You can use this option
+as follows:</p>
+
+<blockquote><pre class="code">[global]
+    include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
+
+<p>If the configuration file specified does not exist, the option is
+ignored. Options in the include file override any option specified
+previously, but not options that are specified later. In <a href="ch06.html#samba2-CHP-6-FIG-1">Figure 6-1</a>, all three options will override their
+previous values.</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-1"/><img src="figs/sam2_0601.gif"/></div><h4 class="head4">Figure 6-1. The include option in a Samba configuration file</h4>
+
+<p>The <tt class="literal">include</tt> option does not work with the
+variables <tt class="literal">%u</tt> (user), <tt class="literal">%P</tt>
+(current share's root directory), or
+<tt class="literal">%S</tt> (current share's name) because
+they are not set at the time the <tt class="literal">include</tt> parameter
+is processed.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.3"/>
+
+<h3 class="head3">copy</h3>
+
+<p>The <tt class="literal">copy</tt><a name="INDEX-52"/> configuration option allows you to clone
+the configuration options of the share name that you specify in the
+current share. The target share must appear earlier in the
+configuration file than the share that is performing the copy. For
+example:</p>
+
+<blockquote><pre class="code">[template]
+    writable = yes
+    browsable = yes
+    valid users = andy, dave, jay
+
+[data]
+    path = /usr/local/samba
+    copy = template</pre></blockquote>
+
+<p>Note that any options in the share that invoked the
+<tt class="literal">copy</tt> directive will override those in the cloned
+share; it does not matter whether they appear before or after the
+<tt class="literal">copy</tt> directive. <a name="INDEX-53"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-4"/>
+
+<h2 class="head1">Server Configuration</h2>
+
+<p><a name="INDEX-54"/>We will now start from
+scratch and build a configuration file for our Samba server. First we
+will introduce three basic configuration options that can appear in
+the <tt class="literal">[global]</tt> section of the
+<em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[global]
+    #  Server configuration parameters
+    netbios name = toltec
+    server string = Samba %v on %L
+    workgroup = METRAN
+    encrypt passwords = yes</pre></blockquote>
+
+<p>This configuration file is pretty simple; it advertises the Samba
+server under the NetBIOS name <tt class="literal">toltec</tt>. In addition,
+it places the system in the METRAN workgroup and displays a
+description to clients that includes the Samba version number, as
+well as the NetBIOS name of the Samba server.</p>
+
+<a name="samba2-CHP-6-NOTE-130"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you used the line <tt class="literal">encrypt passwords = yes</tt> in
+your earlier configuration file, you should do so here as well.</p>
+</blockquote>
+
+<p>If you like, you can go ahead and try this configuration file. Create
+a file named <em class="filename">smb.conf</em> under the
+<em class="filename">/usr/local/samba/lib</em> directory with the text
+listed earlier. Then restart the Samba server and use a Windows
+client to verify the results. Be sure that your Windows clients are
+in the METRAN workgroup as well. After double-clicking the Network
+Neighborhood on a Windows client, you should see a window similar to
+<a href="ch06.html#samba2-CHP-6-FIG-2">Figure 6-2</a>. (In this figure,
+<tt class="literal">Mixtec</tt> is another Samba server,
+<tt class="literal">a</tt>nd <tt class="literal">Zapotec</tt> is a Windows
+client.)</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-2"/><img src="figs/sam2_0602.gif"/></div><h4 class="head4">Figure 6-2. Network Neighborhood showing Toltec, the Samba server</h4>
+
+<p>You can verify the <tt class="literal">server</tt>
+<tt class="literal">string</tt> by listing the details of the Network
+Neighborhood window (select Details in the View menu). You should see
+a window similar to <a href="ch06.html#samba2-CHP-6-FIG-3">Figure 6-3</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-3"/><img src="figs/sam2_0603.gif"/></div><h4 class="head4">Figure 6-3. Network Neighborhood details listing</h4>
+
+<p>If you were to click the <em class="filename">toltec</em> icon, a window
+should appear that shows the services that it provides. In this case,
+the window would be completely empty because there are no shares on
+the server yet.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-4.1"/>
+
+<h3 class="head2">Server Configuration Options</h3>
+
+<p><a href="ch06.html#samba2-CHP-6-TABLE-4">Table 6-4</a> summarizes the server configuration
+options introduced previously. All three of these options are global
+in scope, so they must appear in the <tt class="literal">[global]</tt>
+section of the configuration file.<a name="INDEX-55"/></p>
+
+<a name="samba2-CHP-6-TABLE-4"/><h4 class="head4">Table 6-4. Server configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">netbios</tt> <tt class="literal">name</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>NetBIOS name of the Samba server</p>
+</td>
+<td>
+<p>Server's unqualified DNS hostname</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">workgroup</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>NetBIOS group to which the server belongs</p>
+</td>
+<td>
+<p>Defined at compile time</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">server</tt> <tt class="literal">string</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Descriptive string for the Samba server</p>
+</td>
+<td>
+<p><tt class="literal">Samba %v</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.1"/>
+
+<h3 class="head3">netbios name</h3>
+
+<p>The <tt class="literal">netbios</tt><a name="INDEX-56"/> <tt class="literal">name</tt> option
+allows you to set the NetBIOS name of the server. For example:</p>
+
+<blockquote><pre class="code">netbios name = YORKVM1</pre></blockquote>
+
+<p>The default value for this configuration option is the
+server's hostname&mdash;that is, the first part of
+its fully qualified domain name. For example, a system with the DNS
+name <tt class="literal">ruby.ora.com</tt> would be given the NetBIOS name
+<tt class="literal">RUBY</tt> by default. While you can use this option to
+restate the system's NetBIOS name in the
+configuration file (as we did previously), it is more commonly used
+to assign the Samba server a NetBIOS name other than its current DNS
+name. Remember that the name given must follow the rules for valid
+NetBIOS machine names as outlined in <a href="ch01.html">Chapter 1</a>.</p>
+
+<p>Changing the NetBIOS name of the server is not recommended unless you
+have a good reason. One such reason might be if the hostname of the
+system is not unique because the LAN is divided over two or more DNS
+domains. For example, YORKVM1 is a good NetBIOS candidate for
+<tt class="literal">vm1.york.example.com</tt> to differentiate it from
+<tt class="literal">vm1.falkirk.example.com</tt>, which has the same
+hostname but resides in a different DNS domain.</p>
+
+<p>Another use of this option is for relocating SMB services from a dead
+or retired system. For example, if <tt class="literal">SALES</tt> is the
+SMB server for the department and it suddenly dies, you could
+immediately reset <tt class="literal">netbios</tt> <tt class="literal">name</tt>
+<tt class="literal">=</tt> <tt class="literal">SALES</tt> on a backup Samba
+server that's taking over for it. Users
+won't have to change their drive mappings to a
+different server; new connections to <tt class="literal">SALES</tt> will
+simply go to the new server.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.2"/>
+
+<h3 class="head3">workgroup</h3>
+
+<p>The <tt class="literal">workgroup</tt><a name="INDEX-57"/> parameter sets the
+current workgroup (or domain) in which the Samba server will
+advertise itself. Clients that wish to access shares on the Samba
+server should be in the same NetBIOS group. Remember that workgroups
+are really just NetBIOS group names and must follow the standard
+NetBIOS naming conventions outlined in <a href="ch01.html">Chapter 1</a>.</p>
+
+<p>The default option for this parameter is set at compile time to
+<tt class="literal">WORKGROUP</tt>. Because this is the default workgroup
+name of every unconfigured Windows and Samba system, we recommend
+that you always set your workgroup name in the Samba configuration
+file. When choosing your workgroup name, try to avoid making it the
+same name as a server or user. This will avoid possible problems with
+WINS name resolution.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.3"/>
+
+<h3 class="head3">server string</h3>
+
+<p>The <tt class="literal">server</tt><a name="INDEX-58"/> <tt class="literal">string</tt>
+parameter defines a comment string that will appear next to the
+server name in both the Network Neighborhood (when shown with the
+Details view) and the comment entry of the Microsoft Windows printer
+manager.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> </p>
+
+<p>You can use variables to provide
+information in the description. For example, our entry earlier was:</p>
+
+<blockquote><pre class="code">[global]
+    server string = Samba %v on (%h)</pre></blockquote>
+
+<p>The default for this option simply presents the current version of
+Samba and is equivalent to:</p>
+
+<a name="INDEX-59"/><blockquote><pre class="code">server string = Samba %v</pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-5"/>
+
+<h2 class="head1">Disk Share Configuration</h2>
+
+<p><a name="INDEX-60"/><a name="INDEX-61"/>We mentioned in the previous section that
+there were no disk shares on the <tt class="literal">toltec</tt> server.
+Let's continue building the configuration file and
+create an empty disk share called <tt class="literal">[data]</tt>. Here are
+the additions that will do it:</p>
+
+<blockquote><pre class="code">[data]
+    path = /export/samba/data
+    comment = Data Drive
+    volume = Sample-Data-Drive
+    writable = yes</pre></blockquote>
+
+<p>The <tt class="literal">[data]</tt> share is typical for a Samba disk
+share. The share maps to the directory <em class="filename">/export/samba/data
+</em>on the Samba server. We've also provided
+a comment that describes the share as a <tt class="literal">Data</tt>
+<tt class="literal">Drive</tt>, as well as a volume name for the share
+itself.</p>
+
+<p>Samba's default is to create a read-only share. As a
+result, the <tt class="literal">writable</tt> option needs to be explicitly
+set for each disk share you wish to make writable.</p>
+
+<p>We will also need to create the
+<em class="filename">/export/samba/data</em> directory on the Samba server
+with the following commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /export/samba/data</b></tt>
+# <tt class="userinput"><b>chmod 777 /export/samba/data</b></tt></pre></blockquote>
+
+<p>Now, if we connect to the <tt class="literal">toltec</tt> server again by
+double-clicking its icon in the Windows Network Neighborhood, we will
+see a single share entitled <tt class="literal">data</tt>, as shown in
+<a href="ch06.html#samba2-CHP-6-FIG-4">Figure 6-4</a>. This share has read/write access, so
+files can be copied to or from it.</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-4"/><img src="figs/sam2_0604.gif"/></div><h4 class="head4">Figure 6-4. The initial data share on the Samba server</h4>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-5.1"/>
+
+<h3 class="head2">Disk Share Configuration Options</h3>
+
+<p>The basic Samba configuration options for disk shares previously
+introduced are listed in <a href="ch06.html#samba2-CHP-6-TABLE-5">Table 6-5</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-5"/><h4 class="head4">Table 6-5. Basic share configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">path</tt> <tt class="literal">(directory)</tt></p>
+</td>
+<td>
+<p>string (directory name)</p>
+</td>
+<td>
+<p>Sets the Unix directory that will be provided for a disk share or
+used for spooling by a printer share.</p>
+</td>
+<td>
+<p><tt class="literal">/tmp</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">comment</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Sets the comment that appears with the share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">volume</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Sets the MS-DOS volume name for the share.</p>
+</td>
+<td>
+<p>Share name</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">read only</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows read-only access to a share.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">writable</tt> <tt class="literal">(write ok or writeable)</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">no</tt>, allows read-only access to a share. If
+<tt class="literal">yes</tt>, both reading and writing are allowed.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.1"/>
+
+<h3 class="head3">path</h3>
+
+<p>This <a name="INDEX-63"/>option, which has the synonym
+<tt class="literal">directory</tt>, indicates the pathname for the root of
+the shared directory or printer. You can choose any directory on the
+Samba server, so long as the owner of the Samba process that is
+connecting has read and write access to that directory. If the path
+is for a printing share, it should point to a temporary directory
+where files can be written on the server before being spooled to the
+target printer ( <em class="filename"> /tmp</em> and
+<em class="filename">/var/spool</em> are popular choices). If this path is
+for a disk share, the contents of the folder representing the share
+name on the client will match the contents of the directory on the
+Samba server.</p>
+
+<p>The directory specified as the value for <tt class="literal">path</tt> can
+be given as a relative path, in which case it will be relative to the
+directory specified by the <tt class="literal">root</tt>
+<tt class="literal">directory</tt> parameter. Because
+<tt class="literal">root</tt> <tt class="literal">directory</tt> defaults to root
+(<em class="filename">/</em> ), it is generally a good idea to use
+absolute paths for the <tt class="literal">path</tt> parameter, unless
+<tt class="literal">root</tt> <tt class="literal">directory</tt> has been set to
+something other than the default.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.2"/>
+
+<h3 class="head3">comment</h3>
+
+<p>The <tt class="literal">comment</tt><a name="INDEX-64"/> option allows you to enter a
+comment that will be sent to the client when it attempts to browse
+the share. The user can see the comment by using the Details view on
+the share folder or with the <em class="emphasis">net view</em> command at
+an MS-DOS prompt. For example, here is how you might insert a comment
+for a share:</p>
+
+<blockquote><pre class="code">[network]
+    comment = Network Drive
+    path = /export/samba/network</pre></blockquote>
+
+<p>Be sure not to confuse the <tt class="literal">comment</tt> option, which
+documents a Samba server's shares, with the
+<tt class="literal">server</tt> <tt class="literal">string</tt> option, which
+documents the server itself.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.3"/>
+
+<h3 class="head3">volume</h3>
+
+<p>This <a name="INDEX-65"/>option allows you to specify the volume
+name of the share, which would otherwise default to the name of the
+share given in the <em class="filename">smb.conf</em> file.</p>
+
+<p>Some software installation programs check the volume name of the
+distribution CD-ROM to make sure the correct CD-ROM is in the drive
+before attempting to install from it. If you copy the contents of the
+CD-ROM into a network share and wish to install from there, you can
+use this option to make sure the installation program sees the
+correct volume name:</p>
+
+<blockquote><pre class="code">[network]
+    comment = Network Drive
+    volume = ASVP-102-RTYUIKA
+    path = /home/samba/network</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.4"/>
+
+<h3 class="head3">read only, writable</h3>
+
+<p>The options <tt class="literal">read</tt><a name="INDEX-66"/> <tt class="literal">only</tt>
+and <tt class="literal">writable</tt><a name="INDEX-67"/> (also called
+<tt class="literal">writeable</tt><a name="INDEX-68"/> or
+<tt class="literal">write</tt><a name="INDEX-69"/> <tt class="literal">ok</tt> ) are really two
+ways of saying the same thing, but they are approached from opposite
+ends. For example, you can set either of the following options in the
+<tt class="literal">[global]</tt> section or in an individual share:</p>
+
+<blockquote><pre class="code">read only = yes
+writable = no</pre></blockquote>
+
+<p>If either option is set as shown, data can be read from a share, but
+cannot be written to it. You might think you would need this option
+only if you were creating a read-only share. However, note that this
+read-only behavior is the <em class="emphasis">default</em> action for
+shares; if you want to be able to write data to a share, you must
+explicitly specify one of the following options in the configuration
+file for each share:</p>
+
+<blockquote><pre class="code">read only = no
+writable = yes</pre></blockquote>
+
+<p>If you specify more than one occurrence of either option, Samba will
+adhere to the last value it encounters for the share. <a name="INDEX-70"/><a name="INDEX-71"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-6"/>
+
+<h2 class="head1">Networking Options with Samba</h2>
+
+<p><a name="INDEX-72"/><a name="INDEX-73"/>If
+you're running <a name="INDEX-74"/><a name="INDEX-75"/>Samba on a multihomed
+system (on multiple subnets), you will need to configure Samba to use
+all the network interfaces. Another use for the options presented in
+this section is to implement better security by allowing or
+disallowing connections on the specified interfaces.</p>
+
+<p>Let's assume that our Samba server can access both
+the subnets 192.168.220.* and 134.213.233.*. Here are our additions
+to the configuration file to add the networking configuration
+options:</p>
+
+<blockquote><pre class="code">[global]
+    #  Networking configuration options
+    hosts allow = 192.168.220. 134.213.233.
+    hosts deny = 192.168.220.102
+    interfaces = 192.168.220.100/255.255.255.0 \
+                    134.213.233.110/255.255.255.0
+    bind interfaces only = yes</pre></blockquote>
+
+<p>Take a look at the <tt class="literal">hosts</tt><a name="INDEX-76"/> <tt class="literal">allow</tt>
+and <tt class="literal">hosts</tt><a name="INDEX-77"/> <tt class="literal">deny</tt> options. If these
+options sound familiar, you're probably thinking of
+the <em class="filename">hosts.allow</em> and
+<em class="filename">hosts.deny</em> files that are found in the
+<em class="filename">/etc</em> directories of many Unix systems. The
+purpose of these options is identical to those files; they provide a
+means of security by allowing or denying the connections of other
+hosts based on their IP addresses. We could use the
+<em class="filename">hosts.allow</em> and <em class="filename">hosts.deny</em>
+files, but we are using this method instead because there might be
+services on the server that we want others to access without also
+giving them access to Samba's disk or printer
+shares.</p>
+
+<p>With the <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option,
+we've specified a 192.168.220 IP address, which is
+equivalent to saying: &quot;All hosts on the 192.168.220
+subnet.&quot; However, we've explicitly
+specified in a <tt class="literal">hosts</tt> <tt class="literal">deny</tt> line
+that 192.168.220.102 is not to be allowed access.</p>
+
+<p>You might be wondering why 192.168.220.102 will be denied even though
+it is still in the subnet matched by the <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> option. It is important to understand how
+Samba sorts out the rules specified by <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> and <tt class="literal">hosts</tt> <tt class="literal">deny</tt>
+:</p>
+
+<ol><li>
+<p>If no <tt class="literal">allow</tt> or <tt class="literal">deny</tt> options are
+defined anywhere in <em class="filename">smb.conf</em>, Samba will allow
+connections from any system.</p>
+</li><li>
+<p>If <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options are defined
+in the <tt class="literal">[global]</tt> section of
+<em class="filename">smb.conf</em>, they will apply to all shares, even if
+either option is defined in one or more of the shares.</p>
+</li><li>
+<p>If only a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option is
+defined for a share, only the hosts listed will be allowed to use the
+share. All others will be denied.</p>
+</li><li>
+<p>If only a <tt class="literal">hosts</tt> <tt class="literal">deny</tt> option is
+defined for a share, any client which is not on the list will be able
+to use the share.</p>
+</li><li>
+<p>If both a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option are defined,
+a host must appear in the allow list and not appear in the deny list
+(in any form) to access the share. Otherwise, the host will not be
+allowed.</p>
+</li></ol><a name="samba2-CHP-6-NOTE-131"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Take care that you don't explicitly allow a host to
+access a share, but then deny access to the entire subnet of which
+the host is part.</p>
+</blockquote>
+
+<p>Let's look at another example of that final item.
+Consider the following options:</p>
+
+<blockquote><pre class="code">hosts allow = 111.222.
+hosts deny = 111.222.333.</pre></blockquote>
+
+<p>In this case, only the hosts that belong to the subnet 111.222.*.*
+will be allowed access to the Samba shares. However, if a client
+belongs to the 111.222.333.* subnet, it will be denied access, even
+though it still matches the qualifications outlined by
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt>. The client must
+appear on the <tt class="literal">hosts</tt> <tt class="literal">allow</tt> list
+and <em class="emphasis">must not</em> appear on the
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> list to gain access
+to a Samba share.</p>
+
+<p>The other two options that we've specified are
+<tt class="literal">interfaces</tt> and <tt class="literal">bind</tt>
+<tt class="literal">interface</tt> <tt class="literal">only</tt>.
+Let's look at the <tt class="literal">interfaces</tt>
+option first. Samba, by default, sends data only from the primary
+network interface, which in our example is the 192.168.220.100
+subnet. If we would like it to send data to more than that one
+interface, we need to specify the complete list with the
+<tt class="literal">interfaces</tt> option. In the previous example,
+we've bound Samba to interface with both subnets
+(192.168.220 and 134.213.233) on which the system is operating by
+specifying the other network interface address: 134.213.233.100. If
+you have more than one interface on your computer, you should always
+set this option, as there is no guarantee that the primary interface
+that Samba chooses will be the right one.</p>
+
+<p>Finally, the <tt class="literal">bind</tt> <tt class="literal">interfaces</tt>
+<tt class="literal">only</tt> option instructs the
+<em class="filename">nmbd</em> process not to accept any broadcast
+messages other than on the subnets specified with the
+<tt class="literal">interfaces</tt> option. This is different from the
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options, which
+prevent clients from making connections to services, but not from
+receiving broadcast messages. Using the <tt class="literal">bind</tt>
+<tt class="literal">interfaces</tt> <tt class="literal">only</tt> option is a way
+to shut out all datagrams from foreign subnets. In addition, it
+instructs the <em class="emphasis">smbd</em> process to bind to only the
+interface list given by the <em class="emphasis">interfaces</em> option.
+This restricts the networks that Samba will serve.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-6.1"/>
+
+<h3 class="head2">Networking Options</h3>
+
+<p>The networking options we introduced earlier are summarized in <a href="ch06.html#samba2-CHP-6-TABLE-6">Table 6-6</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-6"/><h4 class="head4">Table 6-6. Networking configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">hosts allow (allow</tt> <tt class="literal">hosts)</tt></p>
+</td>
+<td>
+<p>string (list of hostnames)</p>
+</td>
+<td>
+<p>Client systems that can connect to Samba.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">hosts deny (deny</tt> <tt class="literal">hosts)</tt></p>
+</td>
+<td>
+<p>string (list of hostnames)</p>
+</td>
+<td>
+<p>Client systems that cannot connect to Samba.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">interfaces</tt></p>
+</td>
+<td>
+<p>string (list of IP/netmask combinations)</p>
+</td>
+<td>
+<p>Network interfaces Samba will respond to. Allows correcting defaults.</p>
+</td>
+<td>
+<p>System-dependent</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">bind</tt></p>
+
+<p><tt class="literal">interfaces only</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, Samba will bind only to those
+interfaces specified by the <tt class="literal">interfaces</tt> option.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.1"/>
+
+<h3 class="head3">hosts allow</h3>
+
+<p>The <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option
+(sometimes written as <tt class="literal">allow</tt>
+<tt class="literal">hosts</tt>) specifies the clients that have permission
+to access shares on the Samba server, written as a comma- or
+space-separated list of hostnames of systems or their IP addresses.
+You can gain quite a bit of security by simply placing your
+LAN's subnet address in this option.</p>
+
+<p>You can specify any of the following formats for this option:</p>
+
+<ul><li>
+<p>Hostnames, such as <tt class="literal">ftp.example.com</tt> .</p>
+</li><li>
+<p>IP addresses, such as <tt class="literal">130.63.9.252</tt>.</p>
+</li><li>
+<p>Domain names, which can be differentiated from individual hostnames
+because they start with a dot. For example,
+<tt class="literal">.ora.com</tt> represents all systems within the
+<em class="emphasis">ora.com</em> domain.</p>
+</li><li>
+<p>Netgroups, which start with an at sign (<tt class="literal">@</tt>), such
+as <tt class="literal">@printerhosts</tt>. Netgroups are usually available
+only on systems running NIS or NIS+. If netgroups are supported on
+your system, there should be a <tt class="literal">netgroups</tt> manual
+page that describes them in more detail.</p>
+</li><li>
+<p>Subnets, which end with a dot. For example,
+<tt class="literal">130.63.9</tt>. means all the systems whose IP addresses
+begin with 130.63.9.</p>
+</li><li>
+<p>The keyword <tt class="literal">ALL</tt>, which allows any client access.</p>
+</li><li>
+<p>The keyword <tt class="literal">EXCEPT</tt> followed by one or more names,
+IP addresses, domain names, netgroups, or subnets. For example, you
+could specify that Samba allow all hosts except those on the
+192.168.110 subnet with <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> <tt class="literal">=</tt> <tt class="literal">ALL</tt>
+<tt class="literal">EXCEPT</tt> <tt class="literal">192.168.110</tt>. (remember
+to include the trailing dot).</p>
+</li></ul>
+<p>Using the <tt class="literal">ALL</tt> keyword by itself is almost always a
+bad idea because it means that crackers on any network can access
+your Samba server.</p>
+
+<p>The hostname <tt class="literal">localhost</tt>, for the loopback address
+127.0.0.1, is included in the <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> list by default and does not need to be
+listed explicitly unless you have specified the
+<tt class="literal">bind</tt> <tt class="literal">interfaces</tt>
+<tt class="literal">only</tt> parameter. This address is required for Samba
+to work properly.</p>
+
+<p>Other than that, there is no default value for the
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> configuration
+option. The default course of action in the event that neither the
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option is specified
+in <em class="filename">smb.conf</em> is to allow access from all sources.</p>
+
+<a name="samba2-CHP-6-NOTE-132"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you specify <tt class="literal">hosts allow</tt> in the
+<tt class="literal">[global]</tt> section, that definition will override
+any <tt class="literal">hosts allow</tt> lines in the share definitions.
+This is the opposite of the usual behavior, which is for parameters
+set in share definitions to override default values set in the
+<tt class="literal">[global]</tt> section.<a name="INDEX-78"/></p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.2"/>
+
+<h3 class="head3">hosts deny</h3>
+
+<p>The <tt class="literal">hosts</tt> <tt class="literal">deny</tt> option
+(synonymous with <tt class="literal">deny</tt> <tt class="literal">hosts</tt>)
+specifies client systems that do not have permission to access a
+share, written as a comma- or space-separated list of hostnames or
+their IP addresses. Use the same format for specifying clients as the
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option earlier. For
+example, to restrict access to the server from everywhere but
+<tt class="literal">example.com</tt>, you could write:</p>
+
+<blockquote><pre class="code">hosts deny = ALL EXCEPT .example.com</pre></blockquote>
+
+<p>There is no default value for the <tt class="literal">hosts</tt>
+<tt class="literal">deny</tt> configuration option, although the default
+course of action in the event that neither option is specified is to
+allow access from all sources. Also, if you specify this option in
+the <tt class="literal">[global]</tt> section of the configuration file, it
+will override any <tt class="literal">hosts</tt> <tt class="literal">deny</tt>
+options defined in shares. If you wish to deny access to specific
+shares, omit both the <tt class="literal">hosts</tt>
+<tt class="literal">allow</tt> and <tt class="literal">hosts</tt>
+<tt class="literal">deny</tt> options from the <tt class="literal">[global]</tt>
+section of the configuration file.</p>
+
+<a name="samba2-CHP-6-NOTE-133"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>Never include the loopback address (<tt class="literal">localhost</tt> at
+IP address 127.0.0.1) in the <tt class="literal">hosts deny</tt> list. The
+<em class="filename">smbpasswd</em> program needs to connect through the
+loopback address to the Samba server as a client to change a
+user's encrypted password. If the loopback address
+is disabled, the locally generated packets requesting the change of
+the encrypted password will be discarded by Samba.</p>
+
+
+<p>In addition, both local browsing propagation and some functions of
+SWAT require access to the Samba server through the loopback address
+and will not work correctly if this address is disabled.
+<a name="INDEX-79"/></p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.3"/>
+
+<h3 class="head3">interfaces</h3>
+
+<p>The <tt class="literal">interfaces</tt><a name="INDEX-80"/> option specifies the
+networks that you want the Samba server to recognize and respond to.
+This option is handy if you have a computer that resides on more than
+one network subnet. If this option is not set, Samba searches for the
+primary network interface of the server (typically the first Ethernet
+card) upon startup and configures itself to operate on only that
+subnet. If the server is configured for more than one subnet and you
+do not specify this option, Samba will only work on the first subnet
+it encounters. You must use this option to force Samba to serve the
+other subnets on your network.</p>
+
+<p>The value of this option is one or more sets of IP address/netmask
+pairs, as in the following:</p>
+
+<blockquote><pre class="code">interfaces = 192.168.220.100/255.255.255.0 192.168.210.30/255.255.255.0</pre></blockquote>
+
+<p>You can optionally specify a
+<a name="INDEX-81"/><a name="INDEX-82"/>CIDR format bitmask, like this:</p>
+
+<blockquote><pre class="code">interfaces = 192.168.220.100/24 192.168.210.30/24</pre></blockquote>
+
+<p>The number after the slash specifies the number of bits that will be
+set in the netmask. For example, the number 24 means that the first
+24 (of 32) bits will be set in the bitmask, which is the same as
+specifying 255.255.255.0 as the netmask. Likewise, 16 would be
+equivalent to a netmask of 255.255.0.0, and 8 would be the same as a
+netmask of 255.0.0.0.</p>
+<a name="samba2-CHP-6-NOTE-135"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>This option might not work correctly if you are using DHCP.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.4"/>
+
+<h3 class="head3">bind interfaces only</h3>
+
+<p>The <tt class="literal">bind</tt><a name="INDEX-83"/>
+<tt class="literal">interfaces</tt> <tt class="literal">only</tt> option can be
+used to force the <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em> processes to respond only to those
+addresses specified by the <tt class="literal">interfaces</tt> option. The
+<em class="emphasis">nmbd</em> process normally binds to the all-addresses
+interface (0.0.0.0.) on ports 137 and 138, allowing it to receive
+broadcasts from anywhere. However, you can override this behavior
+with the following:</p>
+
+<blockquote><pre class="code">bind interfaces only = yes</pre></blockquote>
+
+<p>This will cause Samba to ignore any packets (including broadcast
+packets) whose source address does not correspond to any of the
+network interfaces specified by the <tt class="literal">interfaces</tt>
+option. You should avoid using this option if you want to allow
+temporary network connections, such as those created through SLIP or
+PPP. It's very rare that this option is needed, and
+it should be used only by experts.</p>
+
+<a name="samba2-CHP-6-NOTE-136"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you set <tt class="literal">bind interfaces only</tt> to <tt class="literal">yes</tt>
+, add the <a name="INDEX-84"/><a name="INDEX-85"/><a name="INDEX-86"/>local host
+address (127.0.01) to the
+&quot;interfaces&quot; list. Otherwise,
+<em class="emphasis">smbpasswd</em> will be unable to connect to the
+server using its default mode in order to change a password, local
+browse list propagation will fail, and some functions of swat will
+not work properly. <a name="INDEX-87"/><a name="INDEX-88"/></p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-7"/>
+
+<h2 class="head1">Virtual Servers</h2>
+
+<p><a name="INDEX-89"/>Virtual
+servers can be used to create the illusion of having multiple servers
+on the network, when in reality there is only one. The technique is
+simple to implement: a system simply registers more than one NetBIOS
+name in association with its IP address. There are tangible benefits
+to doing this.</p>
+
+<p>For example, the accounting department might have an
+<tt class="literal">accounting</tt> server, and clients of it would see
+just the accounting disks and printers. The marketing department
+could have its own server, <tt class="literal">marketing</tt>, with its own
+reports, and so on. However, all the services would be provided by
+one medium-size Unix server (and one relaxed administrator) instead
+of having one small server per department.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-7.1"/>
+
+<h3 class="head2">Virtual Server Configuration Options</h3>
+
+<p><a name="INDEX-90"/><a name="INDEX-91"/>Samba will allow a server to use more
+than one NetBIOS name with the <tt class="literal">netbios</tt>
+<tt class="literal">aliases</tt> option. See <a href="ch06.html#samba2-CHP-6-TABLE-7">Table 6-7</a>.</p>
+
+<a name="samba2-CHP-6-TABLE-7"/><h4 class="head4">Table 6-7. Virtual server configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">netbios</tt> <tt class="literal">aliases</tt></p>
+</td>
+<td>
+<p>string (list of NetBIOS names)</p>
+</td>
+<td>
+<p>Additional NetBIOS names to respond to, for use with multiple
+&quot;virtual&quot; Samba servers</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-7.1.1"/>
+
+<h3 class="head3">netbios aliases</h3>
+
+<p>The <tt class="literal">netbios</tt><a name="INDEX-92"/>
+<tt class="literal">aliases</tt> option can be used to give the Samba
+server more than one NetBIOS name. Each NetBIOS name listed as a
+value will be displayed in the Network Neighborhood of Windows
+clients. When a connection is requested to any of the servers, it
+will connect to the same Samba server.</p>
+
+<p>This might come in handy, for example, if you're
+transferring three departments' data to a single
+Unix server with larger and faster disks and are retiring or
+reallocating the old Windows NT/2000 servers. If the three servers
+are called <tt class="literal">sales</tt>, <tt class="literal">accounting</tt>,
+and <tt class="literal">admin</tt>, you can have Samba represent all three
+servers with the following options:</p>
+
+<blockquote><pre class="code">[global]
+    netbios aliases = sales accounting admin
+    include = /usr/local/samba/lib/smb.conf.%L</pre></blockquote>
+
+<p>See <a href="ch06.html#samba2-CHP-6-FIG-5">Figure 6-5</a> for what the Network Neighborhood
+would display from a client. When a client attempts to connect to
+Samba, it will specify the name of the server to which
+it's trying to connect, which is made available in
+the configuration file through the <tt class="literal">%L</tt> variable. If
+the requested server is <tt class="literal">sales</tt>, Samba will include
+the file <em class="filename">/usr/local/samba/lib/smb.conf.sales</em>.
+This file might contain global and share declarations exclusively for
+the sales team, such as the following:</p>
+
+<blockquote><pre class="code">[global]
+    workgroup = SALES
+    hosts allow = 192.168.10.255
+
+[sales2003]
+    path = /usr/local/samba/sales/sales2003/
+...</pre></blockquote>
+
+<p>This particular example would set the workgroup to SALES as well and
+set the IP address to allow connections only from the SALES subnet
+(192.168.10). In addition, it would offer shares specific to the
+sales department.</p>
+
+<div class="figure"><a name="samba2-CHP-6-FIG-5"/><img src="figs/sam2_0605.gif"/></div><h4 class="head4">Figure 6-5. Using NetBIOS aliases for a Samba server</h4>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-6-SECT-8"/>
+
+<h2 class="head1">Logging Configuration Options</h2>
+
+<p><a name="INDEX-93"/><a name="INDEX-94"/>Occasionally,
+we need to find out what Samba is up to. This is especially true when
+Samba is performing an unexpected action or is not performing at all.
+To find out this information, we need to check
+Samba's log files to see exactly why it did what it
+did.</p>
+
+<p>Samba <a name="INDEX-95"/>log files
+can be as brief or verbose as you like. Here is an example of what a
+Samba log file looks like:</p>
+
+<blockquote><pre class="code">[2002/07/21 13:23:25, 3] smbd/service.c:close_cnum(514)
+  maya (172.16.1.6) closed connection to service IPC$
+[2002/07/21 13:23:25, 3] smbd/connection.c:yield_connection(40)
+  Yielding connection to IPC$
+[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
+  Transaction 923 of length 49
+[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
+  switch message SMBread (pid 467)
+[2002/07/21 13:23:25, 3] lib/doscalls.c:dos_ChDir(336)
+  dos_ChDir to /home/samba
+[2002/07/21 13:23:25, 3] smbd/reply.c:reply_read(2199)
+  read fnum=4207 num=2820 nread=2820
+[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
+  Transaction 924 of length 55
+[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
+  switch message SMBreadbraw (pid 467)
+[2002/07/21 13:23:25, 3] smbd/reply.c:reply_readbraw(2053)
+  readbraw fnum=4207 start=130820 max=1276 min=0 nread=1276
+[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
+  Transaction 925 of length 55
+[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
+  switch message SMBreadbraw (pid 467)</pre></blockquote>
+
+<p>Much of this information is of use only to Samba programmers.
+However, we will go over the meaning of some of these entries in more
+detail in <a href="ch12.html">Chapter 12</a>.</p>
+
+<p>Samba contains six options that allow users to describe how and where
+logging information should be written. Each of these are global
+options and cannot appear inside a share definition. Here is an
+example of some logging options that we are adding to our
+configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    log level = 2
+    log file = /var/log/samba.log.%m
+    max log size = 50
+    debug timestamp = yes</pre></blockquote>
+
+<p>Here, we've added a custom log file that reports
+information up to debug level 2. This is a relatively light debugging
+level. The logging level ranges from 1 to 10, where level 1 provides
+only a small amount of information and level 10 provides a plethora
+of low-level information. Levels 2 or 3 will provide us with useful
+debugging information without wasting disk space on our server. In
+practice, you should avoid using log levels greater than 3 unless you
+are working on the Samba source code.</p>
+
+<p>The logging file is located in the <em class="filename">/var/log</em>
+directory thanks to the <tt class="literal">log</tt>
+<tt class="literal">file</tt> configuration option. However, we can use
+variable substitution to create log files specifically for individual
+users or clients, such as with the <tt class="literal">%m</tt> variable in
+the following line:</p>
+
+<blockquote><pre class="code">log file = /usr/local/logs/samba.log.%m</pre></blockquote>
+
+<p>Isolating the log messages can be invaluable in tracking down a
+network error if you know the problem is coming from a specific
+client system or user.</p>
+
+<p>We've added a precaution to the log files: no one
+log file can exceed 50 KB in size, as specified by the
+<tt class="literal">max</tt> <tt class="literal">log</tt> <tt class="literal">size</tt>
+option. If a log file exceeds this size, the contents are moved to a
+file with the same name but with the suffix <em class="emphasis">.old</em>
+appended. If the <em class="emphasis">.old</em> file already exists, it is
+overwritten and its contents are lost. The original file is cleared,
+waiting to receive new logging information. This prevents the hard
+drive from being overwhelmed with Samba log files during the life of
+the Samba daemons.</p>
+
+<p>We have decided to write the timestamps of the messages in the logs
+with the <tt class="literal">debug</tt> <tt class="literal">timestamp</tt>
+option, which is the default behavior. This will place a timestamp in
+each message written to the logging file. If we were not interested
+in this information, we could specify <tt class="literal">no</tt> for this
+option instead.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-8.1"/>
+
+<h3 class="head2">Using syslog</h3>
+
+<p>If you wish to use the system logger
+(<a name="INDEX-96"/>syslog<em class="filename">
+</em>) in addition to or in place of the standard Samba logging
+file, Samba provides options for this as well. However, to use
+syslog, the first thing you will have to do is make sure that Samba
+was built with the <tt class="literal">configure</tt>
+<tt class="literal">--with-syslog</tt> option. See <a href="ch02.html">Chapter 2</a> for more information on configuring and
+compiling Samba. See <a href="appe.html">Appendix E</a> for more
+information about the <tt class="literal">--with-syslog</tt> option.</p>
+
+<p>Once that is done, you will need to configure your
+<em class="filename">/etc/syslog.conf</em><a name="INDEX-97"/> to accept logging information from Samba.
+If there is not already a <tt class="literal">daemon.*</tt> entry in the
+<em class="filename">/etc/syslog.conf</em> file, add the following:</p>
+
+<blockquote><pre class="code">daemon.*        /var/log/daemon.log</pre></blockquote>
+
+<p>This specifies that any logging information from system daemons will
+be stored in the <em class="filename">/var/log/daemon.log</em> file. This
+is where the Samba information will be stored as well. From there,
+you can set a value for the <tt class="literal">syslog</tt> parameter in
+your Samba configuration file to specify which logging messages are
+to be sent to syslog. Only messages that have debug levels lower than
+the value of the <tt class="literal">syslog</tt> parameter will be sent to
+syslog. For example, setting the following:</p>
+
+<blockquote><pre class="code">syslog = 3</pre></blockquote>
+
+<p>specifies that any logging messages with a level of 2 or below will
+be sent to both syslog and the Samba logging files. (The mappings to
+<em class="filename">syslog</em> priorities are described in the upcoming
+section &quot;syslog.&quot;) To continue the
+example, let's assume that we have set the
+<tt class="literal">log</tt> <tt class="literal">level</tt> option to 4. Logging
+messages with levels of 2 and 1 will be sent to both syslog and the
+Samba logging files, and messages with a level of 3 or 4 will be sent
+to the Samba logging files, but not to syslog. If the
+<tt class="literal">syslog</tt> value exceeds the <tt class="literal">log</tt>
+<tt class="literal">level</tt> value, nothing will be sent to syslog.</p>
+
+<p>If you want to specify that messages be sent only to syslog&mdash;and
+not to the standard Samba logging files&mdash;you can place this
+option in the configuration file:</p>
+
+<blockquote><pre class="code">syslog only = yes</pre></blockquote>
+
+<p>If this is the case, any logging information above the number
+specified in the <tt class="literal">syslog</tt> option will be discarded,
+as with the <tt class="literal">log</tt> <tt class="literal">level</tt> option.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-6-SECT-8.2"/>
+
+<h3 class="head2">Logging Configuration Options</h3>
+
+<p><a href="ch06.html#samba2-CHP-6-TABLE-8">Table 6-8</a> lists each logging configuration option
+that Samba can use.</p>
+
+<a name="samba2-CHP-6-TABLE-8"/><h4 class="head4">Table 6-8. Logging configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">log file</tt></p>
+</td>
+<td>
+<p>string (name of file)</p>
+</td>
+<td>
+<p>Name of the log file that Samba is to use. Works with all variables.</p>
+</td>
+<td>
+<p>Specified in Samba makefile</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">log level</tt></p>
+
+<p><tt class="literal">(debug level)</tt></p>
+</td>
+<td>
+<p>numeric (0-10)</p>
+</td>
+<td>
+<p>Amount of log/debug messages that are sent to the log file. 0 is
+none; 3 is considerable.</p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max log size</tt></p>
+</td>
+<td>
+<p>numeric (size in KB)</p>
+</td>
+<td>
+<p>Maximum size of log file.</p>
+</td>
+<td>
+<p><tt class="literal">5000</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">debug timestamp</tt> <tt class="literal">(timestamp logs)</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">no</tt>, doesn't timestamp logs,
+making them easier to read during heavy debugging.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">syslog</tt></p>
+</td>
+<td>
+<p>numeric (0-10)</p>
+</td>
+<td>
+<p>Level of messages sent to <em class="emphasis">syslog</em>. Those levels
+below <tt class="literal">syslog</tt> <tt class="literal">level</tt> will be sent
+to the system logger.</p>
+</td>
+<td>
+<p><tt class="literal">1</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">syslog only</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, uses <em class="emphasis">syslog</em> entirely
+and sends no output to the Samba log files.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.1"/>
+
+<h3 class="head3">log file</h3>
+
+<p>By default, Samba writes log information to text files in the
+<em class="filename">/usr/local/samba/var</em> directory. The
+<tt class="literal">log</tt><a name="INDEX-98"/> <tt class="literal">file</tt> option can be
+used to set the name of the log file to another location. For
+example, to put the Samba log information in
+<em class="filename">/usr/local/logs/samba.log</em>, you could use the
+following:</p>
+
+<blockquote><pre class="code">[global]
+    log file = /usr/local/logs/samba.log</pre></blockquote>
+
+<p>You can use variable substitution to create log files specifically
+for individual users or clients.</p>
+
+<p>You can override the default log file location using the
+<em class="emphasis">-l</em> command-line switch when either daemon is
+started. However, this does not override the <tt class="literal">log</tt>
+<tt class="literal">file</tt> option. If you do specify this parameter,
+initial logging information will be sent to the file specified after
+<em class="emphasis">-l</em> (or the default specified in the Samba
+makefile) until the daemons have processed the
+<em class="filename">smb.conf</em> file and know to redirect it to a new
+log file.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.2"/>
+
+<h3 class="head3">log level</h3>
+
+<p>The <tt class="literal">log</tt><a name="INDEX-99"/> <tt class="literal">level</tt> option
+sets the amount of data to be logged. Normally this is set to 0 or 1.
+However, if you have a specific problem, you might want to set it at
+3, which provides the most useful debugging information you would
+need to track down a problem. Levels above 3 provide information
+that's primarily for the developers to use for
+chasing internal bugs, and it slows down the server considerably.
+Therefore, we recommend that for normal day-to-day operation, you
+avoid setting this option to anything above 3.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.3"/>
+
+<h3 class="head3">max log size</h3>
+
+<p>The <tt class="literal">max</tt><a name="INDEX-100"/> <tt class="literal">log</tt>
+<tt class="literal">size</tt> option sets the maximum size, in kilobytes,
+of the debugging log file that Samba keeps. When the log file exceeds
+this size, the current log file is renamed to add a
+<em class="filename">.old</em> extension (erasing any previous file with
+that name) and a new debugging log file is started with the original
+name. For example:</p>
+
+<blockquote><pre class="code">[global]
+    log file = /usr/local/logs/samba.log.%m
+    max log size = 1000</pre></blockquote>
+
+<p>Here, if the size of any log file exceeds 1MB, Samba renames the log
+file <em class="emphasis">samba.log</em>.
+<em class="replaceable">machine-name</em><em class="emphasis">.old</em>,
+and a new log file is generated. If there is already a file with the
+<em class="emphasis">.old</em> extension, Samba deletes it. We highly
+recommend setting this option in your configuration files because
+debug logging (even at lower levels) can quietly eat away at your
+available disk space. Using this option protects unwary
+administrators from suddenly discovering that most of the space on a
+disk or partition has been swallowed up by a single Samba log file.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.4"/>
+
+<h3 class="head3">debug timestamp or timestamp logs</h3>
+
+<p>If you happen to be debugging a network problem and you find that the
+timestamp information within the Samba log lines gets in the way, you
+can turn it off by giving either the
+<tt class="literal">timestamp</tt><a name="INDEX-101"/> <tt class="literal">logs</tt> or the
+synonymous <tt class="literal">debug</tt><a name="INDEX-102"/>
+<tt class="literal">timestamp</tt> option a value of <tt class="literal">no</tt>.
+For example, a regular Samba log file presents its output in the
+following form:</p>
+
+<blockquote><pre class="code">12/31/01 12:03:34 toltec (172.16.1.1) connect to server network as user jay</pre></blockquote>
+
+<p>With a <tt class="literal">no</tt> value for this option, the output would
+appear without the timestamp:</p>
+
+<blockquote><pre class="code">toltec (172.16.1.1) connect to server network as user jay</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.5"/>
+
+<h3 class="head3">syslog</h3>
+
+<p>The <tt class="literal">syslog</tt><a name="INDEX-103"/> option causes Samba log
+messages to be sent to the Unix system logger. The type of log
+information to be sent is specified as a numeric value. Like the
+<tt class="literal">log</tt> <tt class="literal">level</tt> option, it can be a
+number from 0 to 10. Logging information with a level less than the
+number specified will be sent to the system logger. Debug logs
+greater than or equal to the <tt class="literal">syslog</tt> level, but
+less than log level, will still be sent to the standard Samba log
+files. For example:</p>
+
+<blockquote><pre class="code">[global]
+    log level = 3
+    syslog = 1</pre></blockquote>
+
+<p>With this, all logging information with a level of 0 would be sent to
+the standard Samba logs and the system logger, while information with
+levels 1, 2, and 3 would be sent only to the standard Samba logs.
+Levels above 3 are not logged at all. All messages sent to the system
+logger are mapped to a priority level that the syslogd daemon
+understands, as shown in <a href="ch06.html#samba2-CHP-6-TABLE-9">Table 6-9</a>. The default
+level is 1.</p>
+
+<a name="samba2-CHP-6-TABLE-9"/><h4 class="head4">Table 6-9. syslog priority conversion</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Log level</p>
+</th>
+<th>
+<p>syslog priority</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>0</p>
+</td>
+<td>
+<p><tt class="literal">LOG_ERR</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>1</p>
+</td>
+<td>
+<p><tt class="literal">LOG_WARNING</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>2</p>
+</td>
+<td>
+<p><tt class="literal">LOG_NOTICE</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>3</p>
+</td>
+<td>
+<p><tt class="literal">LOG_INFO</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p>4 and above</p>
+</td>
+<td>
+<p><tt class="literal">LOG_DEBUG</tt></p>
+</td>
+</tr>
+
+</table>
+
+<p>If you wish to use <em class="emphasis">syslog</em>, you will have to run
+<tt class="literal">configure</tt> <tt class="literal">--with-syslog</tt> when
+compiling Samba, and you will need to configure your
+<em class="filename">/etc/syslog.conf</em> to suit. (See <a href="ch06.html#samba2-CHP-6-SECT-8.1">Section 6.8.1</a>, earlier in this chapter.)</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.6"/>
+
+<h3 class="head3">syslog only</h3>
+
+<p>The <tt class="literal">syslog</tt><a name="INDEX-104"/> <tt class="literal">only</tt> option
+tells Samba not to use its own logging files at all and to use only
+the system logger. To enable this, specify the following option in
+the global section of the Samba configuration file:</p>
+
+<a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><blockquote><pre class="code">[global]
+    syslog only = yes</pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> Depending on your system, this file might not
+be <em class="emphasis">/etc/printcap</em>. You can use the
+<em class="emphasis">testparm</em> command that comes with Samba to dump
+the parameter definitions and determine the value of the
+<tt class="literal">printcap</tt> <tt class="literal">name</tt> configuration
+option. The value assigned to it is the default value chosen when
+Samba was configured and compiled, which should be correct.</p>
+<a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> We are referring here to the window that
+opens when a printer icon in the Printers control panel is
+double-clicked.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch07.html b/docs/htmldocs/using_samba/ch07.html
new file mode 100644
index 0000000000..a6dc8d94b0
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch07.html
@@ -0,0 +1,2139 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 7. Name Resolution and Browsing</h1>
+
+
+
+
+<p><a name="INDEX-1"/><em class="firstterm">Name
+resolution</em> is critical to Samba's
+operation because names are used to find the servers that share files
+or printers. <em class="firstterm">Browsing</em> takes the task of
+finding servers to a new level of sophistication by allowing a user
+to delve down into a hierarchy of networks, domains, hosts, and
+services offered by each server.</p>
+
+<p>While name resolution and
+<a name="INDEX-2"/>browsing are not
+difficult to configure, some complexity is introduced by the variety
+of available name-resolution systems. Historically, Unix and other
+TCP/IP users have moved from a flat hosts file to the Domain Name
+System, with the Network Information System being another popular
+choice. Meanwhile, Microsoft has moved from a broadcasting system to
+a simple, LAN-only name server called WINS and ultimately to DNS.</p>
+
+<p>The reason for going over that history is that all previous systems
+of name resolution are still in use today! Finding a host is so
+crucial to networking that sites want robust (if limited)
+name-resolution systems to fall back on in case the main system
+fails. Browsing is also complicated by the frequent need to show
+hosts in other subnets. This chapter shows you how to configure your
+network to handle name resolution and browsing any way you want.</p>
+
+<p>Some of the differences between Unix and Microsoft networking
+implementations are the result of fundamental design goals. Unix
+networking was originally designed largely to implement a relatively
+formal group of systems that were assumed to be small in number,
+well-maintained, and highly available, that have static IP addresses,
+and that wouldn't physically move around from place
+to place. Bringing a new server online was a labor-intensive task,
+but it did not have to be performed frequently. In contrast, Windows
+networking was originally developed as a peer-to-peer collection of
+small personal computers on a single subnet, having no centrally or
+hierarchically organized structure.</p>
+
+<p>SMB networking is dynamic. Computers are allowed to leave the network
+at any time, sometimes without warning, and also to join or rejoin
+the network at any time. Furthermore, any user in a Windows network
+can add a new shared resource to the network or remove a resource
+that he had previously added. The change in the
+network's configuration is handled automatically by
+the rest of the network without requiring a system administrator to
+take any action.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-7-SECT-1"/>
+
+<h2 class="head1">Name Resolution</h2>
+
+<p>TCP/IP networks identify systems by IP addresses and always associate
+these addresses with more human-readable text names. In
+Microsoft's earliest networking implementations (for
+MS-DOS and Windows for Workgroups), the translation of names to
+network addresses was carried out in a manner that was very simple,
+yet very inefficient. When a system on the network needed an IP
+address corresponding to a name, it broadcasted the name to every
+other system on the network and waited for the system that owned the
+name to respond with its IP address.</p>
+
+<p>The main problem with performing <a name="INDEX-3"/>name resolution using broadcast
+packets is poor performance of the network as a whole, including CPU
+time consumed by each host on the network, which has to accept every
+broadcast packet and decide whether to respond to it. Also, broadcast
+packets usually aren't forwarded by routers,
+limiting name resolution to the local subnet.
+Microsoft's solution was to add WINS (Windows
+Internet Name Service) support to Windows NT so that the computers on
+the network can perform a direct query of the WINS server instead of
+using broadcast packets.</p>
+
+<p>Modern Windows clients use a variety of methods for translating
+hostnames into IP addresses. The exact method varies depending on the
+version of Windows the client is running, how the client is
+configured (i.e., whether DNS server and/or WINS server IP addresses
+are provided), and whether the application software is accessing the
+network through Microsoft's Winsock or TCP/IP API.
+In general, Windows uses some combination of the following
+methods:<a name="INDEX-4"/></p>
+
+<ul><li>
+<p>Looking up the name in its cache of recently resolved names</p>
+</li><li>
+<p>Querying DNS servers</p>
+</li><li>
+<p>Using the DNS <em class="filename">Hosts</em> file</p>
+</li><li>
+<p>Querying WINS servers</p>
+</li><li>
+<p>Using the WINS <em class="filename">LMHOSTS</em> file</p>
+</li><li>
+<p>Performing broadcast name resolution</p>
+</li></ul>
+<p>The first method is pretty much self-explanatory. A hostname is
+checked against a cache of hostnames that have been recently resolved
+to IP addresses. This helps to save time and network bandwidth for
+resolving names that are used frequently.</p>
+
+<p>When a Windows system is configured with the IP address of at least
+one <a name="INDEX-5"/>DNS server, it can use DNS to
+resolve fully qualified domain names, such as those for sites on the
+Internet. The DNS servers can be either Windows NT/2000 or Unix
+systems. You can learn more about DNS and DNS server configuration in
+the O'Reilly book <em class="citetitle">DNS and
+BIND</em>.</p>
+
+<p>In this chapter, we focus mainly on name resolution using WINS, which
+is supported by Samba with the <em class="emphasis">nmbd</em> daemon.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.1"/>
+
+<h3 class="head2">WINS Clients and Server Interaction</h3>
+
+<p>There are two types of interaction between a
+<a name="INDEX-6"/>WINS client and a server: the
+client keeps its own NetBIOS name<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> registered with the server and
+queries the server to get the IP address corresponding to the NetBIOS
+name of another system.</p>
+
+<p>When a WINS client joins the network, it registers its NetBIOS name
+with the WINS server, which stores it along with the
+client's IP address in the WINS database. This entry
+is marked <em class="firstterm">active</em>. The client is then expected
+to renew the registration of its name periodically (typically, every
+four days) to inform the server that it is still using the name. This
+period is called the <em class="firstterm">time to live</em>, or TTL.
+When the client leaves the network by being shut down gracefully, it
+informs the server, and the server marks the
+client's entry in its database as
+<em class="firstterm">released</em>.</p>
+
+<p>When a client leaves the network without telling the WINS server to
+release its name, the server waits until after it fails to receive
+the expected registration renewal from the client and then marks the
+entry as released.</p>
+
+<p>In either case, the released name is available for use by other
+clients joining the network. It might persist in the released state
+in the WINS database, and if it is not reregistered, the entry will
+eventually be deleted.</p>
+
+<p>More information on WINS can be found in the Microsoft white paper
+<em class="citetitle">Windows Internet Naming Service (WINS) Architecture and
+Capacity Planning</em><a name="INDEX-7"/>. It can be downloaded from the
+Microsoft web site at <a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.2"/>
+
+<h3 class="head2">The lmhosts File</h3>
+
+<p>In <a href="ch03.html">Chapter 3</a> we showed you how to configure
+Windows systems to use the
+<em class="filename">LMHOSTS</em><a name="INDEX-8"/>
+file as an alternative to the WINS server for name resolution. Samba
+also can use an <em class="filename">LMHOSTS</em> file, which by default
+is <em class="filename">/usr/local/samba/lib/lmhosts</em>.
+Samba's <em class="filename">lmhosts</em> is the same
+format as the Windows version. A simple <em class="filename">lmhosts</em>
+file might look like this:</p>
+
+<blockquote><pre class="code">172.16.1.1    toltec
+172.16.1.6    maya</pre></blockquote>
+
+<p>The names on the right side of the entries are NetBIOS names, so you
+can assign resource types to them and add additional entries for
+computers:</p>
+
+<blockquote><pre class="code">172.16.1.1    toltec#20
+172.16.1.1    metran#1b
+172.16.1.6    maya#20</pre></blockquote>
+
+<p>Here, we've made <tt class="literal">toltec</tt> the
+primary domain controller of the <tt class="literal">METRAN</tt> domain on
+the second line. This line starts with
+<tt class="literal">toltec</tt>'s IP address, followed by
+the name metran and the resource type &lt;1B&gt;. The other lines are
+entries for <tt class="literal">toltec</tt> and <tt class="literal">maya</tt> as
+standard workstations.</p>
+
+<p>If you wish to place an <em class="emphasis">lmhosts</em> file somewhere
+other than the default location, you will need to notify the
+<em class="emphasis">nmbd</em> process upon startup using the
+<em class="emphasis">-H</em> option, followed by the name of your
+<em class="filename">lmhosts</em> file, as follows:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>nmbd -H /etc/samba/lmhosts -D</b></tt></pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.3"/>
+
+<h3 class="head2">Configuring Name Resolution for the Samba Suite</h3>
+
+<p>Various daemons and tools in the Samba suite need to perform
+<a name="INDEX-9"/>name resolution. You can define the
+order in which the programs try each name-resolution method through
+the <tt class="literal">name</tt><a name="INDEX-10"/><a name="INDEX-11"/>
+<tt class="literal">resolve</tt> <tt class="literal">order</tt> parameter, like
+this:</p>
+
+<blockquote><pre class="code">[global]
+    name resolve order = wins lmhosts hosts bcast</pre></blockquote>
+
+<p>The string used to define the parameter can take up to four values:</p>
+
+<dl>
+<dt><b>lmhosts</b></dt>
+<dd>
+<p>Uses the Samba server's local
+<em class="filename">lmhosts</em> file</p>
+</dd>
+
+
+
+<dt><b>hosts</b></dt>
+<dd>
+<p>Uses the standard Unix name-resolution methods, which can be
+<em class="emphasis">/etc/hosts</em>, DNS, NIS, or a combination,
+depending on how the local system is configured</p>
+</dd>
+
+
+
+<dt><b>wins</b></dt>
+<dd>
+<p>Uses the WINS server</p>
+</dd>
+
+
+
+<dt><b>bcast</b></dt>
+<dd>
+<p>Uses the broadcast method</p>
+</dd>
+
+</dl>
+
+<p>The order in which they are specified is the order in which name
+resolution will be attempted. In our example, Samba will attempt to
+use its WINS server first for name resolution, followed by the
+<em class="emphasis">lmhosts</em> file on the local system. Next, the
+<tt class="literal">hosts</tt> value tells it to use Unix name-resolution
+methods. The word <tt class="literal">hosts</tt> can be misleading; it
+covers not only the <em class="filename">/etc/hosts</em> file, but also
+the use of DNS or NIS (as configured on the Unix host). Finally, if
+those three do not work, it will perform a broadcast name resolution.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.4"/>
+
+<h3 class="head2">Setting Up Samba as a WINS Server</h3>
+
+<p>You can set up Samba as a <a name="INDEX-12"/>WINS server by setting the
+<tt class="literal">wins</tt><a name="INDEX-13"/> <tt class="literal">support</tt>
+parameter in the configuration file, like this:</p>
+
+<blockquote><pre class="code">[global]
+    wins support = yes</pre></blockquote>
+
+<p>Believe it or not, that's all you need to do! The
+<tt class="literal">wins</tt> <tt class="literal">support</tt> option turns Samba
+into a WINS server. For most installations, Samba's
+default configuration is sufficient.</p>
+<a name="samba2-CHP-7-NOTE-137"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Remember, Samba cannot communicate with Windows WINS servers. If you
+are using Samba as your WINS server, you must make sure not to allow
+any Windows systems or other Samba servers on your network to be
+configured as WINS servers. If you do, their WINS databases will not
+synchronize, resulting in inconsistent name resolution.</p>
+</blockquote>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.4.1"/>
+
+<h3 class="head3">Configuring a DNS proxy</h3>
+
+<p>A Samba <a name="INDEX-14"/><a name="INDEX-15"/>WINS server can check with the
+system's DNS server if a requested host cannot be
+found in its WINS database. With a typical Linux system, for example,
+you can find the IP address of the DNS server by searching the
+<em class="filename">/etc/resolv.conf</em><a name="INDEX-16"/><a name="INDEX-17"/> file. In it, you might see an entry such
+as the following:</p>
+
+<blockquote><pre class="code">nameserver 127.0.0.1
+nameserver 172.16.1.192</pre></blockquote>
+
+<p>This tells us that the Linux system is configured to use a DNS server
+located at 172.16.1.192. (The 127.0.0.1 is the
+<tt class="literal">localhost</tt> address and is never a valid DNS server
+address.)</p>
+
+<p>Now it is a simple matter of using the
+<tt class="literal">dns</tt><a name="INDEX-18"/> <tt class="literal">proxy</tt> option to tell
+Samba to use the DNS server:</p>
+
+<blockquote><pre class="code">[global]
+    dns proxy = yes</pre></blockquote>
+
+<a name="samba2-CHP-7-NOTE-138"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Although this allows Windows clients to resolve fully qualified
+Internet domain names through the Samba WINS server, it will work
+only for domain names that fit within the 15-character limitation of
+NetBIOS names. For this reason, we recommend you use <tt class="literal">dns
+proxy</tt> only to act as a supplement to your WINS server,
+rather than as a replacement for a DNS server.</p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.5"/>
+
+<h3 class="head2">Setting Up Samba to Use Another WINS Server</h3>
+
+<p>You can configure Samba to use a <a name="INDEX-19"/>WINS server somewhere else on the
+network by simply providing it with the IP address of the WINS
+server. This is done with the global
+<tt class="literal">wins</tt><a name="INDEX-20"/> <tt class="literal">server</tt>
+configuration option, as shown here:</p>
+
+<blockquote><pre class="code">[global]
+    wins server = 172.16.1.1</pre></blockquote>
+
+<p>With this option enabled, Samba will direct all WINS requests to the
+server located at 172.16.1.1. Note that because the request is
+directed at a single machine, we don't have to worry
+about any of the problems inherent in broadcasting. However, Samba
+will not necessarily use the WINS server before other forms of name
+resolution. The order in which Samba attempts various name-resolution
+techniques is given with the <tt class="literal">name</tt>
+<tt class="literal">resolve</tt> <tt class="literal">order</tt> configuration
+option, which we discussed earlier.</p>
+
+<p>The <tt class="literal">wins</tt> <tt class="literal">support</tt> and the
+<tt class="literal">wins</tt> <tt class="literal">server</tt> parameters are
+mutually exclusive; you cannot simultaneously offer Samba as the WINS
+server and use another system as the server! Typically, one Samba
+server is set up as the WINS server using <tt class="literal">wins</tt>
+<tt class="literal">support</tt>, and all other Samba servers are
+configured with the <tt class="literal">wins</tt> <tt class="literal">server</tt>
+parameter pointing to the Samba WINS server.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.5.1"/>
+
+<h3 class="head3">Configuring a WINS proxy</h3>
+
+<p><a name="INDEX-21"/>If you have a Samba server on a
+subnet that doesn't have a WINS server, and the
+Samba server has been configured with a WINS server on another
+subnet, you can tell the Samba server to forward any name-resolution
+requests with the <tt class="literal">wins</tt><a name="INDEX-22"/>
+<tt class="literal">proxy</tt> option:</p>
+
+<blockquote><pre class="code">[global]
+    wins server = 172.16.200.12
+    wins proxy = yes</pre></blockquote>
+
+<p>Use this only in situations where the WINS server resides on another
+subnet. Otherwise, the broadcast will reach the WINS server
+regardless of any proxying.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-1.6"/>
+
+<h3 class="head2">Name-Resolution Configuration Options</h3>
+
+<p><a name="INDEX-23"/>Samba's <a name="INDEX-24"/>name-resolution options
+are shown in <a href="ch07.html#samba2-CHP-7-TABLE-1">Table 7-1</a>.</p>
+
+<a name="samba2-CHP-7-TABLE-1"/><h4 class="head4">Table 7-1. Name-resolution options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">wins support</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, allows Samba to act as a WINS server</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">wins server</tt></p>
+</td>
+<td>
+<p>string (IP address or DNS name)</p>
+</td>
+<td>
+<p>Identifies a WINS server for Samba to use for name registration and
+resolution</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">wins proxy</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>Allows Samba to act as a proxy to a WINS server on another subnet</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">wins hook</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Command to run when the WINS database changes</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dns proxy</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, allows a Samba WINS server to
+search DNS if it cannot find a name in WINS</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">name resolve</tt> <tt class="literal">order</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>The order of methods used to resolve NetBIOS names</p>
+</td>
+<td>
+<p><tt class="literal">lmhosts</tt> <tt class="literal">hosts wins bcast</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max ttl</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum TTL in seconds for a requested NetBIOS name</p>
+</td>
+<td>
+<p><tt class="literal">259200</tt> ( 3 days)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max wins ttl</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum TTL in seconds for NetBIOS names given out by Samba as a WINS
+server</p>
+</td>
+<td>
+<p><tt class="literal">518400</tt> (6 days)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">min wins ttl</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Minimum TTL in seconds for NetBIOS names given out by Samba as a WINS
+server</p>
+</td>
+<td>
+<p><tt class="literal">21600</tt> (6 hours)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.1"/>
+
+<a name="INDEX-25"/><h3 class="head3">wins support</h3>
+
+<p>Samba will provide WINS name service to all machines in the network
+if you set the following in the <tt class="literal">[global]</tt> section
+of the <em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[global]
+    wins support = yes</pre></blockquote>
+
+<p>The default value is <tt class="literal">no</tt>, which is typically used
+to allow a Windows NT/2000 server or another Samba server to be the
+WINS server. If you enable this option, remember that a Samba WINS
+server currently cannot exchange data with other WINS servers, so do
+not allow any other WINS servers on the network. When set to
+<tt class="literal">yes</tt>, this option is mutually exclusive with the
+<tt class="literal">wins</tt> <tt class="literal">server</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.2"/>
+
+<a name="INDEX-26"/><h3 class="head3">wins server</h3>
+
+<p>Samba will use an existing WINS server on the network if you specify
+the <tt class="literal">wins</tt> <tt class="literal">server</tt> global option
+in your configuration file. The value of this option is either the IP
+address or DNS name (not NetBIOS name) of the WINS server. For
+example:</p>
+
+<blockquote><pre class="code">[global]
+    wins server = 172.16.220.110</pre></blockquote>
+
+<p>or:</p>
+
+<blockquote><pre class="code">[global]
+    wins server = wins.metran.cx</pre></blockquote>
+
+<p>For this option to work, the <tt class="literal">wins</tt>
+<tt class="literal">support</tt> option must be set to
+<tt class="literal">no</tt> (the default). Otherwise, Samba will report an
+error. You can specify only one WINS server using this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.3"/>
+
+<a name="INDEX-27"/><h3 class="head3">wins proxy</h3>
+
+<p>This option allows Samba to act as a proxy to another WINS server,
+and thus relay name registration and resolution requests from itself
+to the real WINS server, often outside the current subnet. The WINS
+server can be indicated through the <tt class="literal">wins</tt>
+<tt class="literal">server</tt> option. The proxy will then return the WINS
+response back to the client. You can enable this option by specifying
+the following in the <tt class="literal">[global]</tt> section:</p>
+
+<blockquote><pre class="code">[global]
+    wins proxy = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.4"/>
+
+<a name="INDEX-28"/><h3 class="head3">wins hook</h3>
+
+<p>This option allows you to run a script or other program whenever the
+WINS database is modified. One application might be to set up another
+Samba server to act as a backup for another Samba WINS server. This
+is done by having the <tt class="literal">wins</tt> <tt class="literal">hook</tt>
+script call <em class="emphasis">rsync</em> to synchronize the WINS
+databases (<em class="filename">/usr/local/samba/var/locks/wins.dat</em>)
+on the two systems whenever an entry is added or deleted. The script
+would be specified in the Samba configuration file like this:</p>
+
+<blockquote><pre class="code">[global]
+    wins hook = /usr/local/bin/sync_wins</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.5"/>
+
+<a name="INDEX-29"/><h3 class="head3">dns proxy</h3>
+
+<p>If you want the DNS to be used if a NetBIOS name
+isn't found in WINS, you can set the following
+option:</p>
+
+<blockquote><pre class="code">[global]
+    dns proxy = yes</pre></blockquote>
+
+<p>This will permit <em class="filename">nmbd</em> to query the
+server's standard DNS. You might wish to deactivate
+this option if you do not have a permanent connection to your DNS
+server. This option should not be used in place of a DNS server on
+your network; it is intended for resolving NetBIOS names rather than
+fully qualified Internet domain names.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.6"/>
+
+<h3 class="head3">name resolve order</h3>
+
+<p>The global <tt class="literal">name</tt><a name="INDEX-30"/>
+<tt class="literal">resolve</tt> <tt class="literal">order</tt> option specifies
+the order of services that Samba will use in performing name
+resolution. The default order is to use the
+<em class="emphasis">lmhosts</em> file, followed by standard Unix
+name-resolution methods (some combination of
+<em class="filename">/etc/hosts</em>, DNS, and NIS), then to query a WINS
+server, and finally to use broadcasting to determine the address of a
+NetBIOS name. You can override this option by specifying something
+like the following:</p>
+
+<blockquote><pre class="code">[global]
+    name resolve order = lmhosts wins hosts bcast</pre></blockquote>
+
+<p>This causes resolution to use the <em class="emphasis">lmhosts</em> file
+first, followed by a query to a WINS server, the
+<em class="filename">/etc/hosts</em> file, and finally broadcasting. You
+need not use all four options. This option is covered in more detail
+in <a href="ch07.html#samba2-CHP-7-SECT-1.4">Section 7.1.4</a>,
+earlier in this chapter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.7"/>
+
+<a name="INDEX-31"/><h3 class="head3">max ttl</h3>
+
+<p>This option is used when Samba is not acting as a WINS server but is
+using another system on the network for its WINS server. It sets the
+maximum T T L for NetBIOS names registered by the Samba server with
+the WINS server. You should never need to alter this value.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.8"/>
+
+<a name="INDEX-32"/><h3 class="head3">max wins ttl</h3>
+
+<p>This option is used when Samba is providing WINS name service, and it
+sets the maximum T T L for NetBIOS names registered with Samba. You
+should never need to change this value from its default.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-1.6.9"/>
+
+<a name="INDEX-33"/><h3 class="head3">min wins ttl</h3>
+
+<p>This option is used when Samba is providing WINS name service, and it
+sets the minimum T T L for NetBIOS names registered with Samba. You
+should never need to alter this value from its default. <a name="INDEX-34"/> <a name="INDEX-35"/> <a name="INDEX-36"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-7-SECT-2"/>
+
+<h2 class="head1">Browsing</h2>
+
+<p><a name="INDEX-37"/>Browsing
+was developed by Microsoft to help users find shared resources on the
+network. In a networked computing environment where users can add or
+remove shares at any time, it is important to have some automatic
+means of keeping track of the shared resources and allowing users to
+&quot;browse&quot; through them to find the
+ones they wish to use.</p>
+
+<p>Before browsing was added to SMB networking, when anyone added a new
+share, the people with whom they wished to share the data or printer
+would have to be informed of the share's UNC, using
+some relatively low-tech method such as speaking to them in person or
+over the phone, or sending email. Already, this was very inconvenient
+in large organizations. To further complicate matters, the users
+working on client computers had to type in the
+share's UNC to connect to it. The only way to get
+around typing in the share's UNC every time it was
+used was to map a network drive to it, and with a large number of
+shares on the network, this could easily get out of hand.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.1"/>
+
+<h3 class="head2">Browsing in a Windows Network</h3>
+
+<p><a name="INDEX-38"/>To keep things simple, we will
+first describe network browsing in a network that contains only
+Windows systems and then show you how to add a Samba server.</p>
+
+<p>The basic way browsing works is that one computer in the network
+takes on the role of the <em class="firstterm">master
+browser</em><a name="INDEX-39"/> (also
+called <em class="firstterm">local master
+browser</em><a name="INDEX-40"/>,<em class="firstterm"> browse
+master</em><a name="INDEX-41"/>, or
+<em class="firstterm">browse server</em><a name="INDEX-42"/>) and
+keeps a list of all the computers on the local subnet that are acting
+as SMB servers. The list of computers is called the <em class="firstterm">browse
+list</em><a name="INDEX-43"/> and includes all Samba servers, Windows
+NT/2000/XP systems, and any Windows 95/98/Me systems that have the
+&quot;File and printer sharing for Microsoft
+Networks&quot; networking component installed. The browse
+list also contains the names of all workgroups and domains. At this
+level, browsing is limited to the local subnet because the browsing
+protocol depends on broadcast packets, which are typically not
+forwarded to other subnets by routers.</p>
+
+<p>A user at any Windows system can view the browse list by opening up
+the Network Neighborhood (or My Network Places), as we showed you in
+<a href="ch01.html">Chapter 1</a>. Or, the <em class="emphasis">net
+view</em><a name="INDEX-44"/> command can be used from a Windows
+command prompt:</p>
+
+<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net view</b></tt>
+Server Name            Remark
+
+-------------------------------------------------------------------------------
+\\MAYA                 Windows 98
+\\MIXTEC               Samba 2.2.5
+\\OLMEC                Windows XP Pro on Pentium/ASUS
+\\TOLTEC               Samba 2.2.5
+\\YAQUI                Windows 95 on mixtec/VMware
+\\ZAPOTEC
+The command completed successfully.</pre></blockquote>
+
+<p>Then, <em class="emphasis">net view</em> can be used with a computer name
+as an argument to contact a server directly and list the resources it
+is sharing:</p>
+
+<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>net view \\maya</b></tt>
+Shared resources at \\maya
+
+Windows 98
+
+Share name   Type         Used as  Comment
+
+-------------------------------------------------------------------------------
+D            Disk
+E            Disk
+HP           Print
+The command completed successfully.</pre></blockquote>
+
+<p>The computers on the network involved in browsing are more than just
+the master browser and its clients. There are also backup browsers,
+which maintain copies of the browse list and respond to client
+requests for it. Backup browsers are therefore able to take over the
+role of master browser seamlessly in case it fails. The master
+browser usually doesn't serve the browse list
+directly to clients. Instead, its job is mainly to keep the master
+copy of the browse list up-to-date, and also periodically update the
+backup browsers. Clients are expected to get their copies of the
+browse list from backup browsers, selecting among them randomly to
+help to distribute the load on the backup browsers more evenly.
+Ideally, the interaction between any client and the master browser is
+limited to the client announcing when it joins or leaves the network
+(if it is a server) and requesting a list of backup browsers.</p>
+
+<p>There can be more than one <a name="INDEX-45"/>backup browser. A workgroup will have a
+backup browser if two or more computers are running Windows 95/98/Me
+or Windows NT Workstation (or another nonserver version of Windows
+NT/2000/XP) on the subnet. For every 32 additional computers, another
+backup browser is added.</p>
+
+<p>In a Windows NT domain, the <a name="INDEX-46"/>primary domain controller is
+always the local master browser, and if it fails, another Windows
+NT/2000 server (if one exists) will take over the role of local
+master browser. Other versions of Windows can function as backup
+browsers, but will never become a master browser if a Windows NT/2000
+server is available.</p>
+
+<p>In addition to acting as the local master browser, the primary domain
+controller also acts as the <em class="firstterm">domain master
+browser</em><a name="INDEX-47"/>, which ties subnets together and allows
+browse lists to be shared between master and backup browsers on
+separate subnets. This is how browsing is extended to function beyond
+the local subnet. Each subnet functions as a separate browsing
+entity, and the domain master browser synchronizes the master
+browsers of each subnet. In a Windows-only network, browsing cannot
+function across subnets unless a Windows NT/2000 PDC exists on the
+network. Samba can act as a domain master browser and can perform
+that task even in a workgroup network, which means that the Windows
+PDC is not required for this task. (It is also possible to use the
+<tt class="literal">remote</tt> <tt class="literal">browse</tt>
+<tt class="literal">sync</tt> parameter to configure a Samba server to
+synchronize its browse list with a Samba server on another subnet. In
+this case, each server must be acting as the local master browser of
+its subnet.)</p>
+
+<p>Unless it is configured never to act as a browser, each computer on
+the subnet is considered a <em class="firstterm">potential browser</em>
+and can be ordered by the browse master to become a backup browser,
+or it can identify itself as a backup browser and accept the role on
+its own.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.2"/>
+
+<h3 class="head2">Browser Elections</h3>
+
+<p><a name="INDEX-48"/>When no master browser is running on
+the subnet, potential browsers choose a new master browser among
+themselves in a process called an <em class="firstterm">election</em>. An
+election is started by a computer in the subnet when it discovers
+that no master browser is currently running. If a master browser is
+shut down gracefully, it will broadcast an election request datagram,
+initiating an election by the remaining computers. If the master
+browser fails, the election can be started by a client computer that
+requests a list of backup browsers from the master browser or by a
+backup browser that requests to have its browse list updated from the
+master browser. In each case, the system fails to receive a reply
+from the master browser and initiates the election.</p>
+
+<p>Browser elections are decided in multiple rounds of self-elimination.
+During each round, potential browsers broadcast election request
+datagrams containing their qualifications to notify other potential
+browsers that an election is happening and that if the recipient is
+more qualified, it should also broadcast a bid. When a potential
+browser receives an election request datagram from a more qualified
+opponent, it drops out, disqualifying itself from becoming the master
+browser. Otherwise, it responds with its own election request
+datagram. After a few rounds, only one potential browser is left in
+the election. After an additional four rounds of sending out an
+election request datagram and receiving no response, it becomes the
+master browser and sends a broadcast datagram announcing itself as
+the local master browser for the subnet. It then assigns runners-up
+in the election as backup browsers, as needed.</p>
+
+<p>A potential browser's qualifications include the
+following:</p>
+
+<ul><li>
+<p>Whether it has recently lost an election</p>
+</li><li>
+<p>The version of the election protocol it is running</p>
+</li><li>
+<p>Its election criteria</p>
+</li><li>
+<p>The amount of time the system has been up</p>
+</li><li>
+<p>The computer's NetBIOS name</p>
+</li></ul>
+<p>If the potential browser has lost an election recently, it
+immediately disqualifies itself. The version of the election protocol
+it is running is checked, but so far, all Windows systems (and Samba)
+use the same election protocol, so the check is not very meaningful.
+The election criteria are usually what determine which computer
+becomes the local master browser. There are two parts to the election
+criteria, shown in Tables <a href="ch07.html#samba2-CHP-7-TABLE-2">Table 7-2</a> and <a href="ch07.html#samba2-CHP-7-TABLE-3">Table 7-3</a>.</p>
+
+<a name="samba2-CHP-7-TABLE-2"/><h4 class="head4">Table 7-2. Operating-system values in an election</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Operating system</p>
+</th>
+<th>
+<p>Value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Windows NT/2000 Server, running as PDC</p>
+</td>
+<td>
+<p>32</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT/2000/XP, if not the PDC</p>
+</td>
+<td>
+<p>16</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95/98/Me</p>
+</td>
+<td>
+<p>1</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows for Workgroups</p>
+</td>
+<td>
+<p>1</p>
+</td>
+</tr>
+
+</table>
+
+<a name="samba2-CHP-7-TABLE-3"/><h4 class="head4">Table 7-3. Computer-role settings in an election</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Role</p>
+</th>
+<th>
+<p>Value</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Domain master browser</p>
+</td>
+<td>
+<p>128</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>WINS client</p>
+</td>
+<td>
+<p>32</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Preferred master</p>
+</td>
+<td>
+<p>8</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Running master</p>
+</td>
+<td>
+<p>4</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Recent backup browser</p>
+</td>
+<td>
+<p>2</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Backup browser</p>
+</td>
+<td>
+<p>1</p>
+</td>
+</tr>
+
+</table>
+
+<p>The operating-system type is compared first, and the system with the
+highest value wins. The values have been chosen to cause the primary
+domain controller, if there is one, to become the local master
+browser. Otherwise, a Windows NT/2000/XP system will win over a
+Windows for Workgroups or Windows 95/98/Me system.</p>
+
+<p>When an operating-system type comparison results in a tie, the role
+of the computer is compared. A computer can have more than one of the
+values in <a href="ch07.html#samba2-CHP-7-TABLE-3">Table 7-3</a>, in which case the values are
+added.</p>
+
+<p>A domain master browser has a role value of 128 to weight the
+election so heavily in its favor that it will also become the local
+master browser on its own subnet. Although the primary domain
+controller (which is always the domain master browser) will win the
+election based solely on its operating system value, sometimes there
+is no primary domain controller on the network, and the domain master
+browser would not otherwise be distinguished from other potential
+browsers.</p>
+
+<p>Systems that are using a WINS server for name resolution are weighted
+heavily over ones that use broadcast name resolution with a role
+value of 32.</p>
+
+<p>A <em class="firstterm">preferred master</em> is a computer that has been
+selected and configured manually by a system administrator to be
+favored as the choice master browser. When a preferred master starts
+up, it forces a browser election, even if an existing master browser
+is still active. A preferred master has a role value of 8, and the
+existing master browser gets a value of 4.</p>
+
+<p>A backup browser that has recently been a master browser and still
+has an up-to-date browse list is given a role value of 2, and a
+potential browser that has been running as a backup browser gets a
+value of 1.</p>
+
+<p>If comparing the operating-system type and role results in a tie, the
+computer that has been running the longest wins. In the unlikely
+event that the two have been up for the same amount of time, the
+computer that wins is the one with the NetBIOS name that sorts first
+alphabetically.</p>
+
+<p>You can tell if a machine is a local master browser by using the
+Windows <em class="emphasis">nbtstat</em><a name="INDEX-49"/> command. Place the NetBIOS name of the
+machine you wish to check after the <em class="emphasis">-a</em> option:</p>
+
+<blockquote><pre class="code">C:\&gt;<tt class="userinput"><b>nbtstat -a toltec</b></tt>
+
+Local Area Connection:
+Node IpAddress: [172.16.1.4] Scope Id: []
+
+           NetBIOS Remote Machine Name Table
+
+       Name               Type         Status
+    ---------------------------------------------
+    TOLTEC         &lt;00&gt;  UNIQUE      Registered
+    TOLTEC         &lt;03&gt;  UNIQUE      Registered
+    TOLTEC         &lt;20&gt;  UNIQUE      Registered
+    ..__MSBROWSE__.&lt;01&gt;  GROUP       Registered
+    METRAN         &lt;00&gt;  GROUP       Registered
+    METRAN         &lt;1B&gt;  UNIQUE      Registered
+    METRAN         &lt;1C&gt;  GROUP       Registered
+    METRAN         &lt;1D&gt;  UNIQUE      Registered
+    METRAN         &lt;1E&gt;  GROUP       Registered
+
+    MAC Address = 00-00-00-00-00-00</pre></blockquote>
+
+<p>The resource entry that you're looking for is
+<tt class="literal">.._ _MSBROWSE_ _.&lt;01&gt;</tt><a name="INDEX-50"/>. This indicates
+that the server is currently acting as the local master browser for
+the current subnet. If the machine is a Samba server, you can check
+the Samba <em class="filename">nmbd</em> log file for an entry such as:</p>
+
+<blockquote><pre class="code">nmbd/nmbd_become_lmb.c:become_local_master_stage2(406)
+*****
+Samba name server TOLTEC is now a local master browser for
+workgroup METRAN on subnet 172.16.1.0</pre></blockquote>
+
+<p>Or, you can use the
+<em class="emphasis">nmblookup</em><a name="INDEX-51"/> command with the
+<em class="emphasis">-M</em> option and the workgroup or domain name on
+any Samba server to find the IP address of the local master:</p>
+
+<a name="INDEX-52"/><blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -M metran</b></tt>
+querying metran on 172.16.1.255
+172.16.1.1 metran&lt;1d&gt;</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.3"/>
+
+<h3 class="head2">Server Announcements</h3>
+
+<p><a name="INDEX-53"/>After
+the master browser election is decided, each server on the network
+announces itself to the network to allow the master and backup
+browsers to build their browse lists. At first, the server
+announcements happen every minute, but the interval is gradually
+stretched out to every 12 minutes. When a server is shut down
+gracefully, it sends an announcement that it is going offline to
+allow the master and backup browsers to remove it from the browse
+list. However, when a server goes offline by crashing or by some
+other failure, the master browser notices its disappearance only
+because it stops receiving server announcements. The master browser
+waits for three of the server's announcement periods
+before deciding that it is offline, which can take up to 36 minutes.
+Because backup browsers have their browse lists updated from the
+master browser once every 15 minutes, it can take up to 51 minutes
+for clients to be informed of a failed server.</p>
+
+<p>For more detailed information on Microsoft's
+browsing protocols, consult the Microsoft documents
+<em class="citetitle">Browsing and Windows 95
+Networking</em><a name="INDEX-54"/> and
+<em class="citetitle">CIFS/E Browser Protocol</em>. You can find these by
+searching for the titles on the Microsoft web site at <a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p>
+
+<p>More information on configuring Samba for browsing can be found in
+<em class="filename">BROWSING.txt</em><a name="INDEX-55"/> and
+<em class="filename">BROWSING-Config.txt</em> in the Samba
+distribution's <em class="filename">docs/textdocs</em>
+directory. <a name="INDEX-56"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.4"/>
+
+<h3 class="head2">Configuring Samba for Browsing</h3>
+
+<p><a name="INDEX-57"/><a name="INDEX-58"/><a name="INDEX-59"/>Samba has full support for browsing
+and can participate as a master browser, a backup browser, a domain
+master browser, a potential browser, or just a server that
+doesn't participate in browsing elections. If you
+want to make sure your Samba server never becomes a master or backup
+browser, simply set:</p>
+
+<a name="INDEX-60"/><blockquote><pre class="code">[global]
+    local master = no</pre></blockquote>
+
+<p>Usually, you will want Samba to be available as a local master or at
+least a backup browser. In the simplest case, you
+don't need to do anything because
+Samba's default is to participate in browsing
+elections with its operating system value set to 20, which will beat
+any Windows system less than a Windows NT/2000 primary domain
+controller (see <a href="ch07.html#samba2-CHP-7-TABLE-2">Table 7-2</a>). The operating-system
+value Samba reports for itself in browser elections can be set using
+the <tt class="literal">os</tt><a name="INDEX-61"/> <tt class="literal">level</tt>
+parameter:</p>
+
+<blockquote><pre class="code">[global]
+    os level = 33</pre></blockquote>
+
+<p>The preceding value will allow Samba to beat even a Windows 2000
+Advanced Server acting as a primary domain controller. As we show in
+the following section, though, forcing Samba to win this way is not
+recommended.</p>
+
+<p>If you want to allow a Windows XP Professional system to be the
+master browser, you would need to set Samba lower:</p>
+
+<blockquote><pre class="code">[global]
+    os level = 8</pre></blockquote>
+
+<p>The maximum value for <tt class="literal">os</tt> <tt class="literal">level</tt>
+is 255 because it is handled as an 8-bit unsigned integer. Supposing
+we wanted to make absolutely sure our Samba server will be the local
+master browser at all times, we might say:</p>
+
+<blockquote><pre class="code">[global]
+    local master = yes
+    os level = 255
+    preferred master = yes</pre></blockquote>
+
+<p>The addition of the
+<tt class="literal">preferred</tt><a name="INDEX-62"/>
+<tt class="literal">master</tt> parameter causes Samba to start a browser
+election as soon as it starts up, and the <tt class="literal">os</tt>
+<tt class="literal">level</tt> of 255 allows it to beat any other system on
+the network. This includes other Samba servers, assuming they are
+configured properly! If another server is using a similar
+configuration file (with <tt class="literal">os</tt>
+<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">255</tt>
+and <tt class="literal">preferred</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt>), the two will fight each
+other for the master browser role, winning elections based on minor
+criteria, such as uptime or their current role. To avoid this, other
+Samba servers should be set with a lower <tt class="literal">os</tt>
+<tt class="literal">level</tt> and not configured to be the preferred
+master.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.5"/>
+
+<h3 class="head2">Samba as the Domain Master Browser</h3>
+
+<p><a name="INDEX-63"/>Previously we mentioned that for a Windows
+workgroup or domain to extend into multiple subnets, one system would
+have to take the role of the domain master browser. The domain master
+browser propagates browse lists across each subnet in the workgroup.
+This works because each local master browser periodically
+synchronizes its browse list with the domain master browser. During
+this synchronization, the local master browser passes on the name of
+any server that the domain master browser does not have in its browse
+list, and vice versa. Each local master browser eventually holds the
+browse list for the entire domain.</p>
+
+<p>There is no election to determine which machine assumes the role of
+the domain master browser. Instead, the administrator has to set it
+manually. By Microsoft design, however, the domain master browser and
+the PDC both register a resource type of &lt;1B&gt;, so the
+roles&mdash;and the machines&mdash;are inseparable.</p>
+
+<p>If you have a Windows NT server on the network acting as a PDC, we
+recommend that you do not try to use Samba to become the domain
+master browser. The reverse is true as well: if Samba is taking on
+the responsibilities of a PDC, we recommend making it the domain
+master browser as well. Although it is possible to split the roles
+with Samba, this is not a good idea. Using two different machines to
+serve as the PDC and the domain master browser can cause random
+errors to occur in a Windows workgroup.</p>
+
+<p>Samba can assume the role of a domain master browser for all subnets
+in the workgroup with the following options:</p>
+
+<blockquote><pre class="code">[global]
+    domain master = yes
+    preferred master = yes
+    local master = yes
+    os level = 255</pre></blockquote>
+
+<p>The final three parameters ensure that the server is also the local
+master browser, which is vital for it to work properly as the domain
+master browser. You can verify that a Samba machine is in fact the
+<a name="INDEX-64"/>domain master browser by checking the
+<em class="emphasis">nmbd</em><a name="INDEX-65"/><a name="INDEX-66"/> log file:</p>
+
+<blockquote><pre class="code">nmbd/nmbd_become_dmb.c:become_domain_master_stage2(118)
+*****
+Samba name server TOLTEC is now a domain master browser for
+workgroup METRAN on subnet 172.16.1.0</pre></blockquote>
+
+<p>Or you can use the
+<em class="emphasis">nmblookup</em><a name="INDEX-67"/> command that comes with the Samba
+distribution to query for a unique &lt;1B&gt; resource type in the
+workgroup:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>nmblookup METRAN#1B</b></tt>
+Sending queries to 172.16.1.255
+172.16.1.1 METRAN&lt;1b&gt;</pre></blockquote>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.5.1"/>
+
+<h3 class="head3">Multiple subnets</h3>
+
+<p><a name="INDEX-68"/>You must
+remember three rules when creating a
+<a name="INDEX-69"/>workgroup/domain
+that spans more than one subnet:</p>
+
+<ul><li>
+<p>You must have either a Windows NT/2000 or Samba server acting as a
+local master browser on each subnet in the workgroup/domain.</p>
+</li><li>
+<p>You must have a Windows NT/2000 Server edition or a Samba server
+acting as a domain master browser somewhere in the workgroup/domain.</p>
+</li><li>
+<p>A WINS server should be on the network, with each system on the
+network configured to use it for name resolution.</p>
+</li></ul>
+<p>Samba has some additional features you can use if you
+don't have or want a domain master browser on your
+network and still need to have <a name="INDEX-70"/>cross-subnet browsing. Consider the
+subnets shown in <a href="ch07.html#samba2-CHP-7-FIG-1">Figure 7-1</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-7-FIG-1"/><a name="INDEX-71"/><a name="INDEX-72"/><img src="figs/sam2_0701.gif"/></div><h4 class="head4">Figure 7-1. Multiple subnets with Samba servers</h4>
+
+<p>First, a Samba server that is a local master browser can use the
+<tt class="literal">remote</tt><a name="INDEX-73"/> <tt class="literal">announce</tt>
+configuration option to make sure that computers in different subnets
+are sent broadcast announcements about the server. This has the
+effect of ensuring that the Samba server appears in the browse lists
+of foreign subnets. To achieve this, however, the directed broadcasts
+must reach the local master browser on the other subnet. Be aware
+that many routers do not allow directed broadcasts by default; you
+might have to change this setting on the router for the directed
+broadcasts to get through to its subnet.</p>
+
+<p>With the <tt class="literal">remote</tt> <tt class="literal">announce</tt>
+option, list the subnets and the workgroup that should receive the
+broadcast. For example, to ensure that machines in the 172.16.2 and
+172.16.3 subnets and the METRAN workgroup are sent broadcast
+information from our Samba server, we could specify the following:</p>
+
+<blockquote><pre class="code">[global]
+    remote announce = 172.16.2.255/METRAN \
+        172.16.3.255/METRAN</pre></blockquote>
+
+<p>Instead of supplying a broadcast address of the remote subnet, you
+are allowed to specify the exact address where broadcasts should be
+sent if the local master browser on the foreign subnet is guaranteed
+to always have the same IP address.</p>
+
+<p>A Samba local master browser can synchronize its browse list directly
+with one or more Samba servers, each acting as a local master browser
+on a different subnet. This is another way to implement browsing
+across subnets. For example, let's assume that Samba
+is configured as a local master browser, and Samba local master
+browsers exist at 172.16.2.130 and 172.16.3.120. We can use the
+<tt class="literal">remote</tt> <tt class="literal">browse</tt>
+<tt class="literal">sync</tt> option to sync directly with the Samba
+servers, as follows:</p>
+
+<blockquote><pre class="code">[global]
+    remote browse sync = 172.16.2.130 172.16.3.120</pre></blockquote>
+
+<p>For this to work, the other Samba machines must also be local master
+browsers. You can also use directed broadcasts with this option if
+you do not know specific IP addresses of local master browsers.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.6"/>
+
+<h3 class="head2">Making a Share Invisible</h3>
+
+<p><a name="INDEX-74"/><a name="INDEX-75"/><a name="INDEX-76"/>You can keep a share from being in the
+browse list by using the
+<tt class="literal">browsable</tt><a name="INDEX-77"/> option. This Boolean option
+prevents a share from being seen in the Network Neighborhood or My
+Network Places. For example, to prevent the <tt class="literal">[data]</tt>
+share from being visible, we could write:</p>
+
+<blockquote><pre class="code">[data]
+    path = /export/samba/userdata
+    browsable = no</pre></blockquote>
+
+<p>Although you typically don't want to do this to an
+ordinary disk share, the <tt class="literal">browsable</tt> option is
+useful in the event that you need to create a share with contents
+that you do not want others to see, such as a
+<tt class="literal">[netlogon]</tt><a name="INDEX-78"/> share for storing logon scripts
+for Windows domain control (see <a href="ch04.html">Chapter 4</a> for more
+information on logon scripts).</p>
+
+<p>Another example is the
+<tt class="literal">[homes]</tt><a name="INDEX-79"/> share. This share is often marked
+nonbrowsable so that a share named <tt class="literal">[homes]</tt>
+won't appear when its machine's
+resources are browsed. However, if a user <tt class="literal">alice</tt>
+logs on and looks at the machine's shares, an
+<tt class="literal">[alice]</tt> share will appear under the machine.</p>
+
+<p>What if we wanted to make sure
+<tt class="literal">alice</tt>'s share appeared to
+everyone before she logs on? This could be done with the global
+<tt class="literal">auto</tt><a name="INDEX-80"/> <tt class="literal">services</tt>
+option. This option preloads shares into the browse list to ensure
+that they are always visible:</p>
+
+<blockquote><pre class="code">[global]
+    auto services = alice</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-7-SECT-2.7"/>
+
+<h3 class="head2">Browsing Options</h3>
+
+<p><a href="ch07.html#samba2-CHP-7-TABLE-4">Table 7-4</a> <a name="INDEX-81"/><a name="INDEX-82"/>shows
+options that define how Samba handles browsing tasks.</p>
+
+<a name="samba2-CHP-7-TABLE-4"/><h4 class="head4">Table 7-4. Browsing configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">announce as</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Operating system that Samba will announce itself as.</p>
+</td>
+<td>
+<p><tt class="literal">N T Server</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">announce</tt> <tt class="literal">version</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Version of the operating system that Samba will announce itself as.</p>
+</td>
+<td>
+<p><tt class="literal">4.5</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">browsable</tt> <tt class="literal">(browseable)</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Allows share to be displayed in list of machine resources.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">browse list</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to provide a browse list on
+this server.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">auto services</tt> <tt class="literal">(preload)</tt></p>
+</td>
+<td>
+<p>string (share list)</p>
+</td>
+<td>
+<p>List of shares that will always appear in the browse list.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">default</tt> <tt class="literal">service (default)</tt></p>
+</td>
+<td>
+<p>string (share name)</p>
+</td>
+<td>
+<p>Name of a share (service) that will be provided if the client
+requests a share not listed in <em class="emphasis">smb.conf</em>.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">local master</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to participate in browsing
+elections.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lm announce</tt></p>
+</td>
+<td>
+<p><tt class="literal">yes</tt>, <tt class="literal">no</tt>, or
+<tt class="literal">auto</tt></p>
+</td>
+<td>
+<p>Enables or disables LAN Manager-style host announcements.</p>
+</td>
+<td>
+<p><tt class="literal">auto</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lm interval</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Frequency in seconds that LAN Manager announcements will be made if
+activated.</p>
+</td>
+<td>
+<p><tt class="literal">60</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">preferred</tt> <tt class="literal">master (prefered
+master)</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to use the preferred master
+browser bit to attempt to become the local master browser.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">domain master</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to become the domain browser
+master for the workgroup or domain.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">os level</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Operating system level of Samba in an election for local master
+browser.</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">remote browse</tt> <tt class="literal">sync</tt></p>
+</td>
+<td>
+<p>string (list of IP addresses)</p>
+</td>
+<td>
+<p>Samba servers to synchronize browse lists with.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">remote</tt> <tt class="literal">announce</tt></p>
+</td>
+<td>
+<p>string (IP address/workgroup pairs)</p>
+</td>
+<td>
+<p>Subnets and workgroups to send directed broadcast packets to,
+allowing Samba to appear in their browse lists.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.1"/>
+
+<a name="INDEX-83"/><h3 class="head3">announce as</h3>
+
+<p>This global configuration option specifies the type of operating
+system that Samba announces to other machines on the network. The
+default value for this option is <tt class="literal">N T</tt>
+<tt class="literal">Server</tt>, which causes Samba to masquerade as a
+Windows NT Server operating system. Other possible values are
+<tt class="literal">NT</tt>, <tt class="literal">NT</tt>
+<tt class="literal">Workstation</tt>, <tt class="literal">Win95</tt>, and
+<tt class="literal">W f W</tt> for a Windows for Workgroup operating
+system. You can override the default value with the following:</p>
+
+<blockquote><pre class="code">[global]
+    announce as = Win95</pre></blockquote>
+
+<p>We recommend against changing the default value of this configuration
+option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.2"/>
+
+<a name="INDEX-84"/><h3 class="head3">announce version</h3>
+
+<p>This global option is frequently used with the
+<tt class="literal">announce</tt> <tt class="literal">as</tt> configuration
+option; it specifies the version of the operating system that Samba
+announces to other machines on the network. The default value of this
+option is 4.5, which places Samba above Windows NT Version 4.0, but
+below Windows 2000. You can specify a new value with a global entry
+such as the following:</p>
+
+<blockquote><pre class="code">[global]
+    announce version = 4.3</pre></blockquote>
+
+<p>We recommend against changing the default value of this configuration
+option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.3"/>
+
+<h3 class="head3">browsable</h3>
+
+<p>The <tt class="literal">browsable</tt><a name="INDEX-85"/> option (also spelled
+<tt class="literal">browseable</tt>) indicates whether the share referenced
+should appear in the list of available resources for the system on
+which it resides. This option is always set to <tt class="literal">yes</tt>
+by default. If you wish to prevent the share from being seen in a
+client's browser, you can reset this option to
+<tt class="literal">no</tt>.</p>
+
+<p>Note that this does not prevent someone from accessing the share
+using other means, such as specifying a UNC location (e.g.,
+<tt class="literal">\\server\accounting)</tt> in Windows Explorer. It only
+prevents the share from being listed under the
+system's resources when being browsed.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.4"/>
+
+<a name="INDEX-86"/><h3 class="head3">browse list</h3>
+
+<p>You should never need to change this parameter from its default value
+of <tt class="literal">yes</tt>. If your Samba server is acting as a local
+master browser (i.e., it has won the browsing election), you can use
+the global <tt class="literal">browse</tt> <tt class="literal">list</tt> option
+to instruct Samba to provide or withhold its browse list to all
+clients. By default, Samba always provides a browse list. You can
+withhold this information by specifying the following:</p>
+
+<blockquote><pre class="code">[global]
+    browse list = no</pre></blockquote>
+
+<p>If you disable the browse list, clients cannot browse the names of
+other machines, their services, and other domains currently available
+on the network. Note that this won't make any
+particular machine inaccessible; if someone knows a valid machine
+name/address and a share on that machine, he can still connect to it
+explicitly using the Windows <em class="emphasis">net use</em> command or
+by mapping a drive letter to it using Windows Explorer. It simply
+prevents information in the browse list from being retrieved by any
+client that requests it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.5"/>
+
+<h3 class="head3">auto services</h3>
+
+<p>The global <tt class="literal">auto</tt><a name="INDEX-87"/>
+<tt class="literal">services</tt> option, which is also called
+<tt class="literal">preload</tt> <a name="INDEX-88"/>, ensures that the specified
+shares are always visible in the browse list. One common use for this
+option is to advertise specific user or printer shares that are
+created by the <tt class="literal">[homes]</tt> or
+<tt class="literal">[printers]</tt> shares, but are not otherwise
+browsable.</p>
+
+<p>This option works best with disk shares. If you wish to force each of
+your system printers (i.e., those listed in the printer capabilities
+file) to appear in the browse list, we recommend using the
+<tt class="literal">load</tt> <tt class="literal">printers</tt> option instead.</p>
+
+<p>Shares listed with the <tt class="literal">auto</tt>
+<tt class="literal">services</tt> option will not be displayed if the
+<tt class="literal">browse</tt> <tt class="literal">list</tt> option is set to
+<tt class="literal">no</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.6"/>
+
+<h3 class="head3">default service</h3>
+
+<p>The global <tt class="literal">default</tt><a name="INDEX-89"/>
+<tt class="literal">service</tt> option (sometimes called
+<tt class="literal">default</tt>) names a
+&quot;last-ditch&quot; share. The value is
+set to an existing share name without the enclosing brackets. When a
+client requests a nonexistent disk or printer share, Samba will
+attempt to connect the user to the share specified by this option
+instead. The option is specified as follows:</p>
+
+<blockquote><pre class="code">[global]
+    default service = helpshare</pre></blockquote>
+
+<p>When Samba redirects the requested, nonexistent service to the
+service specified by <tt class="literal">default</tt>
+<tt class="literal">service</tt>, the <tt class="literal">%S</tt> option takes on
+the value of the requested service, with any underscores (
+<tt class="literal">_</tt> ) in the requested service replaced by forward slashes
+(<tt class="literal">/</tt>).</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.7"/>
+
+<a name="INDEX-90"/><h3 class="head3">local master</h3>
+
+<p>This global option specifies whether Samba will attempt to become the
+local master browser for the subnet when it starts up. If this option
+is set to <tt class="literal">yes</tt>, Samba will participate in
+elections. However, setting this option by itself does not guarantee
+victory. (Other parameters, such as <tt class="literal">preferred</tt>
+<tt class="literal">master</tt> and <tt class="literal">os</tt>
+<tt class="literal">level</tt>, help Samba win browsing elections.) If this
+option is set to <tt class="literal">no</tt>, Samba will lose all browsing
+elections, regardless of which values are specified by the other
+configuration options. The default value is <tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.8"/>
+
+<h3 class="head3">lm announce</h3>
+
+<p>The global <tt class="literal">lm</tt><a name="INDEX-91"/>
+<tt class="literal">announce</tt> option tells Samba's
+<em class="emphasis">nmbd</em> whether to send <a name="INDEX-92"/>LAN Manager host
+announcements on behalf of the server. These host announcements might
+be required by older clients, such as IBM's OS/2
+operating system. This announcement allows the server to be added to
+the browse lists of the client. If activated, Samba will announce
+itself repetitively at the number of seconds specified by the
+<tt class="literal">lm</tt> <tt class="literal">interval</tt> option.</p>
+
+<p>You can specify the option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    lm announce = yes</pre></blockquote>
+
+<p>This configuration option takes the standard Boolean values,
+<tt class="literal">yes</tt> and <tt class="literal">no</tt>, which enable or
+disable LAN Manager announcements, respectively. In addition, a third
+option, <tt class="literal">auto</tt>, causes <em class="emphasis">nmbd</em> to
+listen passively for LAN Manager announcements, but not to send any
+of its own initially. If LAN Manager announcements are detected for
+another machine on the network, <em class="emphasis">nmbd</em> will start
+sending its own LAN Manager announcements to ensure that it is
+visible. The default value is <tt class="literal">auto</tt>. You probably
+won't need to change this value from its default.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.9"/>
+
+<a name="INDEX-93"/><h3 class="head3">lm interval</h3>
+
+<p>This option, which is used in conjunction with <tt class="literal">lm</tt>
+<tt class="literal">announce</tt>, indicates the number of seconds
+<em class="emphasis">nmbd</em> will wait before repeatedly broadcasting
+LAN Manager-style announcements. LAN Manager announcements must be
+enabled for this option to work. The default value is 60 seconds. If
+you set this value to 0, Samba will not send any LAN Manager host
+announcements, regardless of the value of the <tt class="literal">lm</tt>
+<tt class="literal">announce</tt> option. You can reset the value of this
+option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    lm interval = 90</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.10"/>
+
+<h3 class="head3">preferred master</h3>
+
+<p>The <tt class="literal">preferred</tt><a name="INDEX-94"/>
+<tt class="literal">master</tt> option requests that Samba set the
+preferred master bit when participating in an election. This gives
+the server a higher preferred status in the workgroup than other
+machines at the same operating-system level. If you are configuring
+your Samba machine to become the local master browser, it is wise to
+set the following value:</p>
+
+<blockquote><pre class="code">[global]
+    preferred master = yes</pre></blockquote>
+
+<p>Otherwise, you should leave it set to its default,
+<tt class="literal">no</tt>. If Samba is configured as a preferred master
+browser, it will force an election when it first comes online.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.11"/>
+
+<a name="INDEX-95"/><h3 class="head3">domain master</h3>
+
+<p>If Samba is the primary domain controller for your workgroup or NT
+domain, it should also be made the domain master browser. The domain
+master browser is a special machine that has the NetBIOS resource
+type &lt;1B&gt; and is used to propagate browse lists to and from
+each local master browser in individual subnets across the domain. To
+force Samba to become the <a name="INDEX-96"/>domain master browser, set the following in
+the <tt class="literal">[global]</tt> section of the
+<em class="filename">smb.conf</em>:</p>
+
+<blockquote><pre class="code">[global]
+    domain master = yes</pre></blockquote>
+
+<p>If you have a Windows NT server on the network acting as a primary
+domain controller (PDC), we recommend that you do not use Samba to
+become the domain master browser. The reverse is true as well: if
+Samba is taking on the responsibilities of a PDC, we recommend making
+it the domain master browser. Splitting the PDC and the domain master
+browser will cause unpredictable errors to occur on the network.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.12"/>
+
+<h3 class="head3">os level</h3>
+
+<p>The global <tt class="literal">os</tt><a name="INDEX-97"/> <tt class="literal">level</tt> option
+defines the operating-system value with which Samba will masquerade
+during a browser election. If you wish to have Samba win an election
+and become the master browser, set the <tt class="literal">os</tt>
+<tt class="literal">level</tt> higher than that of any other system on the
+subnet. The values are shown in <a href="ch07.html#samba2-CHP-7-TABLE-2">Table 7-2</a>. The
+default level is 20, which means that Samba will win elections
+against all versions of Windows, except Windows NT/2000 if it is
+operating as the PDC. If you wish Samba to win all elections, you can
+set its operating system value as follows:</p>
+
+<blockquote><pre class="code">[global]
+    os level = 255</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.13"/>
+
+<h3 class="head3">remote browse sync</h3>
+
+<p>The global <tt class="literal">remote</tt><a name="INDEX-98"/>
+<tt class="literal">browse</tt> <tt class="literal">sync</tt> option specifies
+that Samba should synchronize its browse lists with local master
+browsers in other subnets. However, the synchronization can occur
+only with other Samba servers and not with Windows computers. For
+example, if your Samba server were a master browser on the subnet
+172.16.235, and Samba local master browsers existed on other subnets
+located at 172.16.234.92 and 172.16.236.2, you would specify the
+following:</p>
+
+<blockquote><pre class="code">[global]
+    remote browse sync = 172.16.234.92 172.16.236.2</pre></blockquote>
+
+<p>The Samba server would then directly contact the other machines on
+the address list and synchronize browse lists. You can also say:</p>
+
+<blockquote><pre class="code">[global]
+    remote browse sync = 172.16.234.255 172.16.236.255</pre></blockquote>
+
+<p>This forces Samba to broadcast queries to determine the IP addresses
+of the local master browser on each subnet, with which it will then
+synchronize browse lists. This works, however, only if your router
+doesn't block directed broadcast requests ending in
+255.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-7-SECT-2.7.14"/>
+
+<h3 class="head3">remote announce</h3>
+
+<p>Samba servers are capable of providing browse lists to foreign
+subnets with the <tt class="literal">remote</tt><a name="INDEX-99"/>
+<tt class="literal">announce</tt> option. This is typically sent to the
+local master browser of the foreign subnet in question. However, if
+you do not know the address of the local master browser, you can do
+the following:</p>
+
+<blockquote><pre class="code">[global]
+    remote announce = 172.16.234.255/ACCOUNTING \       
+                        172.16.236.255/ACCOUNTING</pre></blockquote>
+
+<p>With this, Samba will broadcast host announcements to all machines on
+subnets 172.16.234 and 172.16.236, which will hopefully reach the
+local master browser of the subnet.</p>
+
+<p>You can also specify exact IP addresses, if they are known, but this
+works only if the systems are guaranteed to maintain the role of
+master browser on their subnets. By appending a workgroup or domain
+name to the IP address, Samba announces that it is in that workgroup
+or domain. If this is left out, the workgroup set by the
+<tt class="literal">workgroup</tt> parameter is used. <a name="INDEX-100"/> <a name="INDEX-101"/><a name="INDEX-102"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> As we explained in
+<a href="ch01.html">Chapter 1</a>, a system can register under more than
+one NetBIOS name. We use the singular here only to keep our
+explanation simple.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch08.html b/docs/htmldocs/using_samba/ch08.html
new file mode 100644
index 0000000000..001a86a4a3
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch08.html
@@ -0,0 +1,3744 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 8. Advanced Disk Shares</h1>
+
+
+<p>This chapter continues our discussion of configuring Samba from <a href="ch06.html">Chapter 6</a>. We will cover some more advanced issues
+regarding the integration of Unix and Windows filesystems, including
+hidden files, Unix links, file permissions, name mangling, case
+sensitivity of filenames, file locking, opportunistic locking
+(oplocks), connection scripts, supporting Microsoft Dfs (Distributed
+filesystem) shares, and using NIS home directories.</p>
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-1"/>
+
+<h2 class="head1">Filesystem Differences</h2>
+
+<p>One of the biggest issues for which Samba has to correct is the
+difference between Unix and Microsoft filesystems. This includes
+items such as handling symbolic links, hidden files, and dot files.
+In addition, file permissions can also be a headache if not properly
+accounted for.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-1.1"/>
+
+<h3 class="head2">Hiding and Vetoing Files</h3>
+
+<p><a name="INDEX-1"/><a name="INDEX-2"/>Sometimes you need to ensure that a user
+cannot see or access a file at all. Other times, you
+don't want to keep users from accessing a
+file&mdash;you just want to hide it when they view the contents of
+the directory. On Windows systems, an attribute of files allows them
+to be hidden from a folder listing. With Unix, the traditional way of
+hiding files in a directory is to use a <a name="INDEX-3"/><a name="INDEX-4"/>dot (.) as the first character in the
+filename. This prevents items such as configuration files from being
+seen when performing an ordinary <em class="emphasis">ls</em> command.
+Keeping a user from accessing a file at all, however, involves
+working with permissions on files and directories.</p>
+
+<p>The first option we should discuss is the Boolean
+<tt class="literal">hide</tt><a name="INDEX-5"/><a name="INDEX-6"/> <tt class="literal">dot</tt>
+<tt class="literal">files</tt>. When it is set to <tt class="literal">yes</tt>,
+Samba reports files beginning with a period (.) as having their
+hidden attribute set. If the user has chosen to show all hidden files
+while browsing (e.g., using the Folder Options menu item under the
+View menu in Windows 98), he will still be able to see the files,
+although his icons will appear
+&quot;ghosted,&quot; or slightly grayed-out.
+If the client is configured not to show hidden files, the files will
+not appear at all.</p>
+
+<p>Instead of simply hiding files beginning with a dot, you can also
+specify a string pattern to Samba for files to hide, using the
+<tt class="literal">hide</tt><a name="INDEX-7"/> <tt class="literal">files</tt>
+option. For example, let's assume you specified the
+following in our example <tt class="literal">[data]</tt> share:</p>
+
+<blockquote><pre class="code">[data]
+    hide files = /*.java/*README*/</pre></blockquote>
+
+<p>Each entry for this option must begin, end, or be separated from
+another with a slash ( / ) character, even if only one pattern is
+listed. This convention allows spaces to appear in filenames. The
+slashes have nothing to do with Unix directories; they are instead
+acting as delimiters for the <tt class="literal">hide</tt>
+<tt class="literal">files</tt> values.</p>
+
+<p>If you want to prevent users from seeing files completely, you can
+instead use the <tt class="literal">veto</tt><a name="INDEX-8"/> <tt class="literal">files</tt>
+option. This option, which takes the same syntax as the
+<tt class="literal">hide</tt> <tt class="literal">files</tt> option, specifies a
+list of files that should never be seen by the user. For example,
+let's change the <tt class="literal">[data]</tt> share to
+the following:</p>
+
+<blockquote><pre class="code">[data]
+    veto files = /*.java/*README*/</pre></blockquote>
+
+<p>The syntax of this option is identical to the <tt class="literal">hide</tt>
+<tt class="literal">files</tt> configuration option: each entry must begin,
+end, or be separated from another with a slash (<tt class="literal">/</tt>)
+character, even if only one pattern is listed. If you do so, files
+that match the pattern, such as <em class="filename">hello.java</em> and
+<em class="filename">README.txt,</em> will simply disappear from the
+directory, and the user cannot access them through SMB.</p>
+
+<p><a name="INDEX-9"/>We need to address
+one other question. What happens if the user tries to delete a
+directory that contains vetoed files? This is where the
+<tt class="literal">delete</tt><a name="INDEX-10"/> <tt class="literal">veto</tt>
+<tt class="literal">files</tt> option comes in. If this Boolean option is
+set to <tt class="literal">yes</tt>, the user can delete both the regular
+files and the vetoed files in the directory, and the directory itself
+is removed. If the option is set to <tt class="literal">no</tt>, the user
+cannot delete the vetoed files, and consequently the directory is not
+deleted either. From the user's perspective, the
+directory appears empty, but cannot be removed.</p>
+
+<p>The <tt class="literal">dont</tt><a name="INDEX-11"/> <tt class="literal">descend</tt>
+directive specifies a list of directories whose contents Samba should
+not make visible. Note that we say <em class="emphasis">contents</em>, not
+the directory itself. Users can enter a directory marked as such, but
+they are prohibited from descending the directory tree any
+farther&mdash;they always see an empty folder. For example,
+let's use this option with a more basic form of the
+share that we defined earlier in the chapter:</p>
+
+<blockquote><pre class="code">[data]
+    dont descend = config defaults</pre></blockquote>
+
+<p>In addition, let's assume that the
+<em class="filename">/home/samba/data</em> directory has the following
+contents:</p>
+
+<blockquote><pre class="code">drwxr-xr-x   6 tom      users     1024 Jun 13 09:24 .
+drwxr-xr-x   8 root     root      1024 Jun 10 17:53 ..
+-rw-r--r--   2 tom      users     1024 Jun  9 11:43 README
+drwxr-xr-x   3 tom      users     1024 Jun 13 09:28 config
+drwxr-xr-x   3 tom      users     1024 Jun 13 09:28 defaults
+drwxr-xr-x   3 tom      users     1024 Jun 13 09:28 market</pre></blockquote>
+
+<p>If the user then connects to the share, she would see the directories
+in the share. However, the contents of the
+<em class="filename">/config</em> and <em class="filename">/defaults</em>
+directories would appear empty to her, even if other folders or files
+existed in them. In addition, users cannot write any data to the
+folder (which prevents them from creating a file or folder with the
+same name as one that is already there but invisible). If a user
+attempts to do so, she will receive an &quot;Access
+Denied&quot; message. The <tt class="literal">dont</tt>
+<tt class="literal">descend</tt> option is an administrative
+option&mdash;not a security option&mdash;and is not a substitute for
+good file permissions. <a name="INDEX-12"/><a name="INDEX-13"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-1.2"/>
+
+<h3 class="head2">Links</h3>
+
+<p><a name="INDEX-14"/>When a client
+tries to open a symbolic link on a Samba server share, Samba attempts
+to follow the link to find the real file and let the client open it,
+as if the user were on a Unix machine. If you don't
+want to allow this, set the <tt class="literal">follow</tt>
+<tt class="literal">symlinks</tt> option like this:</p>
+
+<blockquote><pre class="code">[data]
+    follow symlinks = no</pre></blockquote>
+
+<p>You can test this by setting up and trying to access a symbolic link.
+Create a directory on the Unix server inside the share, acting as the
+user under which you will log in to Samba. Enter the following
+commands:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>echo &quot;This is a test&quot; &gt;hello.txt</b></tt>
+$ <tt class="userinput"><b>ln -s hello.txt hello-link.txt</b></tt></pre></blockquote>
+
+<p>This results in the text file <em class="filename">hello.txt</em> and a
+symbolic link to it called <em class="filename">hello-link.txt</em>.
+Normally, if you double-click either one, you will receive a file
+that has the text &quot;This is a test&quot;
+inside of it. However, with the <tt class="literal">follow</tt>
+<tt class="literal">symlinks</tt><a name="INDEX-15"/> option set to
+<tt class="literal">no</tt>, you will receive an error dialog if you
+double-click <em class="filename">hello-link.txt</em>.</p>
+
+<p>The <tt class="literal">wide</tt><a name="INDEX-16"/> <tt class="literal">links</tt>
+option, if set to <tt class="literal">no</tt>, prevents the client user
+from following symbolic links that point outside the shared directory
+tree. For example, let's assume that we modified the
+<tt class="literal">[data]</tt> share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    follow symlinks = yes
+    wide links = no</pre></blockquote>
+
+<p>As long as the <tt class="literal">follow</tt><a name="INDEX-17"/>
+<tt class="literal">symlinks</tt> option is disabled, Samba will refuse to
+follow any symbolic links outside the current share tree. If we
+create a file outside the share (for example, in
+someone's home directory) and then create a link to
+it in the share as follows:</p>
+
+<blockquote><pre class="code">ln -s ~tom/datafile ./datafile</pre></blockquote>
+
+<p>the client cannot open the file in Tom's home
+directory.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-1.3"/>
+
+<h3 class="head2">Filesystem Options</h3>
+
+<p><a href="ch08.html#samba2-CHP-8-TABLE-1">Table 8-1</a> <a name="INDEX-18"/><a name="INDEX-19"/>shows a breakdown of the options we
+discussed earlier. We recommend the defaults for most, except those
+listed in the following descriptions.</p>
+
+<a name="samba2-CHP-8-TABLE-1"/><h4 class="head4">Table 8-1. Filesystem configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">dont descend</tt></p>
+</td>
+<td>
+<p>string (list of directories)</p>
+</td>
+<td>
+<p>Indicates a list of directories whose contents Samba should make
+invisible to clients.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">follow</tt> <tt class="literal">symlinks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">no</tt>, will not honor symbolic links.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">getwd cache</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, will use a cache for
+<tt class="literal">getwd( )</tt> calls.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">wide links</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, will follow symbolic links outside
+the share.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">hide dot files</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, treats Unix hidden files as hidden
+files in Windows.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">hide files</tt></p>
+</td>
+<td>
+<p>string (list of files)</p>
+</td>
+<td>
+<p>List of file patterns to treat as hidden.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">veto files</tt></p>
+</td>
+<td>
+<p>string (list of files)</p>
+</td>
+<td>
+<p>List of file patterns to never show.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">delete veto</tt> <tt class="literal">files</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, will delete files matched by
+<tt class="literal">veto files</tt> when the directory they reside in is
+deleted.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.1"/>
+
+<h3 class="head3">dont descend</h3>
+
+<p>The <tt class="literal">dont</tt><a name="INDEX-20"/> <tt class="literal">descend</tt>
+option can be used to specify various directories that should appear
+empty to the client. Note that the directory itself will still
+appear. However, Samba will not show any of the contents of the
+directory to the client user. This is not a good option to use as a
+security feature; it is really meant only as a convenience to keep
+users from casually browsing into directories that might have
+sensitive files. See our example earlier in this section.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.2"/>
+
+<a name="INDEX-21"/><h3 class="head3">follow symlinks</h3>
+
+<p>This option controls whether Samba will follow a symbolic link in the
+Unix operating system to the target or if it should return an error
+to the client user. If the option is set to <tt class="literal">yes</tt>,
+the target of the link will be interpreted as the file. If set to
+<tt class="literal">no</tt>, an error will be generated if the symbolic
+link is accessed.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.3"/>
+
+<a name="INDEX-22"/><h3 class="head3">getwd cache</h3>
+
+<p>This global option specifies whether Samba should use a local cache
+for the Unix <em class="emphasis">getwd( )</em> ( get current working
+directory) system call. You can override the default value of
+<tt class="literal">yes</tt> as follows:</p>
+
+<blockquote><pre class="code">[global]
+    getwd cache = no</pre></blockquote>
+
+<p>Setting this option to <tt class="literal">no</tt> can significantly
+increase the time it takes to resolve the working directory,
+especially if the <tt class="literal">wide</tt> <tt class="literal">links</tt>
+option is set to <tt class="literal">no</tt>. You should normally not need
+to alter this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.4"/>
+
+<a name="INDEX-23"/><h3 class="head3">wide links</h3>
+
+<p>This option specifies whether the client user can follow symbolic
+links that point outside the shared directory tree. This includes any
+files or directories at the other end of the link, as long as the
+permissions are correct for the user. The default value for this
+option is <tt class="literal">yes</tt>. Note that this option will not be
+honored if the <tt class="literal">follow</tt> <tt class="literal">symlinks</tt>
+options is set to <tt class="literal">no</tt>. Setting this option to
+<tt class="literal">no</tt> slows <em class="emphasis">smbd</em> considerably
+because it will have to check each link it encounters.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.5"/>
+
+<h3 class="head3">hide dot files</h3>
+
+<p>The <tt class="literal">hide</tt><a name="INDEX-24"/><a name="INDEX-25"/> <tt class="literal">dot</tt>
+<tt class="literal">files</tt> option hides any files on the server that
+begin with a dot (.) character to mimic the functionality behind
+several shell commands that are present on Unix systems. Like
+<tt class="literal">hide</tt> <tt class="literal">files</tt>, those files that
+begin with a dot have the DOS hidden attribute set, which
+doesn't guarantee that a client cannot view them.
+The default value for this option is <tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.6"/>
+
+<h3 class="head3">hide files</h3>
+
+<p>The <tt class="literal">hide</tt><a name="INDEX-26"/> <tt class="literal">files</tt> option
+provides one or more directory or filename patterns to Samba. Any
+file matching this pattern will be treated as a hidden file from the
+perspective of the client. Note that this simply means that the DOS
+hidden attribute is set, which might or might not mean that the user
+can actually see it while browsing.</p>
+
+<p>Each entry in the list must begin, end, or be separated from another
+entry with a slash (<tt class="literal">/</tt>) character, even if only one
+pattern is listed. This allows spaces to appear in the list.
+Asterisks can be used as a wildcard to represent zero or more
+characters. Questions marks can be used to represent exactly one
+character. For example:</p>
+
+<blockquote><pre class="code">hide files = /.jav*/README.???/</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.7"/>
+
+<a name="INDEX-27"/><h3 class="head3">veto files</h3>
+
+<p>More stringent than the hidden files state is the state provided by
+the <tt class="literal">veto</tt> <tt class="literal">files</tt> configuration
+option. Samba won't even admit these files exist.
+You cannot list or open them from the client. This should not be used
+as a means of implementing security. It is actually a mechanism to
+keep PC programs from deleting special files, such as ones used to
+store the resource fork of a Macintosh file on a Unix filesystem. If
+both Windows and Macs are sharing the same files, this can prevent
+ill-advised power users from removing files the Mac users need.</p>
+
+<p>The syntax of this option is identical to that of the
+<tt class="literal">hide</tt> <tt class="literal">files</tt> configuration
+option: each entry must begin, end, or be separated from another with
+a slash ( / ) character, even if only one pattern is listed.
+Asterisks can be used as a wildcard to represent zero or more
+characters. Question marks can be used to represent exactly one
+character. For example:</p>
+
+<blockquote><pre class="code">veto files = /*config/*default?/</pre></blockquote>
+
+<p>This option is primarily administrative and is not a substitute for
+good file permissions.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-1.3.8"/>
+
+<a name="INDEX-28"/><h3 class="head3">delete veto files</h3>
+
+<p>This option tells Samba to delete vetoed files when a user attempts
+to delete the directory in which they reside. The default value is
+<tt class="literal">no</tt>. This means that if a user tries to delete a
+directory that contains a vetoed file, the file (and the directory)
+will not be deleted. Instead, the directory remains and appears empty
+from the perspective of the user. If set to <tt class="literal">yes</tt>,
+the directory and the vetoed files will be deleted. <a name="INDEX-29"/><a name="INDEX-30"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-2"/>
+
+<h2 class="head1">File Permissions and Attributes on MS-DOS and Unix</h2>
+
+<p><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>Originally, DOS was not intended to be a
+multiuser, networked operating system. Unix, on the other hand, was
+designed for multiple users from the start. Consequently, Samba must
+not only be aware of, but also provide special solutions for,
+inconsistencies and gaps in coverage between the two filesystems. One
+of the biggest gaps is how Unix and DOS handle permissions on files.</p>
+
+<p>Let's take a look at how Unix assigns permissions.
+All Unix files have read, write, and execute bits for three
+classifications of users: owner, group, and world. These permissions
+can be seen at the extreme lefthand side when an <em class="emphasis">ls
+-al</em> command is issued in a Unix directory. For example:</p>
+
+<blockquote><pre class="code">-rwxr--r--   1 tom     users   2014 Apr 13 14:11 access.conf</pre></blockquote>
+
+<p>Windows, on the other hand, has four principal bits that it uses with
+any file: read-only, system, hidden, and archive. You can view these
+bits by right-clicking the file and choosing the Properties menu
+item. You should see a dialog similar to <a href="ch08.html#samba2-CHP-8-FIG-1">Figure 8-1</a>.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a></p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-1"/><img src="figs/sam2_0801.gif"/></div><h4 class="head4">Figure 8-1. DOS and Windows file properties</h4>
+
+<p>The definition of each bit follows:</p>
+
+<dl>
+<dt><b>Read-only</b></dt>
+<dd>
+<p>The file's contents can be read by a user but cannot
+be written to.</p>
+</dd>
+
+
+
+<dt><b>System</b></dt>
+<dd>
+<p>This file has a specific purpose required by the operating system.</p>
+</dd>
+
+
+
+<dt><b>Hidden</b></dt>
+<dd>
+<p>This file has been marked to be invisible to the user, unless the
+operating system is explicitly set to show it.</p>
+</dd>
+
+
+
+<dt><b>Archive</b></dt>
+<dd>
+<p>This file has been touched since the last DOS backup was performed on
+it.</p>
+</dd>
+
+</dl>
+
+<p>Note that there is no bit to specify that a file is executable. DOS
+and Windows NT filesystems identify executable files by giving them
+the extensions <em class="filename">.exe</em>, <em class="filename">.com</em>,
+<em class="filename">.cmd</em>, or <em class="filename">.bat</em>.</p>
+
+<p>Consequently, there is no use for any of the three Unix executable
+bits that are present on a file in a Samba disk share. DOS files,
+however, have their own attributes that need to be preserved when
+they are stored in a Unix environment: the archive, system, and
+hidden bits. Samba can preserve these bits by reusing the executable
+permission bits of the file on the Unix side&mdash;if it is
+instructed to do so. Mapping these bits, however, has an unfortunate
+side effect: if a Windows user stores a file in a Samba share, and
+you view it on Unix with the <em class="emphasis">ls -al</em> command,
+some of the executable bits won't mean what
+you'd expect them to.</p>
+
+<p>Three Samba options decide whether the bits are mapped:
+<tt class="literal">map</tt><a name="INDEX-34"/> <tt class="literal">archive</tt>,
+<tt class="literal">map</tt><a name="INDEX-35"/> <tt class="literal">system</tt> , and
+<tt class="literal">map</tt><a name="INDEX-36"/> <tt class="literal">hidden</tt>. These options
+map the archive, system, and hidden attributes to the owner, group,
+and world execute bits of the file, respectively. You can add these
+options to the <tt class="literal">[data]</tt> share, setting each of their
+values as follows:</p>
+
+<blockquote><pre class="code">[data]
+    map archive = yes
+    map system = yes
+    map hidden = yes</pre></blockquote>
+
+<p>After that, try creating a file in the share under Unix&mdash;such as
+<em class="emphasis">hello.java</em>&mdash;and change the permissions of
+the file to 755. With these Samba options set, you should be able to
+check the permissions on the Windows side and see that each of the
+three values has been checked in the Properties dialog box. What
+about the read-only attribute? By default, Samba sets this whenever a
+file does not have the Unix owner write permission bit set. In other
+words, you can set this bit by changing the permissions of the file
+to 555.</p>
+
+<p>The default value of the <tt class="literal">map</tt>
+<tt class="literal">archive</tt> option is <tt class="literal">yes</tt>, while
+the other two options have a default value of <tt class="literal">no</tt>.
+This is because many programs do not work properly if the archive bit
+is not stored correctly for DOS and Windows files. The system and
+hidden attributes, however, are not critical for a
+program's operation and are left to the discretion
+of the administrator.</p>
+
+<p><a href="ch08.html#samba2-CHP-8-FIG-2">Figure 8-2</a> summarizes the <a name="INDEX-37"/><a name="INDEX-38"/>Unix permission bits and
+illustrates how Samba maps those bits to DOS attributes. Note that
+the group read/write and world read/write bits do not directly
+translate to a DOS attribute, but they still retain their original
+Unix definitions on the Samba server.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-2"/><img src="figs/sam2_0802.gif"/></div><h4 class="head4">Figure 8-2. How Samba and Unix view the permissions of a file</h4>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-2.1"/>
+
+<h3 class="head2">Creation Masks</h3>
+
+<p><a name="INDEX-39"/>File and directory creation masks are
+similar to <a name="INDEX-40"/>umasks you
+have probably encountered while working with Unix systems. They are
+used to help define the permissions that will be assigned to a file
+or directory at the time it is created. Samba's
+masks work differently in that the bits that can be set are set in
+the creation mask, while in Unix umasks, the bits
+<em class="emphasis">cannot</em> be set are set in the umask. We think you
+will find Samba's method to be much more intuitive.
+Once in a while you might need to convert between a Unix umask and
+the equivalent Samba mask. It is simple: one is just the bitwise
+complement of the other. For example, an octal umask of 0022 has the
+same effect as a Samba mask of 0755.</p>
+
+<p>Unix umasks are set on a user-by-user basis, usually while executing
+the GUI's or command-line shell's
+startup scripts. When users connect to a Samba share from a network
+client, these scripts are not executed, so Samba supplies the ability
+to set the creation masks for files and directories. By default, this
+is done on a share-by-share basis, although you can use the
+<tt class="literal">include</tt> parameter in the Samba configuration file
+(as explained in <a href="ch06.html">Chapter 6</a>) to assign masks on a
+user-by-user basis, thus matching conventional Unix behavior.</p>
+
+<p>To show how Samba's create masks work, suppose we
+have a Windows Me user connecting to his Unix home directory through
+Samba, and Samba is configured with <tt class="literal">create</tt>
+<tt class="literal">mask</tt> <tt class="literal">=</tt> <tt class="literal">777</tt>
+in the <tt class="literal">[homes]</tt> share. With this value,
+<tt class="literal">create</tt> <tt class="literal">mask</tt> will not affect the
+bits that are set on new files. If the user creates a file with
+Wordpad, it will appear in the Unix filesystem like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l file.doc</b></tt>
+-rwxrw-rw-    1 jay      jay             0 Sep 21 11:02 file.doc</pre></blockquote>
+
+<p>Wordpad created the file with read/write permissions (i.e., the
+MS-DOS read-only attribute was not set), so Samba mapped the MS-DOS
+attributes to Unix read/write permissions for user, group, and other.
+The <a name="INDEX-41"/><a name="INDEX-42"/>execute bit is set for the owner
+because by default, the <tt class="literal">map</tt>
+<tt class="literal">archive</tt> parameter is set to
+<tt class="literal">yes</tt>. The other execute bits are not set because
+<tt class="literal">map</tt> <tt class="literal">system</tt> and
+<tt class="literal">map</tt> <tt class="literal">hidden</tt> are set to
+<tt class="literal">no</tt> by default. You can customize this behavior as
+you see fit, and unless you do backups from MS-DOS or Windows
+systems, you might want to specify <tt class="literal">map</tt>
+<tt class="literal">archive</tt> <tt class="literal">=</tt> <tt class="literal">no</tt>
+to avoid Windows files from appearing as executables on the Unix
+system.</p>
+
+<p>Now suppose we set
+<tt class="literal">create</tt><a name="INDEX-43"/> <tt class="literal">mask</tt> to have
+an effect. For example:</p>
+
+<blockquote><pre class="code">[homes]
+    create mask = 664</pre></blockquote>
+
+<p>This is equivalent to a Unix umask of 113. If the user creates the
+Wordpad document as before, it will show up as:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l file.doc</b></tt>
+-rw-rw-r--    1 jay      jay             0 Sep 22 16:38 file.doc</pre></blockquote>
+
+<p>Comparing this to the previous example, notice that not only has the
+write permission for other disappeared as we expected, but so has the
+execute permission for owner. This happened because the value of
+<tt class="literal">create</tt> <tt class="literal">mask</tt> logically ANDs the
+owner's permissions with a 6, which has masked off
+the execute bit. The lesson here is that if you want to enable any of
+<tt class="literal">map</tt> <tt class="literal">archive</tt>,
+<tt class="literal">map</tt> <tt class="literal">system</tt>, or
+<tt class="literal">map</tt> <tt class="literal">hidden</tt>, you must be careful
+not to mask off the corresponding execute bit with your
+<tt class="literal">create</tt> <tt class="literal">mask</tt>.</p>
+
+<p>The <tt class="literal">directory</tt><a name="INDEX-44"/> <tt class="literal">mask</tt>
+option works similarly, masking permissions for newly created
+directories. The following example will allow the permissions of a
+newly created directory to be, at most, 755:</p>
+
+<blockquote><pre class="code">[data]
+    directory mask = 755</pre></blockquote>
+
+<p>Also, you can force various bits with the <tt class="literal">force</tt>
+<tt class="literal">create</tt> <tt class="literal">mode</tt> and
+<tt class="literal">force</tt> <tt class="literal">directory</tt>
+<tt class="literal">mode</tt> options. These options will perform a logical
+OR against the file and directory creation masks, ensuring that those
+bits that are specified will always be set. You would typically set
+these options globally to ensure that group and world read/write
+permissions have been set appropriately for new files or directories
+in each share.</p>
+
+<p>In the same spirit, if you wish to set explicitly the Unix user and
+group attributes of a file created on the Windows side, you can use
+the <tt class="literal">force</tt><a name="INDEX-45"/> <tt class="literal">user</tt> and
+<tt class="literal">force</tt><a name="INDEX-46"/> <tt class="literal">group</tt>
+options. For example:</p>
+
+<blockquote><pre class="code">[data]
+    create mask = 744
+    directory mask = 755
+    force user = joe
+    force group = accounting</pre></blockquote>
+
+<p>These options assign the same Unix username and group to every client
+that connects to the share. However, this occurs
+<em class="emphasis">after</em> the client authenticates; it does not
+allow free access to a share. These options are frequently used for
+their side effects of assigning a specific user and group to each new
+file or directory that is created in a share. Use these options with
+discretion.</p>
+
+<p>Finally, one of the capabilities of Unix that DOS lacks is the
+ability to delete a read-only file from a writable directory. In
+Unix, if a directory is writable, a read-only file in that directory
+can still be removed. This could permit you to delete files in any of
+your directories, even if the file was left by someone else.</p>
+
+<p>DOS filesystems are not designed for multiple users, and so its
+designers decided that read-only means &quot;protected
+against accidental change, including deletion,&quot;
+rather than &quot;protected against some other user on a
+single-user machine.&quot; So the designers of DOS
+prohibited removal of a read-only file. Even today, Windows
+filesystems exhibit the same behavior.</p>
+
+<p>Normally, this is harmless. Windows programs don't
+try to remove read-only files because they know it's
+a bad idea. However, a number of source-code control
+programs&mdash;which were first written for Unix&mdash;run on Windows
+and require the ability to delete read-only files. Samba permits this
+behavior with the <tt class="literal">delete</tt><a name="INDEX-47"/>
+<tt class="literal">readonly</tt> option. To enable this functionality, set
+the option to <tt class="literal">yes</tt>:</p>
+
+<a name="INDEX-48"/><blockquote><pre class="code">[data]
+    delete readonly = yes</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-2.2"/>
+
+<h3 class="head2">File and Directory Permission Options</h3>
+
+<p><a name="INDEX-49"/><a name="INDEX-50"/><a name="INDEX-51"/>The
+options for file and directory permissions are summarized in <a href="ch08.html#samba2-CHP-8-TABLE-2">Table 8-2</a>; each option is then described in detail.</p>
+
+<a name="samba2-CHP-8-TABLE-2"/><h4 class="head4">Table 8-2. File and directory permission options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">create mask</tt> <tt class="literal">(create mode)</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum permissions for files created by Samba.</p>
+</td>
+<td>
+<p><tt class="literal">0744</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">directory mask</tt> <tt class="literal">(directory mode)</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum permissions for directories created by Samba.</p>
+</td>
+<td>
+<p><tt class="literal">0744</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force create mode</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Forces the specified permissions (bitwise <tt class="literal">or</tt>) for
+directories created by Samba.</p>
+</td>
+<td>
+<p><tt class="literal">0000</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force directory</tt> <tt class="literal">mode</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Forces the specified permissions (bitwise <tt class="literal">or</tt>) for
+directories created by Samba.</p>
+</td>
+<td>
+<p><tt class="literal">0000</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force group</tt> <tt class="literal">(group)</tt></p>
+</td>
+<td>
+<p>string ( group name)</p>
+</td>
+<td>
+<p>Effective group for a user accessing this share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force user</tt></p>
+</td>
+<td>
+<p>string (username)</p>
+</td>
+<td>
+<p>Effective username for a user accessing this share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">delete readonly</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Allows a user to delete a read-only file from a writable directory.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">map archive</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Preserve DOS archive attribute in user execute bit (0100).</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">map system</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Preserve DOS system attribute in group execute bit (0010).</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">map hidden</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Preserve DOS hidden attribute in world execute bit (0001).</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">inherit permissions</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, permissions on new files and directories
+are inherited from parent directory.</p>
+</td>
+<td>
+<p>no</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.1"/>
+
+<a name="INDEX-52"/><h3 class="head3">create mask</h3>
+
+<p>The argument for this option is an octal number indicating which
+permission flags can be set at file creation by a client in a share.
+The default is 0744, which means that the Unix owner can at most
+read, write, and optionally execute her own files, while members of
+the user's group and others can only read or execute
+them. If you need to change it for nonexecutable files, we recommend
+0644, or <tt class="literal">rw-r--r--</tt>. Keep in mind that the execute
+bits can be used by the server to map certain DOS file attributes, as
+described earlier. If you're altering the create
+mask, those bits have to be part of the create mask as well.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.2"/>
+
+<a name="INDEX-53"/><h3 class="head3">directory mask</h3>
+
+<p>The argument for this option is an octal number indicating which
+permission flags can be set at directory creation by a client in a
+share. The default is 0744, which allows everyone on the Unix side
+to, at most, read and traverse the directories, but allows only you
+to modify them. We recommend the mask 0750, removing access by
+&quot;the world.&quot;</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.3"/>
+
+<a name="INDEX-54"/><h3 class="head3">force create mode</h3>
+
+<p>This option sets the permission bits that Samba will set when a file
+permission change is made. It's often used to force
+group permissions, as mentioned previously. It can also be used to
+preset any of the DOS attributes we mentioned: archive (0100), system
+(0010), or hidden (0001).</p>
+
+<a name="samba2-CHP-8-NOTE-139"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p><a name="INDEX-55"/>When saving
+documents, many Windows applications rename their datafiles with a
+<em class="filename">.bak</em> extension and create new ones. When the
+files are in a Samba share, this changes their ownership and
+permissions so that members of the same Unix group
+can't edit them. Setting <tt class="literal">force</tt>
+<tt class="literal">create mode = 0660</tt> will keep the new file editable
+by members of the group.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.4"/>
+
+<a name="INDEX-56"/><h3 class="head3">force directory mode</h3>
+
+<p>This option sets the permission bits that Samba will set when a
+directory permission change is made or a directory is created.
+It's often used to force group permissions, as
+mentioned previously. This option defaults to 0000 and can be used
+just like the <tt class="literal">force</tt> <tt class="literal">create</tt>
+<tt class="literal">mode</tt> to add group or other permissions if needed.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.5"/>
+
+<a name="INDEX-57"/><h3 class="head3">force group</h3>
+
+<p>This option, sometimes called <tt class="literal">group</tt>, assigns a
+static group ID that will be used on all connections to a share after
+the client has successfully authenticated. This assigns a specific
+group to each new file or directory created from an SMB client.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.6"/>
+
+<h3 class="head3">force user</h3>
+
+<p>The <tt class="literal">force</tt><a name="INDEX-58"/> <tt class="literal">user</tt> option
+assigns a static user ID that will be used on all connections to a
+share after the client has successfully authenticated. This assigns a
+specific user to each new file or directory created from an SMB
+client.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.7"/>
+
+<a name="INDEX-59"/><h3 class="head3">delete readonly</h3>
+
+<p>This option allows a user to delete a directory containing a
+read-only file. By default, DOS and Windows will not allow such an
+operation. You probably will want to leave this option turned off
+unless a program (for example, an RCS program) needs this capability;
+many Windows users would be appalled to find that
+they'd accidentally deleted a file that they had set
+as read-only.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.8"/>
+
+<a name="INDEX-60"/><h3 class="head3">map archive</h3>
+
+<p>The DOS archive bit is used to flag a file that has been changed
+since it was last archived (e.g., backed up with the DOS archive
+program). Setting the Samba option <tt class="literal">map</tt>
+<tt class="literal">archive</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> maps the DOS archive flag to the Unix
+execute-by-owner (0100) bit. It's best to leave this
+option on if your Windows users are doing their own backups or are
+using programs that require the archive bit. Unix lacks the notion of
+an archive bit entirely. Backup programs typically keep a file that
+lists what files were backed up on what date, so comparing
+file-modification dates serves the same purpose.</p>
+
+<p>Setting this option to <tt class="literal">yes</tt> causes an occasional
+surprise on Unix when a user notices that a datafile is marked as
+executable, but rarely causes harm. If a user tries to run it, he
+will normally get a string of error messages as the shell tries to
+execute the first few lines as commands. The reverse is also
+possible; an executable Unix program looks like it
+hasn't been backed up recently on Windows. But
+again, this is rare and usually harmless.</p>
+
+<p>For map archive to work properly, the execute bit for owner must not
+be masked off with the <tt class="literal">create</tt>
+<tt class="literal">mask</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.9"/>
+
+<a name="INDEX-61"/><h3 class="head3">map system</h3>
+
+<p>The DOS system attribute indicates files that are required by the
+operating system and should not be deleted, renamed, or moved without
+special effort. Set this option only if you need to store Windows
+system files on the Unix fileserver. Executable Unix programs will
+appear to be nonremovable, special Windows files when viewed from
+Windows clients. This might prove mildly inconvenient if you want to
+move or remove one. For most sites, however, this is fairly harmless.</p>
+
+<p>For map archive to work properly, the execute bit for group must not
+be masked off with the <tt class="literal">create</tt>
+<tt class="literal">mask</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.10"/>
+
+<a name="INDEX-62"/><h3 class="head3">map hidden</h3>
+
+<p>DOS uses the hidden attribute to indicate that a file should not
+ordinarily be visible in directory listings. Unix
+doesn't have such a facility; it's
+up to individual programs (notably, the shell) to decide what to
+display and what not to display. Normally, you won't
+have any DOS files that need to be hidden, so the best thing to do is
+to leave this option turned off.</p>
+
+<p>Setting this option to <tt class="literal">yes</tt> causes the server to
+map the hidden flag onto the executable-by-others bit (0001). This
+feature can produce a rather startling effect. Any Unix program that
+is executable by world seems to vanish when you look for it from a
+Windows client. If this option is not set, however, and a Windows
+user attempts to mark a file hidden on a Samba share, it will not
+work&mdash;Samba has no place to store the hidden attribute!</p>
+
+<p>For map archive to work properly, the execute bit for other must not
+be masked off with the <tt class="literal">create</tt>
+<tt class="literal">mask</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-2.2.11"/>
+
+<h3 class="head3">inherit permissions</h3>
+
+<p>When the <tt class="literal">inherit</tt><a name="INDEX-63"/>
+<tt class="literal">permissions</tt> option is set to
+<tt class="literal">yes</tt>, the <tt class="literal">create</tt>
+<tt class="literal">mask</tt>, <tt class="literal">directory</tt>
+<tt class="literal">mask</tt>, <tt class="literal">force</tt>
+<tt class="literal">create</tt> <tt class="literal">mode</tt>, and
+<tt class="literal">force</tt> <tt class="literal">directory</tt>
+<tt class="literal">mode</tt> are ignored. The normal behavior of setting
+the permissions on newly created files is overridden such that the
+new files and directories take on permissions from their parent
+directory. New directories will have exactly the same permissions as
+the parent, and new files will inherit the read and write bits from
+the parent directory, while the execute bits are determined as usual
+by the values of the <tt class="literal">map</tt>
+<tt class="literal">archive</tt>, <tt class="literal">map</tt>
+<tt class="literal">hidden</tt>, and <tt class="literal">map</tt>
+<tt class="literal">system</tt> parameters.</p>
+
+<p>By default, this option is set to <tt class="literal">no</tt>. <a name="INDEX-64"/><a name="INDEX-65"/><a name="INDEX-66"/> <a name="INDEX-67"/><a name="INDEX-68"/><a name="INDEX-69"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-3"/>
+
+<h2 class="head1">Windows NT/2000/XP ACLs</h2>
+
+<p><a name="INDEX-70"/><a name="INDEX-71"/><a name="INDEX-72"/><a name="INDEX-73"/>Unix and Windows
+have different <a name="INDEX-74"/>security models, and Windows NT/2000/XP
+has a security model that is different from Windows 95/98/Me. One
+area in which this is readily apparent is file protections. On Unix
+systems, the method used has traditionally been the 9-bit
+&quot;user, group, other&quot; system, in
+which read, write, and execute bits can be set separately for the
+owner of the file, the groups to which the owner belongs, and
+everyone else, respectively.</p>
+
+<p><a name="INDEX-75"/>Windows 95/98/Me has a file-protection
+system that is essentially no protection at all. This family of
+operating systems was developed from MS-DOS, which was implemented as
+a non-networked, single-user system. Multiuser security simply was
+never added. One apparent exception to this is user-level security
+for shared files, which we will discuss in <a href="ch09.html">Chapter 9</a>. Here, separate access permissions can be
+assigned to individual network client users or groups. However,
+user-level security on Windows 95/98/Me systems requires a Windows
+NT/2000 or Samba server to perform the actual authentication.</p>
+
+<p>On <a name="INDEX-76"/><a name="INDEX-77"/><a name="INDEX-78"/>Windows NT/2000/XP,
+user-level security is an extension of the native file security
+model, which involves access control lists (ACLs). This system is
+somewhat more extensive than the Unix security model, allowing the
+access rights on individual files to be set separately for any number
+of individual users and/or any number of arbitrary groups of users.
+<a href="ch08.html#samba2-CHP-8-FIG-3">Figure 8-3</a>, <a href="ch08.html#samba2-CHP-8-FIG-4">Figure 8-4</a>,
+and <a href="ch08.html#samba2-CHP-8-FIG-5">Figure 8-5</a> show the dialog boxes on a Windows
+2000 system in which the ACL is set for a file. By right-clicking a
+file's icon and selecting Properties, then selecting
+the Security tab, we get to the dialog box shown in <a href="ch08.html#samba2-CHP-8-FIG-3">Figure 8-3</a>. Here, we can set the basic permissions for a
+file, which are similar to Unix permissions, although not identical.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-3"/><img src="figs/sam2_0803.gif"/></div><h4 class="head4">Figure 8-3. The Security tab of the file Properties dialog</h4>
+
+<p>By clicking the Advanced tab, we can bring up the dialog box shown in
+<a href="ch08.html#samba2-CHP-8-FIG-4">Figure 8-4</a>, which shows the list of
+<a name="INDEX-79"/>access control entries (ACEs) in the ACL.
+In this dialog, ACEs can be added to or deleted from the ACL, or an
+existing ACE can be viewed and modified. Each ACE either allows or
+denies a set of permissions for a specific user or group.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-4"/><img src="figs/sam2_0804.gif"/></div><h4 class="head4">Figure 8-4. The Permissions tab of the Access Control Settings dialog</h4>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-5"/><img src="figs/sam2_0805.gif"/></div><h4 class="head4">Figure 8-5. Permission Entry dialog, showing the settings of an ACE</h4>
+
+<p><a href="ch08.html#samba2-CHP-8-FIG-5">Figure 8-5</a> shows the dialog box for adding an ACE.
+As you can see, there are more options for permissions in an ACL than
+with the permission bits on typical Unix systems. You can learn more
+about these settings in <em class="citetitle">Essential Windows NT System
+Administration</em>, published by O'Reilly.</p>
+
+<p>In a networked environment where a Samba server is serving files to
+Windows NT/2000/XP clients, Samba has to map Unix permissions for
+files and directories to Windows NT/2000/XP access control lists.
+When a Windows NT/2000/XP client accesses a shared file or directory
+on a Samba server, Samba translates the object's
+ownership, group, and permissions into an ACL and returns them to the
+client.</p>
+
+<p><a href="ch08.html#samba2-CHP-8-FIG-6">Figure 8-6</a> shows the Properties dialog box for the
+file <em class="filename">shopping_list.doc</em> that resides on the Samba
+server.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-6"/><img src="figs/sam2_0806.gif"/></div><h4 class="head4">Figure 8-6. The Properties dialog for a file on the Samba server</h4>
+
+<p>From Unix, this file appears as:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l shopping_list.doc</b></tt>
+-rw-------    1 adilia   users          49 Mar 29 11:58 shopping_list.doc</pre></blockquote>
+
+<p>Notice that because the file has read permissions for the owner, the
+Read-only checkbox will show as cleared, even though the user on the
+Windows client (who is not <tt class="literal">adilia</tt> in this example)
+does not have read access permissions. The checkboxes here show only
+DOS attributes. By clicking the Security tab, we can start to examine
+the ACLs, as shown in <a href="ch08.html#samba2-CHP-8-FIG-7">Figure 8-7</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-7"/><img src="figs/sam2_0807.gif"/></div><h4 class="head4">Figure 8-7. The Security tab of the Properties dialog for a file on the Samba server</h4>
+
+<p>The owner of the file (<tt class="literal">adilia</tt>) is shown as one
+entry, while the group (<tt class="literal">users</tt>) and other
+permissions are presented as the groups called
+<tt class="literal">users</tt> and <tt class="literal">Everyone</tt>. Clicking
+one of the items in the upper windows causes the simplified view of
+the permissions in that item to appear in the bottom window. Here,
+the read/write permissions for <tt class="literal">adilia</tt> appear in a
+manner that makes the security model of Unix and Windows seem
+similar. However, clicking the Advanced . . . button brings up the
+additional dialog box shown in <a href="ch08.html#samba2-CHP-8-FIG-8">Figure 8-8</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-8"/><img src="figs/sam2_0808.gif"/></div><h4 class="head4">Figure 8-8. The Access Control Settings dialog for a file on the Samba server</h4>
+
+<p>In this dialog box, we see the actual ACL of the file. The ACEs for
+<tt class="literal">users</tt> and <tt class="literal">Everyone</tt> are listed
+with Take Ownership in the Permission column. This is a trick used by
+Samba for ACLs that have no permissions on the Unix side. On Windows,
+an ACL with nothing set results in no ACL at all, so Samba sets the
+Take Ownership permission to make sure that all the ACLs
+corresponding to the Unix &quot;user, group,
+other&quot; permissions will show up on Windows. The Take
+Ownership permission has no corresponding Unix attribute, so the
+setting on Windows does not affect the actual file on the Unix system
+in any way. Although Windows client users might be misled into
+thinking they can take ownership of the file (that is, change the
+ownership of the file to themselves), an actual attempt to do so will
+fail.</p>
+
+<p>The Permissions column for the <tt class="literal">adilia</tt> ACL is
+listed as Special because Samba reports permissions for the file that
+do not correspond to settings for which Windows has a more
+descriptive name. Clicking the entry and then clicking the View/Edit
+. . . button brings up the dialog box shown in <a href="ch08.html#samba2-CHP-8-FIG-9">Figure 8-9</a>, in which the details of the ACL permissions
+can be viewed and perhaps modified.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-9"/><img src="figs/sam2_0809.gif"/></div><h4 class="head4">Figure 8-9. Permission Entry dialog for a file served by Samba</h4>
+
+<p>We say &quot;perhaps&quot; here because
+checking or unchecking boxes in this dialog box might not result in
+settings that Samba is able to map back into the Unix security model.
+When a user attempts to modify a setting (either permissions or
+ownership) that she does not have authority to change, or does not
+correspond to a valid setting on the Unix system, Samba will respond
+with an error dialog or by quietly ignoring the unmappable settings.</p>
+
+<p>The ACLs for a directory are slightly different. <a href="ch08.html#samba2-CHP-8-FIG-10">Figure 8-10</a> shows the ACL view after clicking the Advanced
+button.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-10"/><img src="figs/sam2_0810.gif"/></div><h4 class="head4">Figure 8-10. The Access Control Settings dialog for a directory on the Samba server</h4>
+
+<p>Here, there are two ACLs each for <tt class="literal">users</tt> and
+<tt class="literal">Everyone</tt>. One ACL specifies the permissions for
+the directory itself, and the other specifies permissions for the
+directory's contents. When changing settings in the
+View/Edit... dialog, there is an extra drop-down menu to apply the
+settings either to just the directory or to some combination of the
+directory and the files and directories it contains. If settings are
+applied to more than just the directory, Samba will match the
+behavior of a Windows server and change the permissions on the
+contents of the directory, as specified in the dialog.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-3.1"/>
+
+<h3 class="head2">Unix ACLs</h3>
+
+<p><a name="INDEX-80"/><a name="INDEX-81"/>In
+most cases, users of Windows clients will find the Unix security
+model to be sufficient. However, in some cases, people might want the
+Samba server to support the full Windows ACL security model. Even if
+they don't need the fine-grained control over file
+and directory permissions, they might find Samba's
+translation between ACLs and Unix permissions to be a source of
+confusion or frustration.</p>
+
+<p>When the underlying Unix host operating system supports
+<a name="INDEX-82"/><a name="INDEX-83"/>POSIX.1e ACLs, Samba provides much better
+support of Windows NT/2000/XP ACLs. Versions of Unix that offer the
+necessary support include the following:</p>
+
+<ul><li>
+<p>Solaris 2.6 and later</p>
+</li><li>
+<p>SGI Irix</p>
+</li><li>
+<p>Linux, with Andreas Gr&uuml;nbacher's kernel
+patch from <a href="http://acl.bestbits.at">http://acl.bestbits.at</a>
+that adds ACL support to the Linux ext2 and ext3 filesystems</p>
+</li><li>
+<p>Linux, with the XFS filesystem</p>
+</li><li>
+<p>AIX</p>
+</li><li>
+<p>FreeBSD 5.0 and later</p>
+</li><li>
+<p>HP/UX 11.0 and later, with the JFS 3.3 filesystem layout Version 4</p>
+</li></ul>
+<p>If you are fortunate enough to have a Unix host operating system with
+ACL support already provided, all you need to do is recompile Samba
+using the <tt class="literal">--with-acl-support</tt> configure option, as
+we described in <a href="ch02.html">Chapter 2</a>. If you are running
+Linux and need to patch your kernel, things are much more
+complicated. We suggest you refer to the documentation that comes
+with the patch for details on using it.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-3.2"/>
+
+<h3 class="head2">Configuration Options for ACLs</h3>
+
+<p><a href="ch08.html#samba2-CHP-8-TABLE-3">Table 8-3</a> <a name="INDEX-84"/><a name="INDEX-85"/>shows the Samba configuration options
+for working with Windows NT/2000/XP access control lists.</p>
+
+<a name="samba2-CHP-8-TABLE-3"/><h4 class="head4">Table 8-3. ACL configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">nt acl support</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows users on Windows NT/2000/XP clients
+to modify ACL settings</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">security mask</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Bitmask that allows or denies permission settings on files</p>
+</td>
+<td>
+<p><tt class="literal">0777</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force security</tt> <tt class="literal">mode</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Bits that are always set when modifying file permissions</p>
+</td>
+<td>
+<p><tt class="literal">0000</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">directory</tt> <tt class="literal">security mask</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Bitmask that allows or denies permission settings on directories</p>
+</td>
+<td>
+<p><tt class="literal">0777</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">force directory</tt> <tt class="literal">security mode</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Bits that are always set when modifying directory permissions</p>
+</td>
+<td>
+<p><tt class="literal">0000</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.1"/>
+
+<a name="INDEX-86"/><h3 class="head3">nt acl support</h3>
+
+<p>This parameter defaults to <tt class="literal">yes</tt>, which allows users
+on Windows NT/2000/XP clients to modify ACL settings for files on the
+Samba server. When set to <tt class="literal">no</tt>, files show up as
+owned by <tt class="literal">Everyone</tt>, with permissions appearing as
+&quot;Full Control&quot;. However,
+<em class="emphasis">actual</em> ownership and permissions are enforced as
+whatever they are set to on the Samba server, and the user on the
+Windows client cannot view or modify them with the dialog boxes used
+for managing ACLs.</p>
+
+<p>When enabled, support for Windows NT/2000/XP ACLs is limited to
+whatever ownerships and permissions can map into valid users and
+permissions on the Samba server. If the server supports ACLs (either
+&quot;out of the box&quot; or with an
+additional patch to enhance the filesystem), Samba's
+ACL support more closely matches that of a Windows NT/2000/XP server.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.2"/>
+
+<h3 class="head3">security mask</h3>
+
+<p>Using the <tt class="literal">security</tt><a name="INDEX-87"/>
+<tt class="literal">mask</tt> option, it is possible to define which file
+permissions users can modify from Windows NT/2000/XP clients. This is
+for files only and not directories, which are handled with the
+<tt class="literal">directory</tt><a name="INDEX-88"/>
+<tt class="literal">security</tt> <tt class="literal">mask</tt> option. The
+parameter is assigned a numeric value that is a Unix-style
+permissions mask. For bits in the mask that are set, the client can
+modify the corresponding bits in the files'
+permissions. If the bit is zero, the client cannot modify that
+permission. For example, if <tt class="literal">security</tt>
+<tt class="literal">mask</tt> is set as:</p>
+
+<blockquote><pre class="code">[data]
+    security mask = 0777</pre></blockquote>
+
+<p>the client can modify all the user/group/other permissions for the
+files in the share. This is the default. A value of
+<tt class="literal">0</tt> would deny clients from changing any of the
+permissions, and setting <tt class="literal">security</tt>
+<tt class="literal">mask</tt> as:</p>
+
+<blockquote><pre class="code">[data]
+    security mask = 0666</pre></blockquote>
+
+<p>would allow client users to modify the read and write permissions,
+but not the execute permissions.</p>
+
+<p>Do not count on <tt class="literal">security</tt> <tt class="literal">mask</tt>
+for complete control because if the user can access the files on the
+Samba server through any other means (for example, by logging
+directly into the Unix host), he can modify the permissions using
+that method.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.3"/>
+
+<h3 class="head3">force security mode</h3>
+
+<p>The <tt class="literal">force</tt><a name="INDEX-89"/>
+<tt class="literal">security</tt> <tt class="literal">mode</tt> option can be
+used to define a set of permissions that are always set whenever the
+user on a Windows NT/2000/XP client modifies a
+file's permissions. (See the
+<tt class="literal">force</tt> <tt class="literal">directory</tt>
+<tt class="literal">security</tt> <tt class="literal">mode</tt> option for
+handling directories.)</p>
+
+<p>Be careful to understand this properly. The mask given as the
+parameter's value is not necessarily equal to the
+resulting permissions on the file. The permissions that the client
+user attempts to modify are logically OR'd with the
+<tt class="literal">force</tt> <tt class="literal">security</tt>
+<tt class="literal">mode</tt> <tt class="literal">mask</tt> option, and any bits
+that are turned on will cause the file's
+corresponding permissions to be set. As an example, suppose
+<tt class="literal">force</tt> <tt class="literal">security</tt>
+<tt class="literal">mode</tt> is set in a share thusly:</p>
+
+<blockquote><pre class="code">[data]
+    force security mode = 0440</pre></blockquote>
+
+<p>(This sets the read bit for owner and group, but not other.) If a
+user on a Windows NT/2000/XP client modifies an ACL on a file in the
+<tt class="literal">[data]</tt> share and attempts to remove all read
+permissions, the read permission for other
+(<tt class="literal">Everyone</tt>) will be removed, but the read
+permission for the owner and group will remain. Note that this
+parameter cannot force a permission bit to be turned off.</p>
+
+<p>As with the <tt class="literal">security</tt> <tt class="literal">mask</tt>
+option, if a user can access the files in the share through any means
+other than Samba, she can easily work around Samba's
+enforcement of this parameter.</p>
+
+<p>The default value of <tt class="literal">force</tt>
+<tt class="literal">security</tt> <tt class="literal">mode</tt> is
+<tt class="literal">0000</tt>, which allows users to remove any permission
+from files.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.4"/>
+
+<a name="INDEX-90"/><h3 class="head3">directory security mask</h3>
+
+<p>This option works exactly the same as the <tt class="literal">security</tt>
+<tt class="literal">mask</tt> option, except that it operates on
+directories rather than files. As with <tt class="literal">security</tt>
+<tt class="literal">mask</tt>, it has a default value of
+<tt class="literal">0777</tt>, which allows Windows NT/2000/XP client users
+to modify all Unix permissions on directories in the share.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-3.2.5"/>
+
+<a name="INDEX-91"/><h3 class="head3">force directory security mode</h3>
+
+<p>This option works exactly the same as the <tt class="literal">force</tt>
+<tt class="literal">security</tt> <tt class="literal">mode</tt> option, except
+that it operates on directories rather than files. It also has a
+default value of <tt class="literal">0000</tt>, which allows Windows
+NT/2000/XP client users to remove any permissions from directories in
+the share. <a name="INDEX-92"/><a name="INDEX-93"/><a name="INDEX-94"/><a name="INDEX-95"/> <a name="INDEX-96"/><a name="INDEX-97"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-4"/>
+
+<h2 class="head1">Name Mangling and Case</h2>
+
+<p><a name="INDEX-98"/><a name="INDEX-99"/><a name="INDEX-100"/><a name="INDEX-101"/>Back
+in the days of DOS and Windows 3.1, every filename was limited to
+eight uppercase characters, followed by a dot, and three more
+uppercase characters. This was known as the <em class="firstterm">8.3
+format</em> and was a huge nuisance. Windows 95/98/Me, Windows
+NT/2000/XP, and Unix have since relaxed this problem by allowing
+longer, sometimes case-sensitive, filenames. <a href="ch08.html#samba2-CHP-8-TABLE-4">Table 8-4</a> shows the current naming state of several
+popular operating systems.</p>
+
+<a name="samba2-CHP-8-TABLE-4"/><h4 class="head4">Table 8-4. Operating system filename limitations</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Operating system</p>
+</th>
+<th>
+<p>File-naming rules</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>DOS 6.22 or below</p>
+</td>
+<td>
+<p>Eight characters followed by a dot followed by a three-letter
+extension (8.3 format); case-insensitive</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 3.1 for Workgroups</p>
+</td>
+<td>
+<p>Eight characters followed by a dot followed by a three-letter
+extension (8.3 format); case-insensitive</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95/98/Me</p>
+</td>
+<td>
+<p>255 characters; case-insensitive but case-preserving</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT/2000/XP</p>
+</td>
+<td>
+<p>255 characters; case-insensitive but case-preserving</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Unix</p>
+</td>
+<td>
+<p>255 characters; case-sensitive</p>
+</td>
+</tr>
+
+</table>
+
+<p>Samba still has to remain backward-compatible with network clients
+that store files in just the 8.3 format, such as Windows for
+Workgroups. If a user creates a file on a share called
+<em class="emphasis">antidisestablishmentarianism.txt</em>, a Windows for
+Workgroups client cannot tell it apart from another file in the same
+directory called <em class="emphasis">antidisease.txt</em>. Like Windows
+95/98/Me and Windows NT/2000/XP, Samba has to employ a special method
+for translating a long filename to an 8.3 filename in such a way that
+similar filenames will not cause collisions. This is called
+<em class="firstterm">name mangling</em>, and Samba deals with this in a
+manner that is similar, but not identical to, Windows 95 and its
+successors.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-4.1"/>
+
+<h3 class="head2">The Samba Mangling Operation</h3>
+
+<p><a name="INDEX-102"/>Here is how Samba mangles a long
+filename into an 8.3 filename:</p>
+
+<ul><li>
+<p>If the original filename does not begin with a dot, the first five
+characters before the dot (if there is one) are converted to
+uppercase. These characters are used as the first five characters of
+the 8.3 mangled filename.</p>
+</li><li>
+<p>If the original filename begins with a dot, the dot is removed and
+then the previous step is performed on what is left.</p>
+</li><li>
+<p>These characters are immediately followed by a special mangling
+character: by default, a tilde (~), although Samba allows you to
+change this character.</p>
+</li><li>
+<p>The base of the long filename before the last period is hashed into a
+two-character code; parts of the name after the last dot can be used
+if necessary. This two-character code is appended to the filename
+after the mangling character.</p>
+</li><li>
+<p>The first three characters after the last dot (if there is one) of
+the original filename are converted to uppercase and appended onto
+the mangled name as the extension. If the original filename began
+with a dot, three underscores ( <tt class="literal">_ _ _</tt> ) are used
+as the extension instead.</p>
+</li></ul>
+<p>Here are some examples:</p>
+
+<blockquote><pre class="code">virtuosity.dat                       VIRTU~F1.DAT
+.htaccess                            HTACC~U0._ _ _
+hello.java                           HELLO~1F.JAV
+team.config.txt                      TEAMC~04.TXT
+antidisestablishmentarianism.txt     ANTID~E3.TXT
+antidisease.txt                      ANTID~9K.TXT</pre></blockquote>
+
+<p>Using these rules will allow Windows for Workgroups to differentiate
+the two files on behalf of the poor individual who is forced to see
+the network through the eyes of that operating system. Note that the
+same long filename should always hash to the same mangled name with
+Samba; this doesn't always happen with Windows. The
+downside of this approach is that there can still be collisions;
+however, the chances are greatly reduced.</p>
+
+<p>You generally want to use the mangling configuration options with
+only the oldest clients. We recommend doing this without disrupting
+other clients by adding an <tt class="literal">include</tt> directive to
+the <em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[global]
+    include = /usr/local/samba/lib/smb.conf.%a</pre></blockquote>
+
+<p>This resolves to <em class="filename">smb.conf.WfWg</em> when a Windows
+for Workgroups client attaches. Now you can create a file
+<em class="filename">/usr/local/samba/lib/smb.conf.WfWg</em>, which might
+contain these options:</p>
+
+<blockquote><pre class="code">[global]
+    case sensitive = no
+    default case = upper
+    preserve case = no
+    short preserve case = no
+    mangle case = yes
+    mangled names= yes</pre></blockquote>
+
+<p>If you are not using Windows for Workgroups, you probably do not need
+to change any of these options from their defaults.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.1.1"/>
+
+<h3 class="head3">Representing and resolving filenames with Samba</h3>
+
+<p><a name="INDEX-103"/>Another item that we should
+point out is that there is a difference between how an operating
+system <em class="emphasis">represents</em> a file and how it
+<em class="emphasis">resolves</em> it. For example, you have likely run
+across a file on a Windows system called
+<em class="filename">README.TXT</em>. The file can be represented by the
+operating system entirely in uppercase letters. However, if you open
+an MS-DOS command prompt and enter the command:</p>
+
+<blockquote><pre class="code">C:\&gt; <tt class="userinput"><b>notepad readme.txt</b></tt></pre></blockquote>
+
+<p>the all-caps file is loaded into the editing program, even though you
+typed the name in lowercase letters.</p>
+
+<p>This is because the Windows 95/98/Me and Windows NT/2000/XP families
+of operating systems resolve filenames in a case-insensitive manner,
+even though the files are represented in a case-sensitive manner.
+Unix-based operating systems, on the other hand, always resolve files
+in a case-sensitive manner; if you try to edit
+<em class="filename">README.TXT</em> with the command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>vi readme.txt</b></tt></pre></blockquote>
+
+<p>you will likely be editing the empty buffer of a new file.</p>
+
+<p><a name="INDEX-104"/>Here is how Samba handles case: if the
+<tt class="literal">preserve</tt><a name="INDEX-105"/> <tt class="literal">case</tt> is set
+to <tt class="literal">yes</tt>, Samba will always use the case provided by
+the operating system for representing (not resolving) filenames. If
+it is set to <tt class="literal">no</tt>, it will use the case specified by
+the <tt class="literal">default</tt><a name="INDEX-106"/> <tt class="literal">case</tt> option.
+The same is true for
+<tt class="literal">short</tt><a name="INDEX-107"/>
+<tt class="literal">preserve</tt> <tt class="literal">case</tt>. If this option
+is set to <tt class="literal">yes</tt>, Samba will use the default case of
+the operating system for representing 8.3 filenames; otherwise, it
+will use the case specified by the <tt class="literal">default</tt>
+<tt class="literal">case</tt> option. Finally, Samba will always resolve
+filenames in its shares based on the value of the
+<tt class="literal">case</tt> <tt class="literal">sensitive</tt> option.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-4.2"/>
+
+<h3 class="head2">Mangling Options</h3>
+
+<p><a name="INDEX-108"/><a name="INDEX-109"/>Samba
+allows more refined instructions on how it should perform name
+mangling, including those controlling the case sensitivity, the
+character inserted to form a mangled name, and the ability to map
+filenames manually from one format to another. These options are
+shown in <a href="ch08.html#samba2-CHP-8-TABLE-5">Table 8-5</a>.</p>
+
+<a name="samba2-CHP-8-TABLE-5"/><h4 class="head4">Table 8-5. Name-mangling options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">case sensitive</tt></p>
+
+<p><tt class="literal">(casesignames)</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, treats filenames as case-sensitive
+(Windows doesn't).</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">default case</tt></p>
+</td>
+<td>
+<p>string (<tt class="literal">upper</tt> or <tt class="literal">lower</tt>)</p>
+</td>
+<td>
+<p>Case to assume as default (used only when preserve case is
+<tt class="literal">no</tt>).</p>
+</td>
+<td>
+<p>Lower</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">preserve case</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, keep the case the client supplied (i.e.,
+do not convert to <tt class="literal">default</tt>
+<tt class="literal">case</tt>).</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">short preserve case</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, preserve case of 8.3-format names that the
+client provides.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangled names</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Mangles long names into 8.3 DOS format.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangle case</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Mangle a name if it is mixed case.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangling char</tt></p>
+</td>
+<td>
+<p>string (single character)</p>
+</td>
+<td>
+<p>Gives mangling character.</p>
+</td>
+<td>
+<p><tt class="literal">~</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangled stack</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Number of mangled names to keep on the local mangling stack.</p>
+</td>
+<td>
+<p><tt class="literal">50</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">mangled map</tt></p>
+</td>
+<td>
+<p>string (list of patterns)</p>
+</td>
+<td>
+<p>Allows mapping of filenames from one format into another.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.1"/>
+
+<a name="INDEX-110"/><h3 class="head3">case sensitive</h3>
+
+<p>This share-level option, which has the obtuse synonym
+<tt class="literal">casesignames</tt>, specifies whether Samba should
+preserve case when resolving filenames in a specific share. The
+default value for this option is <tt class="literal">no</tt>, which is how
+Windows handles file resolution. If clients are using an operating
+system that takes advantage of case-sensitive filenames, you can set
+this configuration option to <tt class="literal">yes</tt> as shown here:</p>
+
+<blockquote><pre class="code">[accounting]
+    case sensitive = yes</pre></blockquote>
+
+<p>Otherwise, we recommend that you leave this option set to its default.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.2"/>
+
+<h3 class="head3">default case</h3>
+
+<p>The <tt class="literal">default</tt><a name="INDEX-111"/> <tt class="literal">case</tt> option
+is used with <tt class="literal">preserve</tt> <tt class="literal">case</tt>.
+This specifies the default case (upper or lower) Samba uses to create
+a file on one of its shares on behalf of a client. The default case
+is <tt class="literal">lower</tt>, which means that newly created files
+will have lowercase names. If you need to, you can override this
+global option by specifying the following:</p>
+
+<blockquote><pre class="code">[global]
+    default case = upper</pre></blockquote>
+
+<p>If you specify this value, the names of newly created files are
+translated into uppercase and cannot be overridden in a program. We
+recommend that you use the default value unless you are dealing with
+a Windows for Workgroups or other 8.3 client, in which case it should
+be <tt class="literal">upper</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.3"/>
+
+<a name="INDEX-112"/><h3 class="head3">preserve case</h3>
+
+<p>This option specifies whether a file created by Samba on behalf of
+the client is created with the case provided by the client operating
+system or the case specified by the earlier
+<tt class="literal">default</tt> <tt class="literal">case</tt> configuration
+option. The default value is <tt class="literal">yes</tt>, which uses the
+case provided by the client operating system. If it is set to
+<tt class="literal">no</tt>, the value of the <tt class="literal">default</tt>
+<tt class="literal">case</tt> option (upper or lower) is used.</p>
+
+<p>Note that this option does not handle 8.3 file requests sent from the
+client&mdash;see the upcoming <tt class="literal">short</tt>
+<tt class="literal">preserve</tt> <tt class="literal">case</tt> option. You might
+want to set this option to <tt class="literal">yes</tt>, for example, if
+applications that create files on the Samba server demand the file be
+all uppercase. If instead you want Samba to mimic the behavior of a
+Windows NT filesystem, you can leave this option set to its default,
+<tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.4"/>
+
+<a name="INDEX-113"/><h3 class="head3">short preserve case</h3>
+
+<p>This option specifies whether an 8.3 filename created by Samba on
+behalf of the client is created with the default case of the client
+operating system or the case specified by the
+<tt class="literal">default</tt> <tt class="literal">case</tt> configuration
+option. The default value is <tt class="literal">yes</tt>, which uses the
+case provided by the client operating system. You can let Samba
+choose the case through the <tt class="literal">default</tt>
+<tt class="literal">case</tt> option by setting it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    short preserve case = no</pre></blockquote>
+
+<p>If you want to force Samba to mimic the behavior of a Windows NT
+filesystem, you can leave this option set to its default,
+<tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.5"/>
+
+<a name="INDEX-114"/><h3 class="head3">mangled names</h3>
+
+<p>This share-level option specifies whether Samba will mangle filenames
+for 8.3 clients. If the option is set to <tt class="literal">no</tt>, Samba
+will not mangle the names, and (depending on the client) they will
+either be invisible or appear truncated to those using 8.3 operating
+systems. The default value is <tt class="literal">yes</tt>. You can
+override it per share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    mangled names = no</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.6"/>
+
+<a name="INDEX-115"/><h3 class="head3">mangle case</h3>
+
+<p>This option tells Samba whether it should mangle filenames that are
+not composed entirely of the case specified using the
+<tt class="literal">default</tt> <tt class="literal">case</tt> configuration
+option. The default for this option is <tt class="literal">no</tt>. If you
+set it to <tt class="literal">yes</tt>, you should be sure that all clients
+can handle the mangled filenames that result. You can override it per
+share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    mangle case = yes</pre></blockquote>
+
+<p>We recommend that you leave this option alone unless you have a
+well-justified need to change it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.7"/>
+
+<a name="INDEX-116"/><h3 class="head3">mangling char</h3>
+
+<p>This share-level option specifies the mangling character used when
+Samba mangles filenames into the 8.3 format. The default character
+used is a tilde (~). You can reset it to whatever character you wish.
+For instance:</p>
+
+<blockquote><pre class="code">[data]
+    mangling char = #</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.8"/>
+
+<a name="INDEX-117"/><h3 class="head3">mangled stack</h3>
+
+<p>Samba maintains a local stack of recently mangled 8.3 filenames; this
+stack can be used to reverse-map mangled filenames back to their
+original state. This is often needed by applications that create and
+save a file, close it, and need to modify it later. The default
+number of long filename/mangled filename pairs stored on this stack
+is 50. However, if you want to cut down on the amount of processor
+time used to mangle filenames, you can increase the size of the stack
+to whatever you wish, at the expense of memory and slightly slower
+file access:</p>
+
+<blockquote><pre class="code">[global]
+    mangled stack = 100</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-4.2.9"/>
+
+<a name="INDEX-118"/><h3 class="head3">mangled map</h3>
+
+<p>If the default behavior of name mangling is not sufficient, you can
+give Samba further instructions on how to behave using the
+<tt class="literal">mangled</tt> <tt class="literal">map</tt> option. This option
+allows you to specify mapping patterns that can be used in place of
+name mangling performed by Samba. For example:</p>
+
+<blockquote><pre class="code">[data]
+    mangled map =(*.database *.db) (*.class *.cls)</pre></blockquote>
+
+<p>Here, Samba is instructed to search each encountered file for
+characters that match the first pattern specified in the parenthesis
+and convert them to the modified second pattern in the parenthesis
+for display on an 8.3 client. This is useful in the event that name
+mangling converts the filename incorrectly or converts it to a format
+that the client cannot understand readily. Patterns are separated by
+whitespaces. <a name="INDEX-119"/><a name="INDEX-120"/> <a name="INDEX-121"/><a name="INDEX-122"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-5"/>
+
+<h2 class="head1">Locks and Oplocks</h2>
+
+<p><a name="INDEX-123"/><a name="INDEX-124"/><a name="INDEX-125"/><a name="INDEX-126"/>Concurrent
+writes to a single file are not desirable in any operating system. To
+prevent this, most operating systems use <em class="firstterm">locks</em>
+to guarantee that only one process can write to a file at a time.
+Operating systems traditionally lock entire files, although newer
+ones allow a range of bytes within a file to be locked. If another
+process attempts to write to a file (or section of one) that is
+already locked, it receives an error from the operating system and
+will have to wait until the lock is released.</p>
+
+<p>Samba supports the standard DOS and NT filesystem (deny-mode) locking
+requests&mdash;which allow only one process to write to an entire
+file on a server at a given time&mdash;as well as byte-range locking.
+In addition, Samba supports a locking mechanism known in the Windows
+NT world as <em class="firstterm">opportunistic locking,
+</em><a name="INDEX-127"/>or<em class="firstterm">
+</em><em class="emphasis">oplock</em> for short.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-5.1"/>
+
+<h3 class="head2">Opportunistic Locking</h3>
+
+<p>Opportunistic locking allows a client to notify the Samba server that
+it will not only be the exclusive writer of a file, but will also
+cache its changes to that file locally to speed up access by reducing
+network activity. This can result in a large performance
+gain&mdash;typically 30%&mdash;while at the same time reserving
+network bandwidth for other purposes.</p>
+
+<p>Because exclusive access can be obtained using regular file locks,
+the value of opportunistic locks is not so much to lock the file as
+it is to cache it. In fact, a better name for opportunistic locking
+might be <em class="firstterm">opportunistic caching</em>.</p>
+
+<p>When Samba knows that a file in one of its shares has been oplocked
+by a client, it marks its version as having an opportunistic lock and
+waits for the client to complete work on the file, at which point it
+expects the client to send its changes back to the Samba server for
+synchronization with the copy on the server.</p>
+
+<p>If a second client requests access to that file before the first
+client has finished working on it, Samba sends an oplock break
+request to the first client. This tells the client to stop caching
+its changes and return the current state of the file to the server so
+that the interrupting client can use it as it sees fit. An
+opportunistic lock, however, is not a replacement for a standard
+deny-mode lock. It is not unheard of for the interrupting process to
+be granted an oplock break only to discover that the original process
+also has a deny-mode lock on a file as well. <a href="ch08.html#samba2-CHP-8-FIG-11">Figure 8-11</a> illustrates this <a name="INDEX-128"/>opportunistic locking process.</p>
+
+<div class="figure"><a name="samba2-CHP-8-FIG-11"/><img src="figs/sam2_0811.gif"/></div><h4 class="head4">Figure 8-11. Opportunistic locking</h4>
+
+<p>In most cases, the extra performance resulting from the use of
+oplocks is highly desirable. However, allowing the client to cache
+data can be a big risk if either the client or network hardware are
+unreliable. Suppose a client opens a file for writing, creating an
+oplock on it. When another client also tries to open the file, an
+oplock break request is sent to the first client. If this request
+goes unfulfilled for any reason and the second client starts writing
+to the file, the file can be easily corrupted as a result of the two
+processes writing to it concurrently. Unfortunately, this scenario is
+very real. Uncoordinated behavior such as this has been observed many
+times among Windows clients in SMB networks (with files served by
+Windows NT/2000 or Samba). Typically, the affected files are database
+files, which multiple clients open concurrently for writing.</p>
+
+<p>A more concrete example of <a name="INDEX-129"/>oplock failure occurs when database
+files are very large. If a client is allowed to oplock this kind of
+file, there can be a huge delay while the client copies the entire
+file from the server to cache it, even though it might need to update
+only one record. The situation goes from bad to worse when another
+client tries to open the oplocked file. The first client might need
+to write the entire file back to the server before the second
+client's file open request can succeed. This results
+in another huge delay (for both clients), which in practice often
+results in a failed open due to a timeout on the second client,
+perhaps along with a message warning of possible database corruption!</p>
+
+<p>If you are having problems of this variety, you can turn off oplocks
+for the affected files by using the
+<tt class="literal">veto</tt><a name="INDEX-130"/> <tt class="literal">oplock</tt>
+<tt class="literal">files</tt> parameter:</p>
+
+<blockquote><pre class="code">[dbdata]
+    veto oplock files = /*.dbm/</pre></blockquote>
+
+<p>Use the value of the parameter (a list of filename-matching patterns
+separated by slash characters) to match all the files in the share
+that might be a source of trouble. The syntax of this parameter is
+similar to that of the <tt class="literal">veto</tt>
+<tt class="literal">files</tt> parameter.</p>
+
+<p>If you want to be really careful and can live with reduced
+performance, you can turn off oplocks altogether, preventing the
+oplock break problem from ever occurring:</p>
+
+<blockquote><pre class="code">[global]
+    oplocks = no</pre></blockquote>
+
+<p>This disables oplocks for all files in all shares served by the Samba
+server. If you wish to disable oplocks in just a specific share, you
+can specify the <tt class="literal">oplocks</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> parameter in just that share:</p>
+
+<blockquote><pre class="code">[database]
+    oplocks = no</pre></blockquote>
+
+<p>This example allows other shares, which might have less sensitive
+data, to attain better performance, while trading performance for
+better data integrity for files in the <tt class="literal">[database]</tt>
+share.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-5.2"/>
+
+<h3 class="head2">Unix and Oplocks</h3>
+
+<p><a name="INDEX-131"/>Most of the time, oplocks help Windows
+client systems cooperate to avoid overwriting each
+other's changes. Unix systems also have file-locking
+mechanisms to allow Unix processes to cooperate with each other. But
+if a file stored on a Samba system is accessed by both a Windows
+network client and a local Unix process&mdash;without an additional
+coordination between the two systems&mdash;the Unix process could
+easily ride roughshod over an oplock.</p>
+
+<p>Some Unix systems have enhanced kernels that understand the Windows
+oplocks maintained by Samba. Currently the support exists only in SGI
+Irix and Linux.</p>
+
+<p>If you leave oplocks enabled and your Unix system does not support
+kernel oplocks, you could end up with corrupted data when somebody
+runs a Unix process that reads or writes a file that Windows users
+also access. This is another case where the
+<tt class="literal">veto</tt><a name="INDEX-132"/> <tt class="literal">oplock</tt>
+<tt class="literal">files</tt> parameter can be used, assuming you can
+anticipate which Samba files are used by both Windows users and Unix
+users. For example, suppose the <tt class="literal">[usrfiles]</tt> share
+contains some ASCII text files with the <em class="filename">.txt</em>
+filename extension and OpenOffice word processor documents with the
+<em class="filename">.doc</em> filename extension, which Unix and Windows
+users both modify. We can use <tt class="literal">veto</tt>
+<tt class="literal">oplock</tt> <tt class="literal">files</tt> like this:</p>
+
+<blockquote><pre class="code">[usrfiles]
+    veto oplock files = /*.txt/*.doc/</pre></blockquote>
+
+<p>This will suppress the use of oplocks on <em class="filename">.txt</em>
+and <em class="filename">.doc</em> files, which will suppress client
+caching, while allowing the Windows and Unix programs to use regular
+file locking to prevent concurrent writes to the same file.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-5.3"/>
+
+<h3 class="head2">Locks and Oplocks Configuration Options</h3>
+
+<p><a name="INDEX-133"/><a name="INDEX-134"/>Samba's options for
+locks and oplocks are given in <a href="ch08.html#samba2-CHP-8-TABLE-6">Table 8-6</a>.</p>
+
+<a name="samba2-CHP-8-TABLE-6"/><h4 class="head4">Table 8-6. Locks and oplocks configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">locking</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, turns on byte-range locks.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">strict</tt> <tt class="literal">locking</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, denies access to an entire file if a
+byte-range lock exists in it.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">posix locking</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, maps oplocks to POSIX locks on the local
+system.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">oplocks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, turns on local caching of files on the
+client for this share.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">kernel</tt> <tt class="literal">oplocks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, indicates that the kernel supports oplocks.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">level2 oplocks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows oplocks to downgrade to read-only.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">fake oplocks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, tells client the lock was obtained, but
+doesn't actually lock it.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">blocking</tt> <tt class="literal">locks</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Allows lock requestor to wait for the lock to be granted.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">veto oplock</tt> <tt class="literal">files</tt></p>
+</td>
+<td>
+<p>string (list of filenames)</p>
+</td>
+<td>
+<p>Does not oplock specified files.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lock</tt> <tt class="literal">directory</tt></p>
+</td>
+<td>
+<p>string (fully qualified pathname)</p>
+</td>
+<td>
+<p>Sets the location where various Samba files, including locks, are
+stored.</p>
+</td>
+<td>
+<p>As specified in Samba makefile</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.1"/>
+
+<h3 class="head3">locking</h3>
+
+<p>The <tt class="literal">locking</tt><a name="INDEX-135"/> option can be used to tell
+Samba to engage or disengage server-side byte-range locks on behalf
+of the client. Samba implements byte-range locks on the server side
+with normal Unix advisory locks and consequently prevents other
+properly behaved Unix processes from overwriting a locked byte range.</p>
+
+<p>This option can be specified per share as follows:</p>
+
+<blockquote><pre class="code">[accounting]
+    locking = yes</pre></blockquote>
+
+<p>If the <tt class="literal">locking</tt> option is set to
+<tt class="literal">yes</tt>, the requestor is delayed until the holder of
+either type of lock releases it (or crashes). If, however, the option
+is set to <tt class="literal">no</tt>, no byte-range locks are kept for the
+files, although requests to lock and unlock files will appear to
+succeed. The option is set to <tt class="literal">yes</tt> by default;
+however, you can turn this option off if you have read-only media.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.2"/>
+
+<a name="INDEX-136"/><h3 class="head3">strict locking</h3>
+
+<p>This option checks every file access for a byte-range lock on the
+range of bytes being accessed. This is typically not needed if a
+client adheres to all the locking mechanisms in place. This option is
+set to <tt class="literal">no</tt> by default; however, you can reset it
+per share as follows:</p>
+
+<blockquote><pre class="code">[accounting]
+    strict locking = yes</pre></blockquote>
+
+<p>If this option is set to <tt class="literal">yes</tt>, mandatory locks are
+enforced on any file with byte-range locks.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.3"/>
+
+<a name="INDEX-137"/><h3 class="head3">posix locking</h3>
+
+<p>On systems that support POSIX locking, Samba automatically maps
+oplocks to POSIX locks. This behavior can be disabled by setting
+<tt class="literal">posix</tt> <tt class="literal">locking</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt>. You should never need to
+change the default behavior, which is <tt class="literal">posix</tt>
+<tt class="literal">locking</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.4"/>
+
+<a name="INDEX-138"/><h3 class="head3">oplocks</h3>
+
+<p>This option enables or disables support for oplocks on the client.
+The option is enabled by default. However, you can disable it with
+the following command:</p>
+
+<blockquote><pre class="code">[data]
+    oplocks = no</pre></blockquote>
+
+<p>If you are in an extremely unstable network environment or have many
+clients that cannot take advantage of opportunistic locking, it might
+be better to shut this Samba feature off. If the host operating
+system does not support kernel oplocks, oplocks should be disabled if
+users are accessing the same files from both Unix applications (such
+as <em class="emphasis">vi</em>) and SMB clients.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.5"/>
+
+<a name="INDEX-139"/><h3 class="head3">kernel oplocks</h3>
+
+<p>If a Unix application on the Samba host system (that is not part of
+the Samba suite) tries to open a file for writing that Samba has
+oplocked to a Windows client, it is likely to succeed (depending on
+the operating system), and both Samba and the client are never aware
+of it.</p>
+
+<p>Some versions of Unix have support for oplocks in the kernel that can
+work along with Samba's oplocks. In this case, the
+Unix process trying to open the file is suspended while Samba directs
+the client to write its copy back. After that has happened, the
+operating system allows the open to complete. At the time of this
+writing, this feature is supported only by SGI Irix and Linux.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.6"/>
+
+<a name="INDEX-140"/><h3 class="head3">level2 oplocks</h3>
+
+<p>Windows NT/2000/XP clients can downgrade their read-write oplocks to
+read-only oplocks when another client opens the same file. This can
+result in significant improvements in performance on files that are
+written infrequently or not at all&mdash;especially
+executables&mdash;because all clients can then maintain a read-ahead
+cache for the file. By default, <tt class="literal">level2</tt>
+<tt class="literal">oplocks</tt> is set to <tt class="literal">yes</tt>, and you
+probably won't need to change it.</p>
+
+<p>Currently, Samba cannot support level 2 oplocks along with kernel
+oplocks and automatically disables level 2 oplocks when kernel
+oplocks are in use. (This might change in future releases as improved
+support for oplocks is added by the Samba developers.) If you are
+running Samba on a host system that supports kernel oplocks, you must
+set <tt class="literal">kernel</tt> <tt class="literal">oplocks</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> to enable support for
+level 2 oplocks.</p>
+
+<p>Disabling oplocks with <tt class="literal">oplocks</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> also disables level 2
+oplocks.</p>
+
+<p>Samba can automatically detect its Unix host's
+support of kernel oplocks and will set the value of
+<tt class="literal">kernel</tt> <tt class="literal">oplocks</tt> automatically.
+You should never need to set this option in your Samba configuration
+file.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.7"/>
+
+<a name="INDEX-141"/><h3 class="head3">fake oplocks</h3>
+
+<p>When this option is set to <tt class="literal">yes</tt>, Samba pretends to
+allow oplocks rather than actually supporting them. If this option is
+enabled on a read-only share (such as a shared CD-ROM drive), all
+clients are told that the files are available for opportunistic
+locking and never warned of simultaneous access. As a result, Windows
+clients cache more of the file's data and obtain
+much better performance.</p>
+
+<p>This option was added to Samba before opportunistic-locking support
+was available, and it is now generally considered better to use real
+oplocks. Do not ever enable <tt class="literal">fake</tt>
+<tt class="literal">oplocks</tt> on a read/write share.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.8"/>
+
+<h3 class="head3">blocking locks</h3>
+
+<p>Samba also supports <em class="firstterm">blocking locks</em>, a minor
+variant of range locks. Here, if the range of bytes is not available,
+the client specifies an amount of time that it's
+willing to wait. The server then caches the lock request,
+periodically checking to see if the file is available. If it is, it
+notifies the client; however, if time expires, Samba will tell the
+client that the request has failed. This strategy prevents the client
+from continually polling to see if the lock is available.</p>
+
+<p>You can disable this option per share as follows:</p>
+
+<blockquote><pre class="code">[accounting]
+    blocking locks = no</pre></blockquote>
+
+<p>When set to <tt class="literal">yes</tt>, blocking locks are enforced on
+the file. If this option is set to <tt class="literal">no</tt>, Samba
+behaves as if normal locking mechanisms are in place on the file. The
+default is <tt class="literal">yes</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.9"/>
+
+<a name="INDEX-142"/><h3 class="head3">veto oplock files</h3>
+
+<p>You can provide a list of filenames that are never granted
+opportunistic locks with the <tt class="literal">veto</tt>
+<tt class="literal">oplock</tt> <tt class="literal">files</tt> option. This
+option can be set either globally or on a per-share basis. For
+example:</p>
+
+<blockquote><pre class="code">veto oplock files = /*.bat/*.htm/</pre></blockquote>
+
+<p>The value of this option is a series of patterns. Each pattern entry
+must begin, end, or be separated from another with a slash ( / )
+character, even if only one pattern is listed. Asterisks can be used
+as a wildcard to represent zero or more characters. Questions marks
+can be used to represent exactly one character.</p>
+
+<p>We recommend that you disable oplocks on any files that are meant to
+be updated by Unix or are intended for simultaneous sharing by
+several processes.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-5.3.10"/>
+
+<a name="INDEX-143"/><h3 class="head3">lock directory</h3>
+
+<p>This option (sometimes called <tt class="literal">lock</tt>
+<tt class="literal">dir</tt>) specifies the location of a directory where
+Samba will store SMB deny-mode lock files. Samba stores other files
+in this directory as well, such as browse lists and its shared memory
+file. If WINS is enabled, the WINS database is written to this
+directory as well. The default for this option is specified in the
+Samba makefile; it is typically
+<em class="filename">/usr/local/samba/var/locks</em>. You can override
+this location as follows:</p>
+
+<blockquote><pre class="code">[global]
+    lock directory = /usr/local/samba/locks</pre></blockquote>
+
+<p>You typically would not need to override this option, unless you want
+to move the lock files to a more standard location, such as
+<em class="filename">/var/spool/locks</em>. <a name="INDEX-144"/> <a name="INDEX-145"/><a name="INDEX-146"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-6"/>
+
+<h2 class="head1">Connection Scripts</h2>
+
+<p><a name="INDEX-147"/><a name="INDEX-148"/><a name="INDEX-149"/>Samba supports a mechanism called
+<em class="firstterm">connection scripts</em>, by which commands can be
+executed on the server as clients connect to a share or later
+disconnect from it. By using configuration file variables along with
+some custom programming, you can create connection scripts that
+perform a wide range of functions. As a simple example, here is a
+&quot;quick and dirty&quot; way to monitor
+connections to shares on the Samba server in real time. First, the
+value of the <tt class="literal">preexec</tt><a name="INDEX-150"/> parameter is set as
+follows:</p>
+
+<blockquote><pre class="code">[global]
+    preexec = /bin/echo %u at %m connected to //%L/%S on %T &gt;&gt;/tmp/smblog</pre></blockquote>
+
+<p>This causes information about the user and the connection to be
+written to the file <em class="filename">/tmp/smblog</em> whenever any
+client connects to any share. To watch clients connect, run the
+following command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>tail -f /tmp/smblog</b></tt>
+jay at maya connected to //toltec/data on 2002/11/21 21:21:15
+david at apache connected to //toltec/techs on 2002/11/21 21:21:57
+sally at seminole connected to //toltec/payroll on 2002/11/21 21:22:16
+martha at dine connected to //toltec/profiles on 2002/11/21 21:23:38
+martha at dine connected to //toltec/netlogon on 2002/11/21 21:23:39
+martha at dine connected to //toltec/martha on 2002/11/21 21:23:40
+aaron at huastec connected to //toltec/netlogon on 2002/11/21 21:24:19
+aaron at huastec connected to //toltec/aaron on 2002/11/21 21:24:20</pre></blockquote>
+
+<p>With the <em class="emphasis">-f</em> option, the
+<em class="emphasis">tail</em> command monitors
+<em class="filename">/tmp/smblog</em> and prints additional output as new
+data is appended to the file. Every time a new connection is made, an
+additional line is printed, showing the output of the
+<tt class="literal">preexec</tt> command. Notice the lines resulting from
+connections by user <tt class="literal">martha</tt> and
+<tt class="literal">aaron</tt>. User <tt class="literal">martha</tt> logged on to
+the domain from a Windows NT client, which accessed the
+<tt class="literal">[profiles]</tt> share to download her profile, then the
+<tt class="literal">[netlogon]</tt> share to read the logon script, and
+then her home directory (because her logon script contains a
+<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">H</tt>:
+<tt class="literal">/home</tt> command) to connect her home directory to
+drive letter H. The connections from <tt class="literal">aaron</tt> are
+similar, except that he connected from a Windows 98 system, which
+does not use the <tt class="literal">[profiles]</tt> share. (See <a href="ch04.html">Chapter 4</a> for more information about domain logons.)</p>
+
+<p>A more advanced use of
+<a name="INDEX-151"/><a name="INDEX-152"/>connection scripts is to monitor the
+contents of users' home directories and/or other
+shared directories and perform checks ensuring that local
+administrative policies are followed. Checked items might include the
+following:</p>
+
+<ul><li>
+<p>Disk usage, on a per-share, per-directory, or per-file basis</p>
+</li><li>
+<p>Types of files stored on the server</p>
+</li><li>
+<p>Whether filenames follow naming guidelines</p>
+</li><li>
+<p>Whether viruses have copied themselves to the Samba server</p>
+</li></ul>
+<p>To handle this kind of task, a shell script or other program would be
+written to perform the checks and take appropriate actions, such as
+removing offending files. The <tt class="literal">root</tt>
+<tt class="literal">preexec</tt> parameter would be used to run the command
+as the root user, using configuration file variables to pass
+arguments. For example:</p>
+
+<blockquote><pre class="code">[homes]
+    root preexec = admin_checks %S
+    root preexec close = yes</pre></blockquote>
+
+<p>In this example, a specially written administrative checking program
+(<em class="emphasis">admin_checks</em>) is used to monitor
+users' home directories on the Samba server. The
+<tt class="literal">%S</tt> variable is used to pass the name of the home
+directory to the script. The
+<tt class="literal">root</tt><a name="INDEX-153"/> <tt class="literal">preexec</tt>
+<tt class="literal">close</tt> parameter has been set to
+<tt class="literal">yes</tt> so that if <em class="emphasis">admin_checks</em>
+detects a serious violation of local policy, it can exit with a
+nonzero status, and the client is prevented from connecting.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-6.1"/>
+
+<h3 class="head2">Connection Script Options</h3>
+
+<p><a href="ch08.html#samba2-CHP-8-TABLE-7">Table 8-7</a> introduces some of the configuration
+options provided for setting up users.</p>
+
+<a name="samba2-CHP-8-TABLE-7"/><h4 class="head4">Table 8-7. Connection script options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">root preexec</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Sets a Unix command to run as <tt class="literal">root</tt>, before
+connecting to the share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">root preexec close</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, nonzero exit status of
+<tt class="literal">root preexec</tt> command will disconnect.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">preexec</tt> <tt class="literal">(exec)</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Sets a Unix command to run as the user before connecting to the share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">preexec close</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If set to <tt class="literal">yes</tt>, nonzero exit status of
+<tt class="literal">preexec</tt> command will disconnect.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">postexec</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Sets a Unix command to run as the user after disconnecting from the
+share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">root</tt> <tt class="literal">postexec</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Sets a Unix command to run as <tt class="literal">root</tt> after
+disconnecting from the share.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.1"/>
+
+<a name="INDEX-156"/><h3 class="head3">root preexec</h3>
+
+<p>This option specifies as its value a Unix command to be run
+<em class="emphasis">as the root user</em> before any connection to a
+share is completed. You should use this option specifically for
+performing actions that require root privilege.</p>
+
+<p>To ensure security, users should never be able to modify the target
+of the <tt class="literal">root</tt> <tt class="literal">preexec</tt> command. In
+addition, unless you explicitly redirect it, any information the
+command sends to standard output will be discarded. If you intend to
+use any <tt class="literal">preexec</tt> or <tt class="literal">postexec</tt>
+script, you should ensure that it will run correctly before having
+Samba invoke it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.2"/>
+
+<a name="INDEX-157"/><h3 class="head3">root preexec close</h3>
+
+<p>Sometimes you might want the share to disconnect if the
+<tt class="literal">root</tt> <tt class="literal">preexec</tt> script fails,
+giving the client an error rather than allowing it to connect. For
+example, if you are using <tt class="literal">root</tt>
+<tt class="literal">preexec</tt> to mount a CD-ROM or filesystem, it would
+make no sense to connect the client to it in the event that the mount
+fails. If you specify <tt class="literal">root</tt>
+<tt class="literal">preexec</tt> <tt class="literal">close</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt>, the share will fail to
+connect if the <tt class="literal">root</tt> <tt class="literal">preexec</tt>
+script returns a nonzero exit status.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.3"/>
+
+<a name="INDEX-158"/><h3 class="head3">preexec</h3>
+
+<p>Sometimes just called <tt class="literal">exec</tt>, this option defines an
+ordinary unprivileged command run by Samba as the user specified by
+the variable <tt class="literal">%u</tt>. For example, a common use of this
+option is to perform logging, such as the following:</p>
+
+<blockquote><pre class="code">[homes]
+    preexec = echo &quot;%u connected from %m (%I)\&quot; &gt;&gt;/tmp/.log</pre></blockquote>
+
+<p>You must redirect the standard output of the command if you want to
+use it. Otherwise, it is discarded. This warning also applies to the
+command's standard error output. If you intend to
+use a <tt class="literal">preexec</tt> script, you should ensure that it
+will run correctly before having Samba invoke it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.4"/>
+
+<a name="INDEX-159"/><h3 class="head3">preexec close</h3>
+
+<p>This is similar to <tt class="literal">root</tt> <tt class="literal">preexec</tt>
+<tt class="literal">close</tt>, except that it goes with the
+<tt class="literal">preexec</tt> option. By setting
+<tt class="literal">preexec</tt> <tt class="literal">close</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt>, a
+<tt class="literal">preexec</tt> script that returns nonzero will cause the
+share to disconnect immediately.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.5"/>
+
+<a name="INDEX-160"/><h3 class="head3">postexec</h3>
+
+<p>Once the user disconnects from the share, the command specified with
+<tt class="literal">postexec</tt> is run as the user on the Samba server to
+do any necessary cleanup. This option is essentially the same as the
+<tt class="literal">preexec</tt> option. Again, remember that the command
+is run as the user represented by <tt class="literal">%u</tt>, and any
+information sent to standard output will be ignored.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-6.1.6"/>
+
+<a name="INDEX-161"/><h3 class="head3">root postexec</h3>
+
+<p>Following the <tt class="literal">postexec</tt> option, the
+<tt class="literal">root</tt> <tt class="literal">postexec</tt> command is run,
+if one has been specified. Again, this option specifies as its value
+a Unix command to be run <em class="emphasis">as the root user</em> before
+disconnecting from a share. You should use this option specifically
+for performing actions that require root privilege. <a name="INDEX-162"/> <a name="INDEX-163"/><a name="INDEX-164"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-7"/>
+
+<h2 class="head1">Microsoft Distributed Filesystems</h2>
+
+<p><a name="INDEX-165"/>In a
+large network where many shared folders are spread out over a large
+number of servers, it can be difficult for users to locate the
+resources they are trying to find. Browsing through Network
+Neighborhood or My Network Places can become an ordeal rather than a
+time-saving convenience. To mitigate this problem, Microsoft added an
+extension to file sharing called <em class="firstterm">Distributed
+filesystem</em><a name="INDEX-166"/><a name="INDEX-167"/> (Dfs). Using Dfs, it
+is possible to organize file shares on the network so that they
+appear to users as organized in a single directory tree on a single
+server, regardless of which servers on the network actually contain
+the resources. Instead of having to browse the entire network, users
+can go to the Dfs share and locate their data much more easily.</p>
+
+<p>Dfs can also help administrators because it provides a level of
+indirection between the name of a shared folder and its actual
+location. The Dfs share contains references to resources on the
+network, and when a resource is accessed, the Dfs server hands the
+client off to the actual server of the resource. When moving
+resources to another computer, the reference to the resource in the
+Dfs share can be redirected to the new location in one step, with the
+change being entirely seamless for users.</p>
+
+<p>To a limited extent, Dfs also can help improve performance for
+read-only shares because it provides <a name="INDEX-168"/>load balancing. It is possible
+to set up a Dfs reference to point to identical shares on two or more
+servers. The Dfs server then divides requests between the servers,
+dividing the client load among them. However, this works well only
+for static, read-only data because no provision is included in Dfs
+for synchronization among the servers when changes are made on any of
+them.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-7.1"/>
+
+<h3 class="head2">Windows Dfs Clients</h3>
+
+<p><a name="INDEX-169"/>Modern versions of Windows come with
+client-side support for Dfs, and no extra configuration is required.
+Support is more limited for older versions, however. Windows for
+Workgroups cannot function as a Dfs client at all. Windows NT 4.0
+must be upgraded to at least Service Pack 3 to act as a Dfs client,
+and the Dfs Client must be installed. Later service packs (such as
+Service Pack 6) include the Dfs Client. Windows 95 must also have the
+Dfs Client software installed to act as a Dfs client. Without the Dfs
+Client software, double-clicking a remote folder in a Dfs share will
+show an empty folder, and no error message will appear.</p>
+
+<a name="samba2-CHP-8-NOTE-140"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>To use the Dfs Client for Windows 95 or Windows NT, you must first
+download and install it. See the web page <a href="http://microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp">http://microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp</a>
+for a link to download the installation program and instructions on
+how to install the Dfs Client.</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-7.2"/>
+
+<h3 class="head2">Configuring Samba for Dfs</h3>
+
+<p><a name="INDEX-170"/>To act as a Dfs server, Samba 2.2 must
+be compiled with the <tt class="literal">--with-msdfs</tt> configure
+option. (See <a href="ch02.html">Chapter 2</a> for instructions on
+configuring and compiling Samba.) Samba 3.0 includes Dfs support by
+default and does not need to be compiled with the
+<tt class="literal">--with-msdfs</tt> configure option.</p>
+
+<p>Once a Dfs-enabled Samba server is running, there are just two steps
+to serving a Dfs share. First we will set up a Dfs root directory on
+the server, and then we will modify the <em class="filename">smb.conf</em>
+configuration file to enable the share.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-7.2.1"/>
+
+<h3 class="head3">Setting up the Dfs root</h3>
+
+<p>First we need to create a directory to act as the Dfs root:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/dfs</b></tt></pre></blockquote>
+
+<p>This can be any directory, but it is important that it be owned by
+root and given the proper permissions:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chown root:root /usr/local/samba/dfs</b></tt>
+# <tt class="userinput"><b>chmod 755 /usr/local/samba/dfs</b></tt></pre></blockquote>
+
+<p>The Dfs directory tree can have subdirectories and files, just like
+any other shared directory. These will function just as they would in
+any other share, allowing clients to access the directories and files
+on the Samba server. The whole idea of Dfs, though, is to gather
+together shares on other servers by making references to them in the
+Dfs tree. The way this is implemented with Samba involves a clever
+use of symbolic links, which can be in the Dfs root directory or any
+subdirectory in the Dfs tree.</p>
+
+<p>You are probably familiar with using symbolic links to create
+references to files that exist on the same system, and perhaps
+crossing a local filesystem boundary (which ordinary Unix links
+cannot do). But maybe you didn't know that symbolic
+links have a more general functionality. Although we
+can't display its contents directly, as we could
+with a text or binary file, a symbolic link
+&quot;contains&quot; an ASCII text string
+naming what the link points to. For example, take a look at the
+listing for these symbolic links:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l wrdlnk alnk</b></tt>
+lrwxrwxrwx    1 jay      jay            15 Mar 14 06:50 wrdlnk -&gt; /usr/dict/words
+lrwxrwxrwx    1 jay      jay             9 Mar 14 06:53 alnk -&gt; dreamtime</pre></blockquote>
+
+<p>As you can infer from the size of the <em class="filename">wrdlnk</em>
+link (15 bytes), the string <tt class="literal">/usr/dict/words</tt> is
+encoded into it. The size of <em class="filename">alnk</em> (9 bytes) is
+smaller, corresponding to the shorter name of
+<em class="filename">dreamtime</em>.</p>
+
+<p>Now let's create a link in our Dfs root for an SMB
+share:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cd /usr/local/samba/dfs</b></tt>
+# <tt class="userinput"><b>ln -s 'msdfs:maya\e' maya-e</b></tt>
+# <tt class="userinput"><b>ls -l maya-e</b></tt>
+lrwxrwxrwx    1 root     root           12 Mar 13 17:34 maya-e -&gt; msdfs:maya\e</pre></blockquote>
+
+<p>This link might appear as a
+&quot;broken&quot; link in a directory
+listing because it points to something that isn't a
+file on the local system. For example, the <em class="emphasis">file</em>
+command will report:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>file maya-e</b></tt>
+maya-e: broken symbolic link to msdfs:maya\e</pre></blockquote>
+
+<p>However, <em class="filename">maya-e</em> is a valid reference to the
+<em class="filename">\\maya\e</em> share when used with
+Samba's Dfs support. When Samba encounters this
+file, it sees the leading <tt class="literal">msdfs</tt>: and interprets
+the rest as the name of a remote share. The client is then redirected
+to the remote share.</p>
+
+<p>When creating links in the Dfs root directory, simply follow the same
+format, which in general is
+<tt class="literal">msdfs</tt>:<em class="replaceable">server</em>\<em class="replaceable">share</em>.
+Note that this is similar to a UNC appended onto the
+<tt class="literal">msdfs</tt>: string, except that in this case, the two
+backslashes preceding the server's name are omitted.</p>
+
+<a name="samba2-CHP-8-NOTE-141"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The names for the symbolic links in Dfs shares must be in all
+lowercase.</p>
+</blockquote>
+
+<p>In addition to regular network shares, you can use symbolic links of
+this type to reference Dfs shares on other Dfs servers. However,
+referencing printer shares does not work. Dfs is for sharing files
+only. <a name="INDEX-171"/></p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-7.2.2"/>
+
+<h3 class="head3">Load balancing</h3>
+
+<p><a name="INDEX-172"/>To
+set up a load-balancing Dfs share, create the symbolic link like
+this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ln -s 'msdfs:toltec\data,msdfs:mixtec\data' lb-data</b></tt></pre></blockquote>
+
+<p>That is, simply use a list of shares separated by commas as the
+reference. Remember, it is up to you to make sure the shared folders
+remain identical. Set up permissions on the servers to make the
+shares read-only to users.</p>
+
+<p>The last thing we need to do is to modify the
+<em class="filename">smb.conf</em> file to define the Dfs root share and
+add Dfs support. The Dfs root is added as a share definition:</p>
+
+<a name="INDEX-173"/><blockquote><pre class="code">[dfs]
+    path = /usr/local/samba/dfs
+    msdfs root = yes</pre></blockquote>
+
+<p>You can use any name you like for the share. The path is set to the
+Dfs root directory we just set up, and the parameter
+<tt class="literal">msdfs</tt> <tt class="literal">root</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> tells Samba that this share is a Dfs root.</p>
+
+<p>To enable support for Dfs in the server, we need to add one line to
+the <tt class="literal">[global]</tt> section:</p>
+
+<a name="INDEX-174"/><blockquote><pre class="code">[global]
+    host msdfs = yes</pre></blockquote>
+
+<p>Restart the Samba daemons&mdash;or just wait a minute for them to
+reread the configuration file&mdash;and you will see the new share
+from Windows clients. If you have trouble accessing any of the remote
+shares in the Dfs share, recheck your symbolic links to make sure
+they were created correctly. <a name="INDEX-175"/></p>
+
+<a name="samba2-CHP-8-NOTE-142"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you previously had a share by the same name as your Dfs share, you
+might need to reboot Windows clients before they can access the share
+as a Dfs share.</p>
+</blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-8-SECT-8"/>
+
+<h2 class="head1">Working with NIS</h2>
+
+<p>In networks where NIS and NFS are in use, it is common for
+users' home directories to be mounted over the
+network by NFS. If a Samba server being used to authenticate user
+logons is running on a system with NFS-mounted home directories
+shared with a <tt class="literal">[homes]</tt> share, the additional
+overhead can result in poor performance&mdash;about 30% of normal
+Samba speed.</p>
+
+<p>Samba has the ability to work with <a name="INDEX-176"/>NIS and NIS+ to find the
+server on which the home directories actually reside so that they can
+be shared directly from that server. For this to work, the server
+that holds the home directories must also have Samba running, with a
+<tt class="literal">[homes]</tt> share of its own.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-8-SECT-8.1"/>
+
+<h3 class="head2">NIS Configuration Options</h3>
+
+<p><a href="ch08.html#samba2-CHP-8-TABLE-8">Table 8-8</a> introduces the
+<a name="INDEX-177"/><a name="INDEX-178"/>NIS configuration options specifically
+for setting up users.</p>
+
+<a name="samba2-CHP-8-TABLE-8"/><h4 class="head4">Table 8-8. NIS options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">nis homedir</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, uses NIS instead of
+<em class="filename">/etc/passwd</em> to look up the path of a
+user's home directory.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">homedir map</tt></p>
+</td>
+<td>
+<p>string (NIS map name)</p>
+</td>
+<td>
+<p>Sets the NIS map to use to look up a user's home
+directory.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-8-SECT-8.1.1"/>
+
+<h3 class="head3">nis homedir, homedir map</h3>
+
+<p>The <tt class="literal">nis</tt><a name="INDEX-179"/> <tt class="literal">homedir</tt> and
+<tt class="literal">homedir</tt><a name="INDEX-180"/> <tt class="literal">map</tt> options
+are for Samba servers on network sites where Unix home directories
+are provided using NFS, the automounter, and NIS.</p>
+
+<p>The <tt class="literal">nis</tt> <tt class="literal">homedir</tt> option
+indicates that the home-directory server for the user needs to be
+looked up in NIS. The <tt class="literal">homedir</tt>
+<tt class="literal">map</tt> option tells Samba in which NIS map to look
+for the server that has the user's home directory.
+The server needs to be a Samba server so that the client can do an
+SMB connect to it, and the other Samba servers need to have NIS
+installed so that they can do the lookup.</p>
+
+<p>For example, if user <tt class="literal">joe</tt> asks for a share called
+<tt class="literal">[joe]</tt>, and the <tt class="literal">nis</tt>
+<tt class="literal">homedir</tt> option is set to <tt class="literal">yes</tt>,
+Samba will look in the file specified by <tt class="literal">homedir</tt>
+<tt class="literal">map</tt> for a home directory for
+<tt class="literal">joe</tt>. If it finds one, Samba will return the
+associated system name to the client. The client will then try to
+connect to that machine and get the share from there. Enabling NIS
+lookups looks like the following:</p>
+
+<blockquote><pre class="code">[globals]
+    nis homedir = yes
+    homedir map = amd.map</pre></blockquote>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> The system checkbox will
+probably be grayed for your file. Don't worry about
+that&mdash;you should still be able to see when the box is checked
+and when it isn't.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch09.html b/docs/htmldocs/using_samba/ch09.html
new file mode 100644
index 0000000000..bc2a5bb007
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch09.html
@@ -0,0 +1,3448 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 9. Users and Security</h1>
+
+ 
+
+<p><a name="INDEX-1"/>In this chapter, we
+cover the basic concepts of managing security in Samba so that you
+can set up your Samba server with a security policy suited to your
+network.</p>
+
+<p>One of Samba's most complicated tasks lies in
+reconciling the security models of Unix and Windows systems. Samba
+must identify users by associating them with valid usernames and
+groups, authenticate them by checking their passwords, then control
+their access to resources by comparing their access rights to the
+permissions on files and directories. These are complex topics on
+their own, and it doesn't help that there are three
+different operating system types to deal with (Unix, Windows
+95/98/Me, and Windows NT/2000/XP) and that Samba supports multiple
+methods of handling user authentication.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-1"/>
+
+<h2 class="head1">Users and Groups</h2>
+
+<p><a name="INDEX-2"/>Let's start
+out as simply as possible and add support for a single user. The
+easiest way to set up a client user is to create a Unix account (and
+home directory) for that individual on the server and notify Samba of
+the user's existence. You can do the latter by
+creating a disk share that maps to the user's home
+directory in the Samba configuration file and restricting access to
+that user with the <tt class="literal">valid</tt><a name="INDEX-3"/>
+<tt class="literal">users</tt> option. For example:</p>
+
+<blockquote><pre class="code">[dave]
+        path = /home/dave
+        comment = Dave's home directory
+        writable = yes
+        valid users = dave</pre></blockquote>
+
+<p>The <tt class="literal">valid</tt> <tt class="literal">users</tt> option lists
+the users allowed to access the share. In this case, only the user
+<tt class="literal">dave</tt> is allowed to access the share. In some
+situations it is possible to specify that any user can access a disk
+share by using the <tt class="literal">guest</tt> <tt class="literal">ok</tt>
+parameter. Because we don't wish to allow guest
+access, that option is absent here. If you allow both authenticated
+users and guest users access to the same share, you can make some
+files accessible to guest users by assigning world-readable
+permissions to those files while restricting access to other files to
+particular users or groups.</p>
+
+<p>When client users access a Samba share, they have to pass two levels
+of restriction. Unix permissions on files and directories apply as
+usual, and configuration parameters specified in the Samba
+configuration file apply as well. In other words, a client must first
+pass Samba's security mechanisms (e.g.,
+authenticating with a valid username and password, passing the check
+for the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter
+and the <tt class="literal">read</tt> <tt class="literal">only</tt> parameter,
+etc.), as well as the normal Unix file and directory permissions of
+its Unix-side user, before it can gain read/write access to a share.</p>
+
+<p>Remember that you can abbreviate the user's home
+directory by using the <tt class="literal">%H</tt><a name="INDEX-4"/> variable. In addition, you can use the
+Unix username variable <tt class="literal">%u</tt><a name="INDEX-5"/> and/or the client username variable
+<tt class="literal">%U</tt><a name="INDEX-6"/> in your options as well. For
+example :</p>
+
+<blockquote><pre class="code">[dave]
+    comment = %U home directory
+    writable = yes
+    valid users = dave
+    path = %H</pre></blockquote>
+
+<p>With a single user accessing a home directory, access permissions are
+taken care of when the user account is created. The home directory is
+owned by the user, and permissions on it are set appropriately.
+However, if you're creating a shared directory for
+group access, you need to perform a few more steps.
+Let's take a stab at a
+<a name="INDEX-7"/>group share for the
+accounting department in the <em class="emphasis">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[accounting]
+    comment = Accounting Department Directory
+    writable = yes
+    valid users = @account
+    path = /home/samba/accounting
+    create mode = 0660
+    directory mode = 0770</pre></blockquote>
+
+<p>The first thing we did differently is to specify
+<tt class="literal">@account</tt> as the valid user instead of one or more
+individual usernames. This is shorthand for saying that the valid
+users are represented by the Unix group <tt class="literal">account</tt>.
+These users will need to be added to the group entry
+<tt class="literal">account</tt> in the
+<a name="INDEX-8"/><a name="INDEX-9"/>system group file (
+<em class="filename">/etc/group</em><a name="INDEX-10"/>
+or equivalent) to be recognized as part of the group. Once they are,
+Samba will recognize those users as valid users for the share.</p>
+
+<p>In addition, you need to create a shared directory that the members
+of the group can access and point to it with the
+<tt class="literal">path</tt> configuration option. Here are the Unix
+commands that create the shared directory for the accounting
+department (assuming <em class="emphasis">/home/samba</em> already
+exists):</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/samba/accounting</b></tt>
+# <tt class="userinput"><b>chgrp account /home/samba/accounting</b></tt>
+# <tt class="userinput"><b>chmod 770 /home/samba/accounting</b></tt></pre></blockquote>
+
+<p>There are two other options in this <em class="filename">smb.conf</em>
+example, both of which we saw in the previous chapter. These options
+are <tt class="literal">create</tt><a name="INDEX-11"/> <tt class="literal">mode</tt> and
+<tt class="literal">directory</tt><a name="INDEX-12"/> <tt class="literal">mode</tt>. These
+options set the maximum file and directory permissions that a new
+file or directory can have. In this case, we have denied all world
+access to the contents of this share. (This is reinforced by the
+<em class="emphasis">chmod</em> command, shown earlier.)<a name="INDEX-13"/></p>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-1.1"/>
+
+<h3 class="head2">Handling Multiple Individual Users</h3>
+
+<p><a name="INDEX-14"/>Let's return
+to user shares for a moment. If we have several users for whom to set
+up home directory shares, we probably want to use the special
+<tt class="literal">[homes]</tt> share that we introduced in <a href="ch08.html">Chapter 8</a>. With the
+<tt class="literal">[homes]</tt><a name="INDEX-15"/> share, all we need to say is:</p>
+
+<blockquote><pre class="code">[homes]
+    browsable = no
+    writable = yes</pre></blockquote>
+
+<p>The <tt class="literal">[homes]</tt> share is a special section of the
+Samba configuration file. If a user attempts to connect to an
+ordinary share that doesn't appear in the
+<em class="filename">smb.conf</em> file (such as specifying it with a UNC
+in Windows Explorer), Samba will search for a
+<tt class="literal">[homes]</tt> share. If one exists, the incoming share
+name is assumed to be a username and is queried as such in the
+password database ( <em class="filename">/etc/passwd</em> or equivalent)
+file of the Samba server. If it appears, Samba assumes the client is
+a Unix user trying to connect to his home directory.</p>
+
+<p>As an illustration, let's assume that
+<tt class="literal">sofia</tt> is attempting to connect to a share called
+<tt class="literal">[sofia]</tt> on the Samba server. There is no share by
+that name in the configuration file, but a <tt class="literal">[homes]</tt>
+share exists and user <tt class="literal">sofia</tt> is present in the
+password database, so Samba takes the following steps:</p>
+
+<ol><li>
+<p>Samba creates a new disk share called <tt class="literal">[sofia]</tt> with
+the <tt class="literal">path</tt> specified in the
+<tt class="literal">[homes]</tt> section. If no <tt class="literal">path</tt>
+option is specified in <tt class="literal">[homes]</tt>, Samba initializes
+it to her home directory.</p>
+</li><li>
+<p>Samba initializes the new share's options from the
+defaults in <tt class="literal">[globals]</tt>, as well as any overriding
+options in <tt class="literal">[homes]</tt> with the exception of
+<tt class="literal">browsable</tt>.</p>
+</li><li>
+<p>Samba connects <tt class="literal">sofia</tt>'s client to
+that share.</p>
+</li></ol>
+<p>The <tt class="literal">[homes]</tt> share is a fast, painless way to
+create shares for your user community without having to duplicate the
+information from the password database file in the
+<em class="filename">smb.conf</em> file. It does have some
+<a name="INDEX-16"/>peculiarities, however, that we need to
+point out:</p>
+
+<ul><li>
+<p>The <tt class="literal">[homes]</tt> section can represent any account on
+the machine, which isn't always desirable. For
+example, it can potentially create a share for
+<tt class="literal">root</tt>, <tt class="literal">bin</tt>,
+<tt class="literal">sys</tt>, <tt class="literal">uucp</tt>, and the like. You
+can set a global
+<tt class="literal">invalid</tt><a name="INDEX-17"/> <tt class="literal">users</tt> option
+to protect against this.</p>
+</li><li>
+<p>The meaning of the
+<tt class="literal">browsable</tt><a name="INDEX-18"/> configuration option is
+different from other shares; it indicates only that a
+<tt class="literal">[homes]</tt> section won't show up in
+the local browse list, not that the <tt class="literal">[alice]</tt> share
+won't. When the <tt class="literal">[alice]</tt> section
+is created (after the initial connection), it will use the
+<tt class="literal">browsable</tt> value from the
+<tt class="literal">[globals]</tt> section for that share, not the value
+from <tt class="literal">[homes]</tt>.</p>
+</li></ul>
+<p>As we mentioned, there is no need for a path statement in
+<tt class="literal">[homes]</tt> if the users have Unix home directories in
+the server's <em class="filename">/etc/passwd</em> file.
+You should ensure that a valid home directory does exist, however, as
+Samba will not automatically create a home directory for a user and
+will refuse a tree connect if the user's directory
+does not exist or is not accessible. <a name="INDEX-19"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-2"/>
+
+<h2 class="head1">Controlling Access to Shares</h2>
+
+<p><a name="INDEX-20"/><a name="INDEX-21"/>Often you will need to restrict the users who
+can access a specific share for security reasons. This is very easy
+to do with Samba because it contains a wealth of options for creating
+practically any security configuration. Let's
+introduce a few configurations that you might want to use in your own
+Samba setup.</p>
+
+<p>We've seen what happens when you specify valid
+users. However, you are also allowed to specify a list of
+<a name="INDEX-22"/>invalid users&mdash;users who should never be
+allowed access to Samba or its shares. This is done with the
+<tt class="literal">invalid</tt><a name="INDEX-23"/> <tt class="literal">users</tt>
+option. We hinted at one frequent use of this option earlier: a
+global default with the <tt class="literal">[homes]</tt> section to ensure
+that various system users and superusers cannot be forged for access.
+For example:</p>
+
+<blockquote><pre class="code">[global]
+    invalid users = root bin daemon adm sync shutdown \
+                        halt mail news uucp operator
+    auto services = dave peter bob
+
+[homes]
+    browsable = no
+    writable = yes</pre></blockquote>
+
+<p>The <tt class="literal">invalid</tt> <tt class="literal">users</tt> option, like
+<tt class="literal">valid</tt> <tt class="literal">users</tt>, can take group
+names, preceded by an at sign (<tt class="literal">@</tt>), as well as
+usernames. In the event that a user or group appears in both lists,
+the <tt class="literal">invalid</tt> <tt class="literal">users</tt> option takes
+precedence, and the user or group is denied access to the share.</p>
+
+<p>At the other end of the spectrum, you can explicitly specify users
+who will be allowed <a name="INDEX-24"/><a name="INDEX-25"/>superuser (root) access to a share with
+the <tt class="literal">admin</tt><a name="INDEX-26"/> <tt class="literal">users</tt>
+option. An example follows:</p>
+
+<blockquote><pre class="code">[sales]
+        path = /home/sales
+        comment = Sedona Real Estate Sales Data
+        writable = yes
+        valid users = sofie shelby adilia
+        admin users = mike</pre></blockquote>
+
+<p>This option takes both group names and usernames. In addition, you
+can specify NIS netgroups by preceding them with an
+<tt class="literal">@</tt> as well; if the netgroup is not found, Samba
+will assume that you are referring to a standard Unix group.</p>
+
+<p>Be careful if you assign administrative privileges to a share for an
+entire group. The Samba Team highly recommends you avoid using this
+option, as it essentially gives root access to the specified users or
+groups for that share.</p>
+
+<p>If you wish to force read-only or read/write access on users who
+access a share, you can do so with the
+<tt class="literal">read</tt><a name="INDEX-27"/> <tt class="literal">list</tt> and
+<tt class="literal">write</tt> <tt class="literal">list</tt> options,
+respectively. These options can be used on a per-share basis to
+restrict a writable share or to grant write access to specific users
+in a read-only share, respectively. For example:</p>
+
+<blockquote><pre class="code">[sales]
+        path = /home/sales
+        comment = Sedona Real Estate Sales Data
+        read only = yes
+        write list = sofie shelby</pre></blockquote>
+
+<p>The <tt class="literal">write</tt><a name="INDEX-28"/> <tt class="literal">list</tt> option
+cannot override Unix permissions. If you've created
+the share without giving the <tt class="literal">write-list</tt> user write
+permission on the Unix system, she will be denied write access
+regardless of the setting of <tt class="literal">write</tt>
+<tt class="literal">list</tt>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-2.1"/>
+
+<h3 class="head2">Guest Access</h3>
+
+<p><a name="INDEX-29"/>As mentioned
+earlier, you can configure a share using
+<tt class="literal">guest</tt><a name="INDEX-30"/> <tt class="literal">ok</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> to allow access to guest
+users. This works only when using share-level security, which we will
+cover later in this chapter. When a user connects as a guest,
+authenticating with a username and password is unnecessary, but Samba
+still needs a way to map the connected client to a user on the local
+system. The <tt class="literal">guest</tt><a name="INDEX-31"/>
+<tt class="literal">account</tt> parameter can be used in the share to
+specify the Unix account that guest users should be assigned when
+connecting to the Samba server. The default value for this is set
+during compilation and is typically <tt class="literal">nobody</tt>, which
+works well with most Unix versions. However, on some systems the
+<tt class="literal">nobody</tt><a name="INDEX-32"/> account is not allowed to access some
+services (e.g., printing), and you might need to set the guest user
+to <tt class="literal">ftp</tt> or some other account instead.</p>
+
+<p>If you wish to restrict access in a share only to guests&mdash;in
+other words, all clients connect as the guest account when accessing
+the share&mdash;you can use the <tt class="literal">guest</tt>
+<tt class="literal">only</tt> option in conjunction with the
+<tt class="literal">guest</tt> <tt class="literal">ok</tt> option, as shown in
+the following example:</p>
+
+<blockquote><pre class="code">[sales]
+        path = /home/sales
+        comment = Sedona Real Estate Sales Data
+        writable = yes
+        guest ok = yes
+        guest account = ftp
+        guest only = yes</pre></blockquote>
+
+<p>Make sure you specify <tt class="literal">yes</tt> for both
+<tt class="literal">guest</tt> <tt class="literal">only</tt> and
+<tt class="literal">guest</tt> <tt class="literal">ok</tt>; otherwise, Samba will
+not use the guest account that you specify.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-2.2"/>
+
+<h3 class="head2">Access Control Options</h3>
+
+<p><a href="ch09.html#samba2-CHP-9-TABLE-1">Table 9-1</a> <a name="INDEX-33"/><a name="INDEX-34"/>summarizes the options that you can use
+to control access to shares.</p>
+
+<a name="samba2-CHP-9-TABLE-1"/><h4 class="head4">Table 9-1. Share-level access options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">admin users</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who can perform operations as root</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">valid users</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who can connect to a share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">invalid users</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who will be denied access to a share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">read list</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who have read-only access to a writable share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">write list</tt></p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users who have read/write access to a read-only share</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max connections</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum number of connections for a share at a given time</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">guest only</tt> <tt class="literal">(only guest)</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows only guest access</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">guest account</tt></p>
+</td>
+<td>
+<p>string (name of account)</p>
+</td>
+<td>
+<p>Unix account that will be used for guest access</p>
+</td>
+<td>
+<p><tt class="literal">nobody</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.1"/>
+
+<a name="INDEX-35"/><h3 class="head3">admin users</h3>
+
+<p>This option specifies a list of users that perform file operations as
+if they were <tt class="literal">root</tt>. This means that they can modify
+or destroy any other user's files, regardless of the
+permissions. Any files that they create will have root ownership and
+will use the default group of the admin user. The
+<tt class="literal">admin</tt> <tt class="literal">users</tt> option allows PC
+users to act as administrators for particular shares. Be very careful
+when using this option, and make sure good password and other
+security policies are in place.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.2"/>
+
+<a name="INDEX-36"/><a name="INDEX-37"/><h3 class="head3">valid users, invalid users</h3>
+
+<p>These two options let you enumerate the users and groups who are
+granted or denied access to a particular share. You can enter a list
+of user and/or group names. If a name is prefixed by an at sign
+(<tt class="literal">@</tt>), it is interpreted as a group name&mdash;with
+NIS groups searched before Unix groups. If the name is prefixed by a
+plus sign (<tt class="literal">+</tt>), it is interpreted as the name of a
+Unix group, and NIS is not searched. If the name is prefixed by an
+ampersand (<tt class="literal">&amp;</tt>), it is interpreted as an NIS
+group name rather than as a Unix group name. The plus sign and
+ampersand can be used together to specify whether NIS or Unix groups
+are searched first. For example:</p>
+
+<blockquote><pre class="code">[database]
+    valid users = mary ellen sue &amp;sales +marketing @dbadmin
+    invalid users = gavin syd dana &amp;techies +&amp;helpdesk</pre></blockquote>
+
+<p>In the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter,
+users <tt class="literal">mary</tt>, <tt class="literal">ellen</tt>, and
+<tt class="literal">sue</tt> are allowed access to the
+<tt class="literal">[database]</tt> share, as are the members of the Unix
+group <tt class="literal">marketing</tt> and NIS/Unix group
+<tt class="literal">dbadmin</tt>. The <tt class="literal">invalid</tt>
+<tt class="literal">users</tt> parameter denies access to the share by
+users <tt class="literal">gavin</tt>, <tt class="literal">syd</tt>, and
+<tt class="literal">dana</tt>, as well as members of the NIS group
+<tt class="literal">techies</tt> and Unix/NIS group
+<tt class="literal">helpdesk</tt>. In this last case, the list of Unix
+groups is searched first for the <tt class="literal">helpdesk</tt> group,
+and if it is not found there, the list of NIS groups is searched.</p>
+
+<p>The important rule to remember with these options is that any name or
+group in the <tt class="literal">invalid</tt> <tt class="literal">users</tt> list
+will <em class="emphasis">always</em> be denied access, even if it is
+included (in any form) in the <tt class="literal">valid</tt>
+<tt class="literal">users</tt> list.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.3"/>
+
+<a name="INDEX-38"/><a name="INDEX-39"/><h3 class="head3">read list, write list</h3>
+
+<p>Like the <tt class="literal">valid</tt> <tt class="literal">users</tt>
+<tt class="literal">and</tt> <tt class="literal">invalid</tt>
+<tt class="literal">users</tt> options, this pair of options specifies
+which users have read-only access to a writable share and read/write
+access to a read-only share, respectively. The value of either
+options is a list of users. The <tt class="literal">read</tt>
+<tt class="literal">list</tt> parameter overrides any other Samba
+permissions granted&mdash;as well as Unix file permissions on the
+server system&mdash;to deny users write access.
+<tt class="literal">The</tt> <tt class="literal">write</tt>
+<tt class="literal">list</tt> parameter overrides other Samba permissions
+to grant write access, but cannot grant write access if the user
+lacks write permissions for the file on the Unix system. You can
+specify NIS or Unix group names by prefixing the name with an at sign
+(such as <tt class="literal">@users</tt>). Neither configuration option has
+a default value associated with it.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.4"/>
+
+<a name="INDEX-40"/><h3 class="head3">max connections</h3>
+
+<p>This option specifies the maximum number of client connections that a
+share can have at any given time. Any connections that are attempted
+after the maximum is reached will be rejected. The default value is
+<tt class="literal">0</tt>, which is a special case that allows an
+unlimited number of connections. You can override it per share as
+follows:</p>
+
+<blockquote><pre class="code">[accounting]
+    max connections = 30</pre></blockquote>
+
+<p>This option is useful in the event that you need to limit the number
+of users who are accessing a licensed program or piece of data
+concurrently.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.5"/>
+
+<a name="INDEX-41"/><h3 class="head3">guest only</h3>
+
+<p>This share-level option (also called <tt class="literal">only</tt>
+<tt class="literal">guest</tt>) forces a connection to a share to be
+performed with the user specified by the <tt class="literal">guest</tt>
+<tt class="literal">account</tt> option. The share to which this is applied
+must explicitly specify <tt class="literal">guest</tt>
+<tt class="literal">ok</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> for
+this option to be recognized by Samba. The default value for this
+option is <tt class="literal">no</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.6"/>
+
+<a name="INDEX-42"/><h3 class="head3">guest account</h3>
+
+<p>This option specifies the name of the account to be used for guest
+access to shares in Samba. The default for this option varies from
+system to system, but it is often set to <tt class="literal">nobody</tt>.
+Some default user accounts have trouble connecting as guest users. If
+that occurs on your system, the Samba Team recommends using the
+<tt class="literal">ftp</tt> account as the guest user. <a name="INDEX-43"/> <a name="INDEX-44"/><a name="INDEX-45"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-2.3"/>
+
+<h3 class="head2">Username Options</h3>
+
+<p><a href="ch09.html#samba2-CHP-9-TABLE-2">Table 9-2</a> shows two additional options that Samba
+can use to correct for incompatibilities in usernames between Windows
+and Unix.</p>
+
+<a name="samba2-CHP-9-TABLE-2"/><h4 class="head4">Table 9-2. Username options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">username</tt> <tt class="literal">map</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Sets the name of the username mapping file</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">username</tt> <tt class="literal">level</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Indicates the number of capital letters to use when trying to match a
+username</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.1"/>
+
+<a name="INDEX-46"/><h3 class="head3">username map</h3>
+
+<p>Client usernames on an SMB network can be relatively long (up to 255
+characters), while usernames on a Unix network often cannot be longer
+than eight characters. This means that an individual user can have
+one username on a client and another (shorter) one on the Samba
+server. You can get past this issue by<em class="firstterm">
+</em><a name="INDEX-47"/>mapping a free-form client
+username to a Unix username of eight or fewer characters. It is
+placed in a standard text file, using a format that
+we'll describe shortly. You can then specify the
+pathname to Samba with the global <tt class="literal">username</tt>
+<tt class="literal">map</tt> option. Be sure to restrict access to this
+file; make the root user the file's owner and deny
+write access to others (with octal permissions of 744 or 644).
+Otherwise, an untrusted user with access to the file can easily map
+his client username to the root user of the Samba server.</p>
+
+<p>You can specify this option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    username map = /usr/local/samba/private/usermap.txt</pre></blockquote>
+
+<p>Each entry in the username map file should be listed as follows: the
+Unix username, followed by an equal sign (<tt class="literal">=</tt>),
+followed by one or more whitespace-separated SMB client usernames.
+Note that unless instructed otherwise (i.e., a guest connection),
+Samba will expect both the client and the server user to have the
+same password. You can also map NT groups to one or more specific
+Unix groups using the <tt class="literal">@</tt> sign. Here are some
+examples:</p>
+
+<blockquote><pre class="code">jarwin = JosephArwin
+manderso = MarkAnderson
+users = @account</pre></blockquote>
+
+<p>You can also use the asterisk to specify a wildcard that matches any
+free-form client username as an entry in the username map file:</p>
+
+<blockquote><pre class="code">nobody = *</pre></blockquote>
+
+<p>Comments can be placed in the file by starting the line with a hash
+mark (<tt class="literal">#</tt>) or a semicolon (<tt class="literal">;</tt>).</p>
+
+<p>Note that you can also use this file to redirect one Unix user to
+another user. Be careful, though, as Samba and your client might not
+notify the user that the mapping has been made and Samba might be
+expecting a different password.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.2"/>
+
+<a name="INDEX-48"/><h3 class="head3">username level</h3>
+
+<p>SMB clients (such as Windows) will often send usernames in SMB
+connection requests entirely in capital letters; in other words,
+client usernames are not necessarily case-sensitive. On a Unix
+server, however, usernames <em class="emphasis">are</em> case-sensitive:
+the user <tt class="literal">ANDY</tt> is different from the user
+<tt class="literal">andy</tt>. By default, Samba attacks this problem by
+doing the following:</p>
+
+<ol><li>
+<p>Checking for a user account with the exact name sent by the client</p>
+</li><li>
+<p>Testing the username in all lowercase letters</p>
+</li><li>
+<p>Testing the username in lowercase letters with only the first letter
+capitalized</p>
+</li></ol>
+<p>If you wish to have Samba attempt more combinations of upper- and
+lowercase letters, you can use the <tt class="literal">username</tt>
+<tt class="literal">level</tt> global configuration option. This option
+takes an integer value that specifies how many letters in the
+username should be capitalized when attempting to connect to a share.
+You can specify this option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    username level = 3</pre></blockquote>
+
+<p>In this case, Samba attempts all possible permutations of usernames
+having three capital letters. The larger the number, the more
+computations Samba has to perform to match the username, and the
+longer the authentication will take.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-3"/>
+
+<h2 class="head1">Authentication of Clients</h2>
+
+<p><a name="INDEX-49"/>At
+this point, we should discuss how Samba authenticates users. Each
+user who attempts to connect to a share not allowing guest access
+must provide a password to
+<a name="INDEX-50"/>make a successful connection. What
+Samba does with that password&mdash;and consequently the strategy
+Samba will use to handle user authentication&mdash;is the arena of
+the <tt class="literal">security</tt> configuration option. Samba currently
+supports <a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>four
+<a name="INDEX-54"/>security levels on its network:
+<em class="firstterm">share</em>, <em class="firstterm">user</em>,
+<em class="firstterm">server</em>, and <em class="firstterm">domain</em>.</p>
+
+<dl>
+<dt><b><a name="INDEX-55"/>Share-level security</b></dt>
+<dd>
+<p>Each share in the workgroup has one or more passwords associated with
+it. Anyone who knows a valid password for the share can access it.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-56"/>User-level security</b></dt>
+<dd>
+<p>Each share in the workgroup is configured to allow access from
+certain users. With each initial tree connection, the Samba server
+verifies users and their passwords to allow them access to the share.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-57"/>Server-level security</b></dt>
+<dd>
+<p>This is the same as user-level security, except that the Samba server
+uses another server to validate users and their passwords before
+granting access to the share.</p>
+</dd>
+
+
+
+<dt><b><a name="INDEX-58"/>Domain-level security</b></dt>
+<dd>
+<p>Samba becomes a member of a Windows NT domain and uses one of the
+domain's domain controllers&mdash;either the PDC or
+a BDC&mdash;to perform authentication. Once authenticated, the user
+is given a special token that allows her access to any share with
+appropriate access rights. With this token, the domain controller
+will not have to revalidate the user's password each
+time she attempts to access another share within the domain. The
+domain controller can be a Windows NT/2000 PDC or BDC, or Samba
+acting as a Windows NT PDC.</p>
+</dd>
+
+</dl>
+
+<p>Each security policy can be implemented with the global
+<tt class="literal">security</tt> option, as shown in <a href="ch09.html#samba2-CHP-9-TABLE-3">Table 9-3</a>.</p>
+
+<a name="samba2-CHP-9-TABLE-3"/><h4 class="head4">Table 9-3. Security option</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">security</tt><a name="INDEX-59"/></p>
+</td>
+<td>
+<p><tt class="literal">domain</tt>, <tt class="literal">server</tt>,
+<tt class="literal">share</tt>, or <tt class="literal">user</tt></p>
+</td>
+<td>
+<p>Indicates the type of security that the Samba server will use</p>
+</td>
+<td>
+<p><tt class="literal">user</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.1"/>
+
+<h3 class="head2">Share-Level Security</h3>
+
+<p>With share-level security, each share has one or more passwords
+associated with it, with the client being authenticated when first
+connecting to the share. This differs from the other modes of
+security in that there are no restrictions as to whom can access a
+share, as long as that individual knows the correct password. Shares
+often have multiple passwords. For example, one password might grant
+read-only access, while another might grant read/write access.
+Security is maintained as long as unauthorized users do not discover
+the password for a share to which they shouldn't
+have access.</p>
+
+<p>OS/2 and Windows 95/98/Me both support share-level security on their
+resources. You can set up share-level security with Windows 95/98/Me
+by first enabling share-level security using the Access Control tab
+of the Network Control Panel dialog. Then select the
+&quot;Share-level access control&quot; radio
+button (which deselects the &quot;User-level access
+control&quot; radio button), as shown in <a href="ch09.html#samba2-CHP-9-FIG-1">Figure 9-1</a>, and click the OK button. Reboot as requested.</p>
+
+<div class="figure"><a name="samba2-CHP-9-FIG-1"/><img src="figs/sam2_0901.gif"/></div><h4 class="head4">Figure 9-1. Selecting share-level security on a Windows 95/98/Me system</h4>
+
+<p>Next, right-click a resource&mdash;such as a hard drive or a
+CD-ROM&mdash;and select the Properties menu item. This will bring up
+the Resource Properties dialog box. Select the Sharing tab at the top
+of the dialog box, and enable the resource as Shared As. From here,
+you can configure how the shared resource will appear to individual
+users, as well as assign whether the resource will appear as
+read-only, read/write, or a mix, depending on the password that is
+supplied.</p>
+
+<p>You might be thinking that this security model is not a good fit for
+Samba&mdash;and you would be right. In fact, if you set the
+<tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">share</tt> option in the Samba configuration file,
+Samba will still reuse the username/password combinations in the
+system password files to authenticate access. More precisely, Samba
+will take the following steps when a client requests a connection
+using share-level security:</p>
+
+<ol><li>
+<p>When a connection is requested, Samba will accept the password and
+(if sent) the username of the client.</p>
+</li><li>
+<p>If the share is <tt class="literal">guest</tt> <tt class="literal">only</tt> ,
+the user is immediately granted access to the share with the rights
+of the user specified by the <tt class="literal">guest</tt>
+<tt class="literal">account</tt> parameter; no password checking is
+performed.</p>
+</li><li>
+<p>For other shares, Samba appends the username to a list of users who
+are allowed access to the share. It then attempts to validate the
+password given in association with that username. If successful,
+Samba grants the user access to the share with the rights assigned to
+that user. The user will not need to authenticate again unless a
+<tt class="literal">revalidate</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> option has been set inside the share.</p>
+</li><li>
+<p>If the authentication is unsuccessful, Samba attempts to validate the
+password against the list of users previously compiled during
+attempted connections, as well as those specified under the share in
+the configuration file. If the password matches that of any username
+(as specified in the system password file, typically
+<em class="filename">/etc/passwd </em>), the user is granted access to the
+share under that username.</p>
+</li><li>
+<p>However, if the share has a <tt class="literal">guest</tt>
+<tt class="literal">ok</tt> or <tt class="literal">public</tt> option set, the
+user will default to access with the rights of the user specified by
+the <tt class="literal">guest</tt> <tt class="literal">account</tt> option.</p>
+</li></ol>
+<p>You can indicate in the configuration file which users should be
+initially placed on the share-level security user list by using the
+<tt class="literal">username</tt> configuration option, as shown here:</p>
+
+<blockquote><pre class="code">[global]
+    security = share
+
+[accounting1]
+    path = /home/samba/accounting1
+    guest ok = no
+    writable = yes
+    username = davecb, pkelly, andyo</pre></blockquote>
+
+<p>Here, when a user attempts to connect to a share, Samba verifies the
+sent password against each user in its own list, in addition to the
+passwords of users <tt class="literal">davecb</tt>,
+<tt class="literal">pkelly</tt>, and <tt class="literal">andyo</tt>. If any of
+the passwords match, the connection is verified, and the user is
+allowed. Otherwise, connection to the specific share will fail.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.2"/>
+
+<h3 class="head2">Share-Level Security Options</h3>
+
+<p><a href="ch09.html#samba2-CHP-9-TABLE-4">Table 9-4</a> shows the options typically associated
+with <em class="firstterm">share-level
+security</em><a name="INDEX-60"/>.</p>
+
+<a name="samba2-CHP-9-TABLE-4"/><h4 class="head4">Table 9-4. Share-level access options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">only user</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, usernames specified by
+<tt class="literal">username</tt> are the only ones allowed</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">username</tt> (<tt class="literal">user</tt> or
+<tt class="literal">users</tt>)</p>
+</td>
+<td>
+<p>string (list of usernames)</p>
+</td>
+<td>
+<p>Users against which a client's password is tested</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.1"/>
+
+<a name="INDEX-61"/><h3 class="head3">only user</h3>
+
+<p>This Boolean option indicates whether Samba will allow connections to
+a share using share-level security based solely on the individuals
+specified in the <tt class="literal">username</tt> option, instead of those
+users compiled on Samba's internal list. The default
+value for this option is <tt class="literal">no</tt>. You can override it
+per share as follows:</p>
+
+<blockquote><pre class="code">[global]
+    security = share
+[data]
+    username = andy, peter, valerie
+    only user = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.2"/>
+
+<a name="INDEX-62"/><h3 class="head3">username</h3>
+
+<p>This option presents a list of usernames and/or group names against
+which Samba tests a connection password to allow access. It is
+typically used with clients that have share-level security to allow
+connections to a particular service based solely on a qualifying
+password&mdash;in this case, one that matches a password set up for a
+specific user:</p>
+
+<blockquote><pre class="code">[global]
+    security = share
+[data]
+    username = andy, peter, terry</pre></blockquote>
+
+<p>You can enter a list of usernames and/or group names. If a name is
+prefixed by an at sign (<tt class="literal">@</tt>), it is interpreted as a
+group name, with NIS groups searched before Unix groups. If the name
+is prefixed by a plus sign (<tt class="literal">+</tt>), it is interpreted
+as the name of a Unix group, and NIS is not searched. If the name is
+prefixed by an ampersand (<tt class="literal">&amp;</tt>), it is
+interpreted as an NIS group name rather than a Unix group name. The
+plus sign and ampersand can be used together to specify whether NIS
+or Unix groups are searched first. When Samba encounters a group name
+in this option, it attempts to authenticate each user in the group
+until if finds one that succeeds. Beware that this can be very
+inefficient.</p>
+
+<p>We recommend against using this option unless you are implementing a
+Samba server with share-level security.</p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.3"/>
+
+<h3 class="head2">User-Level Security</h3>
+
+<p>The default mode of security with Samba is <em class="firstterm">user-level
+security</em><a name="INDEX-63"/>. With this method, each share is
+assigned specific users that can access it. When a user requests a
+connection to a share, Samba authenticates by validating the given
+username and password with the authorized users in the configuration
+file and the passwords in the password database of the Samba server.
+As mentioned earlier in the chapter, one way to isolate which users
+are allowed access to a specific share is by using the
+<tt class="literal">valid</tt> <tt class="literal">users</tt> option for each
+share:</p>
+
+<blockquote><pre class="code">[global]
+    security = user
+
+[accounting1]
+    writable = yes
+    valid users = bob, joe, sandy</pre></blockquote>
+
+<p>Each user listed can connect to the share if the password provided
+matches the password stored in the system password database on the
+server. Once the initial authentication succeeds, the client will not
+need to supply a password again to access that share unless the
+<tt class="literal">revalidate</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> option has been set.</p>
+
+<p>Passwords can be sent to the Samba server in either an encrypted or a
+nonencrypted format. If you have both types of systems on your
+network, you should ensure that the passwords represented by each
+user are stored both in a traditional account database and
+Samba's encrypted password database. This way,
+authorized users can gain access to their shares from any type of
+client.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> However, we recommend that you
+move your system to encrypted passwords and abandon nonencrypted
+passwords if security is an issue. <a href="ch09.html#samba2-CHP-9-SECT-4">Section 9.4</a> of this chapter
+explains how to use encrypted as well as nonencrypted passwords.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.4"/>
+
+<h3 class="head2">Server-Level Security</h3>
+
+<p><em class="firstterm">Server-level
+security</em><a name="INDEX-64"/> is similar to user-level security.
+However, with server-level security, Samba delegates password
+authentication to another SMB password server&mdash;typically another
+Samba server or a Windows NT/2000 server acting as a PDC on the
+network. Note that Samba still maintains its list of shares and their
+configuration in its <em class="filename">smb.conf</em> file. When a
+client attempts to make a connection to a particular share, Samba
+validates that the user is indeed authorized to connect to the share.
+Samba then attempts to validate the password by passing the username
+and password to the SMB password server. If the password is accepted,
+a session is established with the client. See <a href="ch09.html#samba2-CHP-9-FIG-2">Figure 9-2</a> for an illustration of this setup.</p>
+
+<div class="figure"><a name="samba2-CHP-9-FIG-2"/><img src="figs/sam2_0902.gif"/></div><h4 class="head4">Figure 9-2. A typical system setup using server-level security</h4>
+
+<p>You can configure Samba to use a separate password server under
+server-level security with the use of the
+<tt class="literal">password</tt><a name="INDEX-65"/> <tt class="literal">server</tt>
+global configuration option, as follows:</p>
+
+<blockquote><pre class="code">[global]
+    security = server
+    password server = mixtec toltec</pre></blockquote>
+
+<p>Note that you can specify more than one machine as the target of the
+<tt class="literal">password</tt> <tt class="literal">server</tt>; Samba moves
+down the list of servers in the event that its first choice is
+unreachable. The servers identified by the
+<tt class="literal">password</tt> <tt class="literal">server</tt> option are
+given as NetBIOS names, not their DNS names or equivalent IP
+addresses. Also, if any of the servers reject the given password, the
+connection automatically fails&mdash;Samba will not attempt another
+server.</p>
+
+<p>One caveat: when using this option, you still need an account
+representing that user on the regular Samba server. This is because
+the Unix operating system needs a username to perform various I/O
+operations. The preferable method of handling this is to give the
+user an account on the Samba server but disable the
+account's password by replacing it in the system
+password file (e.g., <em class="filename">/etc/passwd </em>) with an
+asterisk (*).</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-3.5"/>
+
+<h3 class="head2">Domain-Level Security</h3>
+
+<p>With <em class="firstterm">domain-level
+security</em><a name="INDEX-66"/>, the Samba server acts as a member of
+a Windows domain. Recall from <a href="ch01.html">Chapter 1</a> that each
+domain has a primary domain controller, which can be a Windows
+NT/2000 or Samba server offering password authentication. The domain
+controller keeps track of users and passwords in its own database and
+authenticates each user when she first logs on and wishes to access
+another machine's shares.</p>
+
+<p>As mentioned earlier in this chapter, Samba has a similar ability to
+offer user-level security, but that option is Unix-centric and
+assumes that the authentication occurs via Unix password files. If
+the Unix machine is part of an NIS or NIS+ domain, Samba
+authenticates users transparently against a shared password file in
+typical Unix fashion. Samba then provides access to the NIS or NIS+
+domain from Windows. There is, of course, no relationship between the
+NIS concept of a domain and a Windows NT domain.</p>
+
+<p>Configuring Samba for domain-level security is covered in <a href="ch04.html">Chapter 4</a> in <a href="ch04.html#samba2-CHP-4-SECT-7">Section 4.7</a>. <a name="INDEX-67"/></p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-4"/>
+
+<h2 class="head1">Passwords</h2>
+
+<p><a name="INDEX-68"/>Passwords
+are a thorny issue with Samba. So much so, in fact, that they are
+often the first major problem that users encounter when they install
+Samba. At this point, we need to delve deeper into Samba to discover
+what is happening on the network.</p>
+
+<p>Passwords sent from individual clients can be either encrypted or
+nonencrypted. Encrypted passwords are, of course, more secure. A
+nonencrypted, plain-text password can be easily read with a
+packet-sniffing program, such as the modified
+<em class="emphasis">tcpdump</em> program for Samba that we used in <a href="ch01.html">Chapter 1</a>. Whether passwords are encrypted by default
+depends on the operating system that the client is using to connect
+to the Samba server. <a href="ch09.html#samba2-CHP-9-TABLE-5">Table 9-5</a> lists which
+<a name="INDEX-69"/>Windows operating
+systems encrypt their passwords and which send plain-text passwords
+by default.</p>
+
+<a name="samba2-CHP-9-TABLE-5"/><h4 class="head4">Table 9-5. Windows operating systems with encrypted passwords</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Operating system</p>
+</th>
+<th>
+<p>Encrypted or plain text</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>Windows for Workgroups</p>
+</td>
+<td>
+<p>Plain text</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95</p>
+</td>
+<td>
+<p>Plain text</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 95 with SMB Update</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 98</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows Me</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT 3.x</p>
+</td>
+<td>
+<p>Plain text</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT 4.0 before SP <tt class="literal">3</tt></p>
+</td>
+<td>
+<p>Plain text</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows NT 4.0 after SP 3</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows 2000</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Windows XP</p>
+</td>
+<td>
+<p>Encrypted</p>
+</td>
+</tr>
+
+</table>
+
+<p>Three different encryption methods are used. Windows 95/98/Me clients
+use a method inherited from Microsoft's LAN Manager
+network software. Windows NT/2000/XP systems use a newer system,
+called NT LAN Manager, or NTLM. A newer version of this (called NT
+LAN Manager Version 2, or NTLMv2) uses a different method for
+password hashing.</p>
+
+<p>If encrypted passwords are supported, Samba stores the encrypted
+passwords in a file called <em class="filename">smbpasswd</em>. By
+default, this file is located in the <em class="filename">private</em>
+directory of the Samba distribution (typically
+<em class="filename">/usr/local/samba/private</em>). At the same time, the
+client stores an encrypted version of a user's
+password on its own system. The plain-text password is never stored
+on either system. Each system encrypts the password automatically
+using a standard algorithm when the password is set or changed.</p>
+
+<p>When a client requests a connection to an SMB server that supports
+encrypted passwords (such as Samba or Windows NT/2000/XP), the two
+computers undergo the following negotiations:</p>
+
+<ol><li>
+<p>The client attempts to negotiate a protocol with the server.</p>
+</li><li>
+<p>The server responds with a protocol and indicates that it supports
+encrypted passwords. At this time, it sends back a randomly generated
+8-byte challenge string.</p>
+</li><li>
+<p>The client uses the challenge string as a key to encrypt its already
+encrypted password using an algorithm predefined by the negotiated
+protocol. It then sends the result to the server.</p>
+</li><li>
+<p>The server does the same thing with the encrypted password stored in
+its database. If the results match, the passwords are equivalent, and
+the user is authenticated.</p>
+</li></ol>
+<p>Note that even though the original passwords are not involved in the
+authentication process, you need to be very careful that the
+encrypted passwords located inside the <em class="filename">smbpasswd</em>
+file are guarded from unauthorized users. If they are compromised, an
+unauthorized user can break into the system by replaying the steps of
+the previous algorithm. The encrypted passwords are just as sensitive
+as the plain-text passwords&mdash;this is known as
+<em class="firstterm">plain-text-equivalent</em> data in the cryptography
+world. Of course, your local security policy should require that the
+clients safeguard their plain-text-equivalent passwords as well.</p>
+
+<p>You can configure Samba to accept encrypted passwords with the
+following global additions to <em class="filename">smb.conf</em>. Note
+that we explicitly name the location of the Samba password file:</p>
+
+<blockquote><pre class="code">[global]
+    security = user
+    encrypt passwords = yes
+    smb passwd file = /usr/local/samba/private/smbpasswd</pre></blockquote>
+
+<p>Samba, however, will not accept any users until the
+<em class="filename">smbpasswd</em> file has been created and the users
+have been added to it with the <em class="emphasis">smbpasswd</em>
+command, as we showed you in <a href="ch02.html">Chapter 2</a>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-4.1"/>
+
+<h3 class="head2">Disabling Encrypted Passwords on the Client</h3>
+
+<p><a name="INDEX-70"/><a name="INDEX-71"/>While Unix authentication has been
+in use for decades&mdash;including the use of
+<em class="emphasis">telnet</em> and <em class="emphasis">rlogin</em> access
+across the Internet&mdash;it embodies well-known security risks.
+Plaintext passwords are sent over the Internet and can be retrieved
+from TCP packets by malicious snoopers. However, if you feel that
+your network is secure and you wish to use standard Unix
+<em class="filename">/etc/passwd</em> authentication for all clients, you
+can do so, but you must disable encrypted passwords on those Windows
+clients that default to using them.</p>
+
+<p>To do this, you must modify the Windows registry on each client
+system. The Samba distribution includes the <em class="filename">.reg</em>
+files you need for this, located in the source
+distribution's <em class="filename">/docs/Registry</em>
+directory. Depending on the platform, you use one of the following
+files:</p>
+
+<blockquote class="simplelist">
+
+<p><em class="filename">Win95_PlainPassword.reg</em></p>
+
+<p><em class="filename">Win98_PlainPassword.reg</em></p>
+
+<p><em class="filename">WinME_PlainPassword.reg</em></p>
+
+<p><em class="filename">NT_PlainPassword.reg</em></p>
+
+<p><em class="filename">Win2000_PlainPassword.reg</em></p>
+
+</blockquote>
+
+<p>(For Windows XP, use the <em class="filename">.reg</em> file for Windows
+2000.) You can perform the installation by copying the appropriate
+<em class="filename">.reg</em> file to a DOS floppy, inserting the floppy
+in the client's floppy drive, and running the
+<em class="filename">.reg</em> file from the Run menu item in the
+client's Start menu. (Or you can just double-click
+the file's icon.)</p>
+
+<p>After you reboot the machine, the client will not encrypt its hashed
+passwords before sending them to the server. This means that the
+plain-text passwords can been seen in the TCP packets that are
+broadcast across the network. Again, we encourage you not to do this
+unless you are absolutely sure that your network is secure.</p>
+
+<p>If passwords are not encrypted, use these two lines in your Samba
+configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    security = user
+    encrypt passwords = no</pre></blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-4.2"/>
+
+<h3 class="head2">The smbpasswd File</h3>
+
+<p>Samba stores its encrypted passwords in a file called
+<em class="filename">smbpasswd</em><a name="INDEX-72"/>,
+which by default resides in the
+<em class="filename">/usr/local/samba/private</em> directory. The
+<em class="filename">smbpasswd</em> file should be guarded as closely as
+the Unix system's password file (either
+<em class="filename">/etc/passwd</em> or
+<em class="filename">/etc/shadow</em>). Only the root user should have
+read/write access to the <em class="filename">private</em> directory, and
+no other users should have access to it at all. In addition, the
+<em class="filename">smbpasswd</em> file should have all access denied to
+all users except for root. When things are set up for good security,
+long listings of the <em class="filename">private</em> directory and
+<em class="filename">smbpasswd</em> file look like the following:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ls -ld /usr/local/samba/private</b></tt>
+drwx- - - - - -   2 root   root   4096 Nov 26 01:11 /usr/local/samba/private
+# <tt class="userinput"><b>ls -l /usr/local/samba/private/smbpasswd</b></tt>
+-rw- - - - - - -   1 root   root    204 Nov 26 01:11 /usr/local/samba/private/smbpasswd</pre></blockquote>
+
+<p>Before you can use encrypted passwords, you need to create an entry
+for each Unix user in the <em class="filename">smbpasswd</em> file. The
+structure of the file is somewhat similar to a Unix
+<em class="filename">passwd</em> file, but has different fields. <a href="ch09.html#samba2-CHP-9-FIG-3">Figure 9-3</a> illustrates the layout of the
+<em class="filename">smbpasswd</em> file; the entry shown is actually one
+line in the file.</p>
+
+<div class="figure"><a name="samba2-CHP-9-FIG-3"/><img src="figs/sam2_0903.gif"/></div><h4 class="head4">Figure 9-3. Structure of the smbpasswd file entry (actually one line)</h4>
+
+<p>Normally, entries in the <em class="filename">smbpasswd</em> file are
+created automatically by the <em class="emphasis">smbpasswd</em> command.
+Still, you might like to know how to interpret data within the
+<em class="filename">smbpasswd</em> file, in case you'd
+like to see what accounts are stored in it or even modify it
+manually. Here is a breakdown of the individual fields:</p>
+
+<dl>
+<dt><b>Username</b></dt>
+<dd>
+<p>This is the username of the account. It is taken directly from the
+system password file.</p>
+</dd>
+
+
+
+<dt><b>UID</b></dt>
+<dd>
+<p>This is the user ID (UID) of the account. Like the username, it is
+taken directly from the system password file and must match the UID
+there.</p>
+</dd>
+
+
+
+<dt><b>LAN Manager Password Hash</b></dt>
+<dd>
+<p>This is a 32-bit hexadecimal sequence that represents the password
+Windows 95/98/Me clients will use. It is derived by splitting the
+password into two 7-character strings, with all lowercase letters
+forced into uppercase. If fewer than 14 characters are in the
+password, the strings are padded with nulls. Then each 7-character
+string is converted to a 56-bit DES key and used to encrypt the
+constant string <tt class="literal">KGS!@#$%</tt>. The two 64-bit results
+are concatenated and stored as the password hash.</p>
+
+
+<p>If there is currently no password for the user, the first 11
+characters of the hash will consist of the sequence
+<tt class="literal">NO</tt> <tt class="literal">PASSWORD</tt> followed by
+<tt class="literal">X</tt> characters for the remainder. If the password
+has been disabled, it will consist of 32 <tt class="literal">X</tt>
+characters.</p>
+</dd>
+
+
+<dt><b>NT LAN Manager (NTLM) Password Hash</b></dt>
+<dd>
+<p>This is a 32-bit hexadecimal sequence that represents the password
+Windows NT/2000/XP clients will use. It is derived by hashing the
+user's password (represented as a 16-bit
+little-endian Unicode sequence) with an MD4 hash. The password is not
+converted to uppercase letters first.</p>
+</dd>
+
+
+
+<dt><b>Account Flags</b></dt>
+<dd>
+<p>This field consists of 11 characters between two braces ( [ ] ). Any
+of the following characters can appear in any order; the remaining
+characters should be spaces:</p>
+
+
+<dl>
+<dt><b>U</b></dt>
+<dd>
+<p>This account is a standard user account.</p>
+</dd>
+
+
+
+<dt><b>D</b></dt>
+<dd>
+<p>This account is currently disabled, and Samba should not allow any
+logins.</p>
+</dd>
+
+
+
+<dt><b>N</b></dt>
+<dd>
+<p>This account has no password associated with it.</p>
+</dd>
+
+
+
+<dt><b>W</b></dt>
+<dd>
+<p>This is a workstation trust account that can be used to configure
+Samba as a PDC when allowing Windows NT machines to join its domain.</p>
+</dd>
+
+</dl>
+</dd>
+
+
+<dt><b>Last Change Time</b></dt>
+<dd>
+<p>This code consists of the characters <tt class="literal">LCT-</tt> followed
+by a hexadecimal representation of the number of seconds since the
+epoch (midnight on January 1, 1970) that the entry was last changed.
+<a name="INDEX-73"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-4.3"/>
+
+<h3 class="head2">Password Synchronization</h3>
+
+<p><a name="INDEX-74"/><a name="INDEX-75"/>Having a regular password (either in
+<em class="filename">/etc/passwd</em> or <em class="filename">/etc/shadow</em>)
+and an encrypted version of the same password (in the
+<em class="filename">smbpasswd</em> file) can be troublesome when you need
+to change both of them. Luckily, Samba affords you a limited ability
+to keep your passwords synchronized. Samba has a pair of
+configuration options to update a user's regular
+Unix password automatically when the encrypted password is changed on
+the system. The feature can be activated by specifying the
+<tt class="literal">unix</tt><a name="INDEX-76"/> <tt class="literal">password</tt>
+<tt class="literal">sync</tt> global configuration option:</p>
+
+<blockquote><pre class="code">[global]
+    unix password sync = yes</pre></blockquote>
+
+<p>With this option enabled, Samba attempts to change the
+user's regular password (as <tt class="literal">root</tt>)
+when the encrypted version is changed with
+<em class="filename">smbpasswd</em>. However, two other options have to be
+set correctly for this to work.</p>
+
+<p>The easier of the two is <tt class="literal">passwd</tt>
+<tt class="literal">program</tt>. This option simply specifies the Unix
+command used to change a user's standard system
+password. It is set to <tt class="literal">/bin/passwd</tt>
+<tt class="literal">%u</tt> by default. With some Unix systems, this is
+sufficient, and you do not need to change anything. Others, such as
+Red Hat Linux, use <em class="emphasis">/usr/bin/passwd</em> instead. In
+addition, you might want to change this to another program or script
+at some point in the future. For example, let's
+assume that you want to use a script called
+<em class="emphasis">changepass</em> to change a user's
+password. Recall that you can use the variable <tt class="literal">%u</tt>
+to represent the current Unix username. So the example becomes:</p>
+
+<blockquote><pre class="code">[global]
+    unix password sync = yes
+    passwd program = changepass %u</pre></blockquote>
+
+<p>Note that this program is called as the <tt class="literal">root</tt> user
+when the <tt class="literal">unix</tt> <tt class="literal">password</tt>
+<tt class="literal">sync</tt> option is set to <tt class="literal">yes</tt>. This
+is because Samba does not necessarily have the old plain-text
+password of the user.</p>
+
+<p>The harder option to configure is
+<tt class="literal">passwd</tt><a name="INDEX-77"/> <tt class="literal">chat</tt>. The
+<tt class="literal">passwd</tt> <tt class="literal">chat</tt> option works like a
+Unix chat script. It specifies a series of strings to send, as well
+as responses to expect from the program specified by the
+<tt class="literal">passwd</tt> <tt class="literal">program</tt> option. For
+example, this is what the default <tt class="literal">passwd</tt>
+<tt class="literal">chat</tt> looks like. The delimiters are the spaces
+between each grouping of characters:</p>
+
+<blockquote><pre class="code">passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*</pre></blockquote>
+
+<p>The first grouping represents a response expected from the
+password-changing program. Note that it can contain wildcards
+(<tt class="literal">*</tt>), which help to generalize the chat programs to
+handle a variety of similar outputs. Here,
+<tt class="literal">*old*password*</tt> indicates that Samba is expecting
+any line from the password program containing the letters
+<tt class="literal">old</tt> followed by the letters
+<tt class="literal">password</tt>, without regard for what comes before,
+after, or between them. If Samba does not receive the expected
+response, the password change will fail.</p>
+
+<p>The second grouping indicates what Samba should send back once the
+data in the first grouping has been matched. In this case, you see
+<tt class="literal">%o\n</tt>. This response is actually two items: the
+variable <tt class="literal">%o</tt> represents the old password, while the
+<tt class="literal">\n</tt> is a newline character. So, in effect, this
+will &quot;type&quot; the old password into
+the standard input of the password-changing program, and then
+&quot;press&quot; Enter.</p>
+
+<p>Following that is another response grouping, followed by data that
+will be sent back to the password-changing program. (In fact, this
+response/send pattern continues indefinitely in any standard Unix
+<em class="emphasis">chat</em> script.) The script continues until the
+final pattern is matched.</p>
+
+<p>You can help match the response strings sent from the password
+program with the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-6">Table 9-6</a>.
+In addition, you can use the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-7">Table 9-7</a> to help formulate your response.</p>
+
+<a name="samba2-CHP-9-TABLE-6"/><h4 class="head4">Table 9-6. Password chat response characters</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Character</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">*</tt></p>
+</td>
+<td>
+<p>Zero or more occurrences of any character.</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>&quot;<tt class="literal"> </tt>&quot;</p>
+</td>
+<td>
+<p>Allows you to include matching strings that contain spaces. Asterisks
+are still considered wildcards even inside of quotes, and you can
+represent a null response with empty quotes.</p>
+</td>
+</tr>
+
+</table>
+
+<a name="samba2-CHP-9-TABLE-7"/><h4 class="head4">Table 9-7. Password chat send characters</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Character</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">%o</tt></p>
+</td>
+<td>
+<p>The user's old password</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%n</tt></p>
+</td>
+<td>
+<p>The user's new password</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">\n</tt></p>
+</td>
+<td>
+<p>The linefeed character</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">\r</tt></p>
+</td>
+<td>
+<p>The carriage-return character</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">\t</tt></p>
+</td>
+<td>
+<p>The tab character</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">\s</tt></p>
+</td>
+<td>
+<p>A space</p>
+</td>
+</tr>
+
+</table>
+
+<p>For example, you might want to change your password chat to the
+following entry. This handles scenarios in which you do not have to
+enter the old password. In addition, this also handles the new
+<tt class="literal">all</tt> <tt class="literal">tokens</tt>
+<tt class="literal">updated</tt> <tt class="literal">successfully</tt> string
+that Red Hat Linux sends:</p>
+
+<blockquote><pre class="code">passwd chat = *New password* %n\n *new password* %n\n *success*</pre></blockquote>
+
+<p>Again, the default chat should be sufficient for many Unix systems.
+If it isn't, you can use the
+<tt class="literal">passwd</tt> <tt class="literal">chat</tt>
+<tt class="literal">debug</tt> global option to set up a new chat script
+for the password change program. The <tt class="literal">passwd</tt>
+<tt class="literal">chat</tt> <tt class="literal">debug</tt> option logs
+everything during a password chat. This option is a simple Boolean,
+as shown here:</p>
+
+<blockquote><pre class="code">[global]
+    unix password sync = yes
+    passwd chat debug = yes
+    log level = 100</pre></blockquote>
+
+<p>After you activate the password chat debug feature, all I/O received
+by Samba through the password chat can be sent to the
+<em class="filename">log.smbd</em> Samba log file with a debug level of
+100, which is why we entered a new <tt class="literal">log</tt>
+<tt class="literal">level</tt> option as well. As this can often generate
+multitudes of error logs, it can be more efficient to use your own
+script&mdash;by setting the <tt class="literal">passwd</tt>
+<tt class="literal">program</tt> option&mdash;in place of
+<em class="filename">/bin/passwd</em> to record what happens during the
+exchange. Be careful because the log file contains the passwords in
+plain text. Keeping files containing plain-text passwords can (or
+<em class="emphasis">should</em>) be against local security policy in your
+organization, and it also might raise serious legal issues. Make sure
+to protect your log files with strict file permissions and to delete
+them as soon as you've grabbed the information you
+need. If possible, use the <tt class="literal">passwd</tt>
+<tt class="literal">chat</tt> <tt class="literal">debug</tt> option only while
+your own password is being changed.</p>
+
+<p>The operating system on which Samba is running might have strict
+requirements for valid passwords to make them more impervious to
+dictionary attacks and the like. Users should be made aware of these
+restrictions when changing their passwords.</p>
+
+<p>Earlier we said that password synchronization is limited. This is
+because there is no reverse synchronization of the encrypted
+<em class="filename">smbpasswd</em> file when a standard Unix password is
+updated by a user. There are various strategies to get around this,
+including NIS and freely available implementations of the Pluggable
+Authentication Modules (PAM) standard, but none of them really solves
+all the problems.</p>
+
+<p>More information regarding passwords can be found in the in the Samba
+source distribution file
+<em class="filename">docs/htmldocs/ENCRYPTION.html</em>.<a name="INDEX-80"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-4.4"/>
+
+<h3 class="head2">Password Configuration Options</h3>
+
+<p><a name="INDEX-81"/><a name="INDEX-82"/>The options in <a href="ch09.html#samba2-CHP-9-TABLE-8">Table 9-8</a> will help you work with passwords in Samba.</p>
+
+<a name="samba2-CHP-9-TABLE-8"/><h4 class="head4">Table 9-8. Password configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">encrypt</tt> <tt class="literal">passwords</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, enables encrypted passwords.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">unix password</tt> <tt class="literal">sync</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, updates the standard Unix password
+database when a user changes his encrypted password.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">passwd chat</tt></p>
+</td>
+<td>
+<p>string (chat commands)</p>
+</td>
+<td>
+<p>Sequence of commands sent to the password program.</p>
+</td>
+<td>
+<p>See earlier section on this option</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">passwd chat</tt> <tt class="literal">debug</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, sends debug logs of the password-change
+process to the log files with a level of 100.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">passwd program</tt></p>
+</td>
+<td>
+<p>string (Unix command)</p>
+</td>
+<td>
+<p>Program to be used to change passwords.</p>
+</td>
+<td>
+<p><tt class="literal">/bin/passwd</tt> <tt class="literal">%u</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">password level</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Number of capital-letter permutations to attempt when matching a
+client's password.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">update</tt> <tt class="literal">encrypted</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, updates the encrypted password file when a
+client connects to a share with a plain-text password.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">null passwords</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows access for users with null
+passwords.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">smb passwd file</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Name of the encrypted password file.</p>
+</td>
+<td>
+<p><tt class="literal">/usr/local/samba/private/smbpasswd</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">hosts equiv</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Name of a file that contains hosts and users that can connect without
+using a password.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">use rhosts</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Name of a .<em class="emphasis">rhosts</em> file that allows users to
+connect without using a password.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.1"/>
+
+<h3 class="head3">encrypt passwords</h3>
+
+<p>The <tt class="literal">encrypt</tt><a name="INDEX-83"/>
+<tt class="literal">passwords</tt> global option switches Samba from using
+plain-text passwords to encrypted passwords for authentication.
+Encrypted passwords will be expected from clients if the option is
+set to <tt class="literal">yes</tt>:</p>
+
+<blockquote><pre class="code">encrypt passwords = yes</pre></blockquote>
+
+<p>In Samba 2.2.x versions and with previous versions, encrypted
+passwords are disabled by default. This was changed in Samba 3.0 to
+make encrypted passwords enabled by default.</p>
+
+<p>If you use encrypted passwords, you must have a valid
+<em class="filename">smbpasswd</em> file in place and populated with
+usernames that authenticate with encrypted passwords. (See <a href="ch09.html#samba2-CHP-9-SECT-4.2">Section 9.4.2</a> earlier in
+this chapter.) In addition, Samba must know the location of the
+<em class="filename">smbpasswd</em> file; if it is not in the default
+location (typically
+<em class="filename">/usr/local/samba/private/smbpasswd</em> ), you can
+explicitly name it using the <tt class="literal">smb</tt>
+<tt class="literal">passwd</tt> <tt class="literal">file</tt> option.</p>
+
+<p>If you wish, you can use <tt class="literal">update</tt>
+<tt class="literal">encrypted</tt> to force Samba to update the
+<em class="filename">smbpasswd</em> file with encrypted passwords each
+time a client connects using a nonencrypted password.</p>
+
+<p>If you have a mixture of clients on your network, with some of them
+using encrypted passwords and others using plain-text passwords, you
+can use the <tt class="literal">include</tt> option to make Samba treat
+each client appropriately. To do this, create individual
+configuration files based on the client name (<tt class="literal">%m</tt>).
+These host-specific configuration files can contain an
+<tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option that activates
+only when those clients are connecting to the server.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.2"/>
+
+<a name="INDEX-84"/><h3 class="head3">unix password sync</h3>
+
+<p>The <tt class="literal">unix</tt> <tt class="literal">password</tt>
+<tt class="literal">sync</tt> global option allows Samba to update the
+standard Unix password file when a user changes her encrypted
+password. The encrypted password is stored on a Samba server in the
+<em class="filename">smbpasswd</em> file, which is located by default in
+<em class="filename">/usr/local/samba/private</em>. You can activate this
+feature as follows:</p>
+
+<blockquote><pre class="code">[global]
+    unix password sync = yes</pre></blockquote>
+
+<p>If this option is enabled, Samba changes the encrypted password and,
+in addition, attempts to change the standard Unix password by passing
+the username and new password to the program specified by the
+<tt class="literal">passwd</tt> <tt class="literal">program</tt> option
+(described earlier). Note that Samba does not necessarily have access
+to the plain-text password for this user, so the password changing
+program must be invoked as <tt class="literal">root</tt>.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> If the Unix password change does not
+succeed, for whatever reason, the SMB password is not changed either.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.3"/>
+
+<a name="INDEX-85"/><h3 class="head3">passwd chat</h3>
+
+<p>This option specifies a series of send/response strings similar to a
+Unix chat script, which interface with the password-changing program
+on the Samba server. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
+chapter covers this option in detail.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.4"/>
+
+<h3 class="head3">passwd chat debug</h3>
+
+<p>If set to <tt class="literal">yes</tt>, the
+<tt class="literal">passwd</tt><a name="INDEX-86"/> <tt class="literal">chat</tt>
+<tt class="literal">debug</tt> global option logs everything sent or
+received by Samba during a password chat. All the I/O received by
+Samba through the password chat is sent to the Samba logs with a
+debug level of 100; you must specify <tt class="literal">log</tt>
+<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">100</tt>
+for the information to be recorded. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
+chapter describes this option in more detail. Be aware that if you do
+set this option, the plain-text passwords will be visible in the
+debugging logs, which could be a security hazard if they are not
+properly secured. It is against the security policy of some
+organizations for system administrators to have access to
+users' passwords.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.5"/>
+
+<h3 class="head3">passwd program</h3>
+
+<p>The <tt class="literal">passwd</tt><a name="INDEX-87"/>
+<tt class="literal">program</tt> option specifies a program on the Unix
+Samba server that Samba can use to update the standard system
+password file when the encrypted password file is updated. This
+option defaults to the standard <em class="emphasis">passwd</em> program,
+usually located in the <em class="filename">/bin</em> directory. The
+<tt class="literal">%u</tt> variable is typically used as the requesting
+user when the command is executed. The actual handling of input and
+output to this program during execution is handled through the
+<tt class="literal">passwd</tt> <tt class="literal">chat</tt> option. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
+chapter covers this option in detail.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.6"/>
+
+<a name="INDEX-88"/><h3 class="head3">password level</h3>
+
+<p>With SMB, nonencrypted (or plain-text) passwords are sent with
+capital letters, just like the usernames mentioned previously. Many
+Unix users, however, choose passwords with both upper- and lowercase
+letters. Samba, by default, only attempts to match the password
+entirely in lowercase letters and not capitalizing the first letter.</p>
+
+<p>Like <tt class="literal">username</tt> <tt class="literal">level</tt>, a
+<tt class="literal">password</tt> <tt class="literal">level</tt> option can be
+used to attempt various permutations of the password with capital
+letters. This option takes an integer value that specifies how many
+letters in the password should be capitalized when attempting to
+connect to a share. You can specify this option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    password level = 3</pre></blockquote>
+
+<p>In this case, Samba then attempts all permutations of the password it
+can compute having three capital letters. The larger the number, the
+more computations Samba has to perform to match the password, and the
+longer a connection to a specific share might take.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.7"/>
+
+<a name="INDEX-89"/><h3 class="head3">update encrypted</h3>
+
+<p>For sites switching over to the encrypted password format, Samba
+provides an option that should help with the transition. The
+<tt class="literal">update</tt> <tt class="literal">encrypted</tt> option allows
+a site to ease into using encrypted passwords from plain-text
+passwords. You can activate this option as follows:</p>
+
+<blockquote><pre class="code">[global]
+    update encrypted = yes</pre></blockquote>
+
+<p>This instructs Samba to create an encrypted version of each
+user's Unix password in the
+<em class="filename">smbpasswd</em> file each time she connects to a
+share. When this option is enabled, you must have the
+<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> option set to
+<tt class="literal">no</tt> so that the client passes plain-text passwords
+to Samba to update the files. Once each user has connected at least
+once, you can set <tt class="literal">encrypted</tt>
+<tt class="literal">passwords</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt>, allowing you to use only the encrypted
+passwords. The user must already have a valid entry in the
+<em class="filename">smbpasswd</em> file for this option to work.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.8"/>
+
+<a name="INDEX-90"/><h3 class="head3">null passwords</h3>
+
+<p>This global option tells Samba whether to allow access from users
+that have null passwords (encrypted or nonencrypted) set in their
+accounts. The default value is <tt class="literal">no</tt>. You can
+override it as follows:</p>
+
+<blockquote><pre class="code">null passwords = yes</pre></blockquote>
+
+<p>We highly recommend against doing so because of the security risks
+this option can present to your system, including inadvertent access
+to system users (such as <tt class="literal">bin</tt>) in the system
+password file who have null passwords set.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.9"/>
+
+<a name="INDEX-91"/><h3 class="head3">smb passwd file</h3>
+
+<p>This global option identifies the location of the encrypted password
+database. By default, it is set to
+<em class="filename">/usr/local/samba/private/smbpasswd</em>. You can
+override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    smb passwd file = /etc/samba/smbpasswd</pre></blockquote>
+
+<p>This location, for example, is common on many Red Hat distributions
+on which Samba has been installed using an RPM package.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.10"/>
+
+<a name="INDEX-92"/><h3 class="head3">hosts equiv</h3>
+
+<p>This global option specifies the name of a standard Unix
+<em class="filename">hosts.equiv</em> file that allows hosts or users to
+access shares without specifying a password. You can specify the
+location of such a file as follows:</p>
+
+<blockquote><pre class="code">[global]
+    hosts equiv = /etc/hosts.equiv</pre></blockquote>
+
+<p>The default value for this option does not specify any
+<em class="filename">hosts.equiv</em> file. Because using a
+<em class="filename">hosts.equiv</em> file is a huge security risk, we
+strongly recommend against using this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.11"/>
+
+<a name="INDEX-93"/><h3 class="head3">use rhosts</h3>
+
+<p>This global option specifies the name of a standard Unix
+user's <em class="filename">.rhosts</em> file that allows
+foreign hosts to access shares without specifying a password. You can
+specify the location of such a file as follows:</p>
+
+<blockquote><pre class="code">[global]
+    use rhosts = /home/dave/.rhosts</pre></blockquote>
+
+<p>The default value for this option does not specify any
+<em class="filename">.rhosts</em> file. Like the <tt class="literal">hosts</tt>
+<tt class="literal">equiv</tt> option discussed earlier, using such a file
+is a security risk. We highly recommend that you do not use this
+option unless you are confident in the security of your network.
+<a name="INDEX-94"/>
+<a name="INDEX-95"/><a name="INDEX-96"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-9-SECT-5"/>
+
+<h2 class="head1">Authentication with winbind</h2>
+
+<p><a name="INDEX-97"/><a name="INDEX-98"/>In <a href="ch03.html">Chapter 3</a>, we
+showed you how to add Windows clients to a network in which user
+accounts were maintained on the Samba server. We added a user account
+to the Windows client using the same username and password as an
+account on the Unix system. This method works well in many computing
+environments. However, if a Samba server is added to a Windows
+network that already has a Windows NT/2000 primary domain controller,
+the PDC has a preexisting database of user accounts and group
+information that is used for authentication. It can be a big chore to
+transfer that database manually to the Unix server, and later
+maintain and synchronize the Unix and Windows databases.</p>
+
+<p>In <a href="ch04.html">Chapter 4</a>, we showed you how to add a Samba
+server as a domain member server to a network having a Windows
+NT/2000 primary domain controller. We set <tt class="literal">security</tt>
+<tt class="literal">=</tt> <tt class="literal">domain</tt> in the Samba
+configuration file to have the Samba server hand off authentication
+to the Windows PDC. Using that method, passwords are kept only on the
+PDC, but it is still necessary to set up user accounts on the Unix
+side to make sure each client has a valid Unix UID and group ID
+(GID). This is necessary for maintaining the file ownerships and
+permissions of the Unix security model. Whenever Samba performs an
+operation on the Unix filesystem on behalf of the Windows client, the
+user must have a valid UID and GID on the local Unix system.</p>
+
+<p>A facility that has recently been added to Samba, winbind, allows the
+Windows <a name="INDEX-99"/>PDC to handle
+not only authentication, but the user and group information as well.
+Winbind works by extending the Unix user and group databases beyond
+the standard <em class="filename">/etc/passwd</em> and
+<em class="filename">/etc/group</em> files such that users and groups on
+the Windows PDC also exist as valid users and groups on the Unix
+system. The extension applies to the entire Unix system and allows
+users who are members of a Windows domain to perform any action on
+the Unix system that a local user would, including logging in to the
+Unix system by <em class="emphasis">telnet</em> or even on the local
+system, using their domain usernames and passwords.</p>
+
+<p>When winbind is in use, administration of user accounts can be done
+on the Windows PDC, without having to repeat the tasks on the Unix
+side. This includes password expiration and allowing users to change
+their passwords, which would otherwise not be practical. Aside from
+simplifying domain administration and being a great time saver,
+winbind lets Samba be used in computing environments where it
+otherwise might not be allowed.</p>
+<a name="samba2-CHP-9-NOTE-143"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Because this is a chapter on security, we want to point out that some
+issues might relate to allowing a Windows system to authenticate
+users accessing a Unix system! Whatever you might think of the
+relative merits of Unix and Windows security models (and even more
+importantly, their <em class="emphasis">implementations</em>), one thing
+is certain: adding winbind support to your Samba server greatly
+complicates the authentication system overall&mdash;and quite
+possibly allows more opportunities for crackers.</p>
+
+<p>We present winbind in this chapter not as a means of improving
+security, but rather as a further example of Samba's
+ability to integrate itself into a modern Windows environment.</p>
+</blockquote>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.1"/>
+
+<h3 class="head2">Installing winbind</h3>
+
+<p><a name="INDEX-100"/>Installing
+and configuring winbind is fairly complicated and involves the
+following steps:</p>
+
+<ol><li>
+<p>Reconfigure, recompile, and reinstall Samba&mdash;to add support for
+winbind.</p>
+</li><li>
+<p>Configure the Unix name server switch.</p>
+</li><li>
+<p>Modify the Samba configuration file.</p>
+</li><li>
+<p>Start and test the <em class="emphasis">winbindd</em> daemon.</p>
+</li><li>
+<p>Configure the system to start and stop the
+<em class="emphasis">winbindd</em> daemon automatically.</p>
+</li><li>
+<p>Optionally, configure PAM for use with winbind.</p>
+</li></ol>
+<p>At the time this book was written, winbind was supported only on
+Linux, so all of the following directions are specific to it. Other
+Unix flavors might be supported at a later time. In addition, we
+assume you have a Windows NT/2000 primary domain controller running
+on your network.</p>
+
+<p>First, you will need to configure and compile Samba using the
+<tt class="literal">--with-winbind</tt> configure option. Directions for
+doing this are included in <a href="ch02.html">Chapter 2</a> in <a href="ch02.html#samba2-CHP-2-SECT-3">Section 2.3</a>. As usual, run
+<em class="emphasis">make install</em> to reinstall the Samba binaries.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.2"/>
+
+<h3 class="head2">Configuring nsswitch</h3>
+
+<p><a name="INDEX-101"/>When
+Samba is compiled after being configured with the
+<tt class="literal">--with-winbind</tt> option, the compilation process
+produces a library called
+<em class="filename">libnss_winbind.so</em><a name="INDEX-102"/> in the
+<em class="filename">source/nsswitch</em> directory. This library needs to
+be copied to the <em class="filename">/lib</em> directory:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cp nsswitch/libnss_winbind.so /lib</b></tt></pre></blockquote>
+
+<p>Also, a symbolic link must be created for winbind to be fully
+functional:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</b></tt></pre></blockquote>
+
+<a name="samba2-CHP-9-NOTE-144"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The name of this symbolic link is correct for Samba 2.2.3 and Red Hat
+7.1. The name might change&mdash;with a higher version number in the
+extension&mdash;in future releases. See the
+<em class="emphasis">winbindd</em> manual page for details.</p>
+</blockquote>
+
+<p>Next, we need to modify <em class="filename">/etc/nsswitch.conf</em> to
+make the lines for <tt class="literal">passwd</tt> and
+<tt class="literal">group</tt> look like this:</p>
+
+<blockquote><pre class="code">passwd:     files winbind
+group:      files winbind</pre></blockquote>
+
+<p>Then activate these changes by issuing the following command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/sbin/ldconfig</b></tt></pre></blockquote>
+
+<p>What we've just done is reconfigure the Linux name
+service switch, which allows name service and other tasks to be
+configured to use the traditional method (files in the
+<em class="filename">/etc</em> directory) or an extension coded in a
+library, such as the <em class="filename">libnss_winbind.so</em> library
+we've just installed. We've
+specified in our configuration that Samba will search for user and
+group information first in the <em class="filename">/etc/passwd</em> and
+<em class="filename">/etc/group files</em>, and if they are not found
+there, in the winbind service.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.3"/>
+
+<h3 class="head2">Modifying smb.conf</h3>
+
+<p><a name="INDEX-103"/><a name="INDEX-104"/>To use winbind, we must have our Samba
+server added to the Windows NT domain as a domain member server (as
+we described in <a href="ch04.html">Chapter 4</a>) and also add some
+parameters to the Samba configuration file to configure winbind. In
+addition to the options required to configure Samba as a domain
+member server, we need:</p>
+
+<blockquote><pre class="code">[global]
+    winbind uid = 10000-20000
+    winbind gid = 10000-20000</pre></blockquote>
+
+<p>The <tt class="literal">winbind</tt> <tt class="literal">uid</tt> and
+<tt class="literal">winbind</tt> <tt class="literal">gid</tt> options tell
+winbind how to map between Windows relative identifiers (RIDs) and
+Unix UIDs and GIDs. Windows uses RIDs to identify users and groups
+within the domain, and to function, the Unix system must have a UID
+and GID associated with every user and group RID that is received
+from the Windows primary domain controller. The
+<tt class="literal">winbind</tt> <tt class="literal">uid</tt> and
+<tt class="literal">winbind</tt> <tt class="literal">gid</tt> parameters simply
+provide winbind with a range of UIDs and GIDs, respectively, that are
+allocated by the system administrator for Windows NT domain users and
+groups. You can use whatever range you want for each; just make sure
+the lowest number in the range does not conflict with any entries in
+your <em class="filename">/etc/passwd</em> or
+<em class="filename">/etc/group</em> files at any time, either now or in
+the future. It is important to be conservative about this. Once
+winbind adds an RID to UID/GID mapping to its database, it is very
+difficult to modify the mapping.</p>
+<a name="samba2-CHP-9-NOTE-145"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p><a name="INDEX-105"/>The file
+<em class="filename">/usr/local/samba/locks/winbindd_idmap.tdb</em>
+contains winbind's RID mapping file by default. We
+suggest you regard this file as extremely sensitive and make sure to
+guard it carefully against any kind of harm or loss. If you lose it,
+you will have to re-create it manually, which can be a very
+labor-intensive task.</p>
+</blockquote>
+
+<a name="samba2-CHP-9-NOTE-145a"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>Be careful when adding local users after domain users have started
+accessing the Samba server. The domain users will have entries
+created for them by winbind in <em class="filename">/etc/passwd,</em> with
+UIDs in the range you specify. If you are using a method of creating
+new accounts that automatically assigns UIDs, it might choose UIDs by
+adding 1 to the highest UID assigned thus far, which will be the most
+recent UID added by winbind. (This is the case on Red Hat Linux, with
+the <em class="emphasis">useradd</em> script, for example.) The UID for
+the new local user will be within the range allocated for winbind,
+which will have undesired effects. Make sure to add new local users
+using a method that assigns them UIDs in the proper range. For
+example, you can use the <em class="emphasis">-u</em> option of
+<em class="emphasis">useradd</em> to specify the UID to assign to the new
+user.</p>
+</blockquote>
+
+<p>Restart the Samba daemons to put your changes to the configuration
+file into effect. If you have not already done so while adding your
+Samba server as a domain member server, you must issue the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j </b></tt><em class="replaceable">domain</em><tt class="userinput"><b> -r </b></tt><em class="replaceable">pdc</em><tt class="userinput"><b> -U Administrator</b></tt></pre></blockquote>
+
+<p>as we described in <a href="ch04.html">Chapter 4</a>. At this point, you
+can start the <em class="emphasis">winbindd</em> daemon:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>winbindd</b></tt></pre></blockquote>
+
+<p><a name="INDEX-106"/>You might want to
+run a <em class="emphasis">ps ax</em> command to see that the
+<em class="emphasis">winbindd</em> daemon is running. Now, to make sure
+everything we've done up to this point works, we can
+use Samba's <em class="emphasis">wbinfo</em> command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -u</b></tt>
+METRAN\Administrator
+METRAN\bebe
+METRAN\Guest
+METRAN\jay
+METRAN\linda
+$ <tt class="userinput"><b>wbinfo -g</b></tt>
+METRAN\Domain Admins
+METRAN\Domain Guests
+METRAN\Domain Users</pre></blockquote>
+
+<p>The <em class="emphasis">-u</em> option queries the domain controller for
+a list of domain users, and the <em class="emphasis">-g</em> option asks
+for the list of groups. The output shows that the Samba host system
+can query the Windows PDC through winbind.</p>
+
+<p>Another thing to check is the list of users and groups, using the
+<em class="emphasis">getent</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>getent passwd</b></tt>
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:
+daemon:x:2:2:daemon:/sbin:
+    <i class="lineannotation">... deleted ...</i>
+jay:x:500:500:Jay Ts:/home/jay:/bin/bash
+rik:x:501:501::/home/rik:/bin/bash
+METRAN\Administrator:x:10000:10000::/home/METRAN/administrator:/bin/bash
+METRAN\bebe:x:10001:10000:Bebe Larta:/home/METRAN/bebe:/bin/bash
+METRAN\Guest:x:10002:10000::/home/METRAN/guest:/bin/bash
+METRAN\jay:x:10003:10000:Jay Ts:/home/METRAN/jay:/bin/bash
+METRAN\linda:x:10004:10000:Linda Lewis:/home/METRAN/linda:/bin/bash
+
+# getent group
+root:x:0:root
+bin:x:1:root,bin,daemon
+daemon:x:2:root,bin,daemon
+    <i class="lineannotation">... deleted ...</i>
+jay:x:500:
+rik:x:501:
+METRAN\Domain Admins:x:10001:METRAN\Administrator
+METRAN\Domain Guests:x:10002:METRAN\Guest
+METRAN\Domain Users:x:10000:METRAN\Administrator,METRAN\jay,METRAN\linda,METRAN\bebe</pre></blockquote>
+
+<p>This shows that the Linux system is finding the domain users and
+groups through winbind, in addition to those in the
+<em class="filename">/etc/passwd</em> and <em class="filename">/etc/group</em>
+files. If this part doesn't work as shown earlier,
+with the domain users and groups listed after the local ones, check
+to make sure you made the symbolic link to
+<em class="filename">libnss_winbind.so</em> in <em class="filename">/lib</em>
+correctly.</p>
+
+<p>Now you can try connecting to a Samba share from a Windows system
+using a domain account. You can either log on to the domain from a
+Windows NT/2000/XP workstation or use <em class="emphasis">smbclient</em>
+with the <em class="emphasis">-U</em> option to specify a username.</p>
+
+<a name="samba2-CHP-9-NOTE-147"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
+<p>If you get errors while attempting to log on to the domain, it is
+probably because you had previously configured the client system with
+a computer account on another domain controller. Commonly, you get a
+dialog box that says, &quot;The domain
+<em class="replaceable">NAME</em> is not available.&quot;
+On a Windows 2000 system, the fix is to log in to the system as an
+administrative user and open the Control Panel, double-click the
+System icon, click the Network Identification tab, then click the
+Properties button. In the dialog that comes up, click the
+&quot;Workgroup:&quot; radio button and fill
+in the name of the workgroup (you can use the same name as the
+domain). Click the OK buttons in the dialogs, and reboot if
+requested.</p>
+
+<p>This removes the computer account from the primary domain controller.
+Now log in again as the administrative user and repeat the previous
+directions, but change from the workgroup back to the domain. This
+creates a new computer account that
+&quot;fits&quot; the workstation to the new
+primary domain controller. If your network has backup domain
+controllers, it will take up to 15 minutes for the new computer
+account to propagate to the BDCs.</p>
+
+<p>If you are using Windows NT/XP, the method is slightly different. For
+the exact procedure, see the section in <a href="ch04.html">Chapter 4</a>
+that is specific to your Windows version.</p>
+</blockquote>
+
+<p>After logging in as a domain user, try creating a file or two in a
+Samba share. (You might need to change the permissions on the shared
+directory&mdash;say, to 777&mdash;to allow this access. This is very
+permissive, but after you finish reading this section, you will
+understand how to change ownership and permissions on the directory
+to restrict access to selected domain users.) After
+you've created files by one or more domain users,
+take a look at the directory's contents from a Linux
+shell. You will see something like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /u</b></tt>
+-rwxrw-rw-    1 METRAN\b METRAN\D        0 Apr 13 00:00 bebes-file.doc
+-rwxrw-rw-    1 METRAN\l METRAN\D        0 Apr 12 23:58 lindas-file.doc
+drwxrwxr-x    6 jay      jay          4096 Jan 15 05:12 snd
+<b class="emphasis-bold">$ ls -ln /u</b>
+total 4
+-rwxrw-rw-    1 10001    10000           0 Apr 13 00:00 bebes-file.doc
+-rwxrw-rw-    1 10004    10000           0 Apr 12 23:58 lindas-file.doc
+drwxrwxr-x    6 500      500          4096 Jan 15 05:12 snd</pre></blockquote>
+
+<p>We can even use the domain usernames and groups from the Linux shell:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /u</b></tt>
+# <tt class="userinput"><b>ls -ldu /u</b></tt>
+drwxrwxrwx    3 METRAN\l METRAN\D     4096 Apr 13 00:44 /u
+# <tt class="userinput"><b>ls -ldn /u</b></tt>
+drwxrwxrwx    3 10004    10000        4096 Apr 13 00:00 /u</pre></blockquote>
+
+<p>Notice how the owner and group are listed as being those of the
+domain user and group. Unfortunately, the GNU <em class="emphasis">ls</em>
+command won't show the full names of the domain
+users and groups, but we can use the <em class="emphasis">-ln</em> listing
+to show the UIDs and GIDs and then translate with the
+<em class="emphasis">wbinfo</em> command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -s `wbinfo -U 10004`</b></tt>
+METRAN\LINDA 1
+$ <tt class="userinput"><b>wbinfo -s `wbinfo -G 10000`</b></tt>
+METRAN\Domain Users 2</pre></blockquote>
+
+<p>(It's a bit messy, but it works, and it shows that
+the winbind system is working!) At this point, you might want to
+modify your <em class="filename">/etc/rc.d/init.d/smb</em> script to start
+and stop the <em class="emphasis">winbindd</em> daemon automatically along
+with the <em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>
+daemons. Starting with the script we presented in <a href="ch02.html">Chapter 2</a>, we first add this code to the
+<em class="emphasis">start( )</em> function:</p>
+
+<blockquote><pre class="code">echo -n $&quot;Starting WINBIND services: &quot;
+/usr/local/samba/bin/winbindd
+ERROR2=$?
+if [ $ERROR2 -ne 0 ]
+then
+    ERROR=1
+fi
+echo</pre></blockquote>
+
+<p>The previous code should be located after the code that starts
+<em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em>
+statement.</p>
+
+<a name="samba2-CHP-9-NOTE-148"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>We start <em class="emphasis">winbindd</em> after
+<em class="emphasis">nmbd</em> because <em class="emphasis">winbindd</em> needs
+<em class="emphasis">nmbd</em> to be running to work properly.</p>
+</blockquote>
+
+<p>In the <tt class="function">stop( )</tt> function, we add the following:</p>
+
+<blockquote><pre class="code">echo -n $&quot;Shutting down WINBIND services: &quot;
+/bin/kill -TERM -a winbindd
+ERROR2=$?
+if [ $ERROR2 -ne 0 ]
+then
+    ERROR=1
+fi
+echo</pre></blockquote>
+
+<p>Again, this code should be located after the code that stops
+<em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em>
+statement. <a name="INDEX-107"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.4"/>
+
+<h3 class="head2">Configuring PAM</h3>
+
+<p><a name="INDEX-108"/>Most
+popular Linux distributions use <a name="INDEX-109"/>Pluggable
+Authentication Modules (PAM), a suite of shared libraries that
+provide a centralized source of authentication for applications
+running on the Unix system. PAM can be configured differently for
+each application (or service) that uses it, without needing to
+recompile the application. As a hypothetical example, if an
+organization's security policy mandated the use of
+passwords exactly 10 characters in length, a PAM module could be
+written to check the length of passwords submitted by users and
+reject any attempts to use a longer or shorter password. PAM would
+then be reconfigured to include the new module for services such as
+<em class="emphasis">ftp</em>, console login, and GUI login that call upon
+PAM to authenticate users.</p>
+
+<p>If you are not already familiar with PAM, we suggest you read the
+documentation provided with the Linux PAM package before continuing.
+On most Linux systems, it is located in the
+<em class="filename">/usr/share/doc</em> directory hierarchy. Another
+resource is the <em class="citetitle">Linux-PAM System
+Administrator's
+Guide</em><a name="INDEX-110"/>, which you can find
+on the Internet at <a href="http://www.kernel.org/pub/linux/libs/pam">http://www.kernel.org/pub/linux/libs/pam</a>.</p>
+
+<p>The rest of this section is about using the PAM module provided in
+the Samba distribution to enable Windows domain users to authenticate
+on the Linux system hosting Samba. Depending on which services you
+choose to configure, this allows Windows domain users to log in on a
+local console (or through <em class="emphasis">telnet</em>), log in to a
+GUI desktop on the Linux system, authenticate with an FTP server
+running on the Linux system, or use other services normally limited
+to users who have an account on the Linux system. The PAM module
+authenticates Windows domain users by querying winbind, which passes
+the authentication off to a Windows NT domain controller.</p>
+
+<p>As an example, we will show how to allow Windows domain users to log
+in to a text console on the Linux system and get a command shell and
+home directory. The method used in our example can be applied (with
+variations) to other services.</p>
+
+<p>All users who can log in to the Linux system need a shell and a home
+directory. Unix and Linux keep this user information in the password
+file (<em class="filename">/etc/passwd</em> ), but information about
+Windows users isn't located there. Instead, in the
+Samba configuration file, we add the following to notify winbind what
+the shell and home directory for Windows domain users will be:</p>
+
+<blockquote><pre class="code">[global]
+    template shell = /bin/bash
+    template homedir = /home/%D/%U</pre></blockquote>
+
+<p>The first line sets the
+<tt class="literal">template</tt><a name="INDEX-111"/> <tt class="literal">shell</tt>
+parameter, which tells winbind what shell to use for domain users
+that are logging in to the Unix host. The
+<tt class="literal">template</tt><a name="INDEX-112"/>
+<tt class="literal">homedir</tt> parameter specifies the location of
+users' home directories. The <tt class="literal">%D</tt>
+variable is replaced by the name of the domain in which the
+user's account resides, and <tt class="literal">%U</tt> is
+replaced by the user's username in that domain.</p>
+
+<p>Before the domain users can successfully log in, their home
+directories must be created manually. To add a single account for
+<tt class="literal">linda</tt> in the METRAN domain, we would use these
+commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/METRAN</b></tt>
+# <tt class="userinput"><b>chmod 755 /home/METRAN</b></tt>
+
+# <tt class="userinput"><b>mkdir /home/METRAN/linda</b></tt>
+# <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /home/METRAN/linda</b></tt>
+# <tt class="userinput"><b>chmod 700 /home/METRAN/linda</b></tt></pre></blockquote>
+<a name="samba2-CHP-9-NOTE-149"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>One side effect of creating the home directories is that if the Samba
+server is configured with a <tt class="literal">[homes]</tt> share, the
+domain users can see and access their home directories through
+Samba's file sharing.</p>
+</blockquote>
+
+<p>Next, we need to compile and install the PAM module in the Samba
+distribution. From the source directory in the Samba distribution,
+issue the following commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>make nsswitch/pam_winbind.so</b></tt>
+# <tt class="userinput"><b>cp nsswitch/pam_winbind.so /lib/security</b></tt></pre></blockquote>
+
+<p>and check that it was copied over correctly:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ls /lib/security/pam_winbind.so</b></tt>
+/lib/security/pam_winbind.so</pre></blockquote>
+
+<p>On Red Hat Linux, the PAM configuration files reside in
+<em class="filename">/etc/pam.d</em>. Before making any modifications, we
+strongly advise making a backup of this directory:</p>
+
+<blockquote><pre class="code"># cp -pR /etc/pam.d /etc/pam.d.backup</pre></blockquote>
+
+<p>The reason for this is that we will be modifying the Linux
+system's means of authenticating logins, and if our
+configuration goes awry, all users (including
+<tt class="literal">root</tt>) will be locked out of the system. In case
+the worst happens, we would reboot into single-user mode (by typing
+<tt class="literal">linux</tt> <tt class="literal">single</tt> at the LILO:
+prompt) or boot a rescue disk, and then we would issue these two
+commands:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>mv /etc/pam.d /etc/pam.d.bad</b></tt>
+# <tt class="userinput"><b>mv /etc/pam.d.backup /etc/pam.d</b></tt></pre></blockquote>
+
+<p>Be very careful to make sure you can recover from any errors you make
+because when PAM encounters any configuration information it
+doesn't understand, its action is not to allow
+access. This means you must be sure to enter everything correctly!
+You might want to leave yourself logged in as root on a spare virtual
+terminal while you are modifying your PAM configuration to ensure
+yourself a means of easy recovery.</p>
+
+<p>In the <em class="filename">/etc/pam.d</em> directory, you will encounter
+a file for each service that uses PAM. We are interested only in the
+file corresponding to the login service, which is called
+<em class="filename">login</em>. It contains the following lines:</p>
+
+<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
+auth       required     /lib/security/pam_stack.so service=system-auth
+auth       required     /lib/security/pam_nologin.so
+account    required     /lib/security/pam_stack.so service=system-auth
+password   required     /lib/security/pam_stack.so service=system-auth
+session    required     /lib/security/pam_stack.so service=system-auth
+session    optional     /lib/security/pam_console.so</pre></blockquote>
+
+<p>The lines starting with <tt class="literal">auth</tt> are related to the
+function of authentication&mdash;that is, printing a password prompt,
+accepting the password, verifying that it is correct, and matching
+the user to a valid user and group ID. The line starting with
+<tt class="literal">account</tt> is for account management, which allows
+access to be controlled by other factors, such as what times during
+the day a user is allowed access. We are not concerned with the lines
+starting with <tt class="literal">password</tt> or
+<tt class="literal">session</tt> because winbind does not add to either of
+those functions.</p>
+
+<p>The third column lists the PAM module, possibly with arguments, that
+is called in for the task. The
+<em class="filename">pam_stack.so</em><a name="INDEX-113"/> module has been added by Red Hat to act
+somewhat like a macro or a subroutine. It calls the file in the
+<em class="filename">pam.d</em> directory named by the service argument.
+In this case, the file <em class="filename">/etc/pam.d/system-auth</em>
+contains a common set of lines that are used as a default for many
+services. Because we want to customize the login service for winbind,
+we first replace the <em class="filename">pam_stack.so</em> lines for
+<tt class="literal">auth</tt> and <tt class="literal">account</tt> with the
+<tt class="literal">auth</tt> and <tt class="literal">account</tt> lines from
+<em class="filename">/etc/pam.d/system-auth</em>. This yields:</p>
+
+<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
+<b class="emphasis-bold">auth       required     /lib/security/pam_env.so</b>
+<b class="emphasis-bold">auth       sufficient   /lib/security/pam_unix.so likeauth nullok</b>
+<b class="emphasis-bold">auth       required     /lib/security/pam_deny.so</b>
+auth       required     /lib/security/pam_nologin.so
+<b class="emphasis-bold">account    required     /lib/security/pam_unix.so</b>
+password   required     /lib/security/pam_stack.so service=system-auth
+session    required     /lib/security/pam_stack.so service=system-auth
+session    optional     /lib/security/pam_console.so</pre></blockquote>
+
+<p>To add winbind support, we need to add a line in both the
+<tt class="literal">auth</tt> and <tt class="literal">account</tt> sections to
+call the
+<em class="filename">pam_winbind.so</em><a name="INDEX-114"/> module:</p>
+
+<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
+auth       required     /lib/security/pam_env.so
+<b class="emphasis-bold">auth       sufficient   /lib/security/pam_winbind.so</b>
+auth       sufficient   /lib/security/pam_unix.so <b class="emphasis-bold">use_first_pass</b> likeauth nullok
+auth       required     /lib/security/pam_deny.so
+auth       required     /lib/security/pam_nologin.so
+<b class="emphasis-bold">account    sufficient   /lib/security/pam_winbind.so</b>
+account    required     /lib/security/pam_unix.so
+password   required     /lib/security/pam_stack.so service=system-auth
+session    required     /lib/security/pam_stack.so service=system-auth
+session    optional     /lib/security/pam_console.so</pre></blockquote>
+
+<p>The keywords <tt class="literal">required</tt> and
+<tt class="literal">sufficient</tt> in the second column are significant.
+The keyword <tt class="literal">required</tt> specifies that the result
+returned by the module (either to pass or fail the authentication)
+must be taken into account, whereas the keyword
+<tt class="literal">sufficient</tt> specifies that if the module
+successfully authenticates the user, no further lines need to be
+processed. By specifying <tt class="literal">sufficient</tt> for the
+<em class="filename">pam_winbind.so</em> module, we let winbind attempt to
+authenticate users, and if it succeeds, the PAM system returns to the
+application. If the <em class="filename">pam_winbind.so</em> module
+doesn't find the user or the password does not
+match, the PAM system continues with the next line, which performs
+authentication according to the usual Linux user authentication. This
+way, both domain users and local users can log in.</p>
+
+<p>Notice that we also added the <tt class="literal">use_first_pass</tt>
+argument to the <em class="filename">pam_unix.so</em> module in the
+<tt class="literal">auth</tt> section. By default, both the
+<em class="filename">pam_winbind.so</em> and
+<em class="filename">pam_unix.so</em> modules print a password prompt and
+accept a password. In cases where users are logging in to the Linux
+system using their local accounts, this would require them to enter
+their password twice. The <tt class="literal">user_first_pass</tt> argument
+tells the <em class="filename">pam_unix.so</em> module to reuse the
+password that was given to the <em class="filename">pam_winbind.so</em>
+module, which results in users having to enter the password only
+once.</p>
+
+<p>After modifying the <em class="filename">login</em> configuration file,
+switch to a spare virtual console and make sure you can still log in
+using a regular Linux account. If not, check your modifications
+carefully and try again until you get it right. Then log in using a
+domain user account from the Windows PDC database to check that the
+winbind authentication works. You will need to specify the username
+in <em class="replaceable">DOMAIN</em>\<em class="replaceable">user</em>
+format, like this:</p>
+
+<blockquote><pre class="code">login: METRAN\linda
+Password:</pre></blockquote>
+
+<p>More information on configuring winbind can be found in the Samba
+source distribution file
+<em class="filename">docs/htmldocs/winbind.html</em>, and in the
+<em class="emphasis">winbindd</em> manual page. If you would like to learn
+more about configuring PAM, we recommend the web page <a href="http://www.kernel.org/pub/linux/libs/pam/">http://www.kernel.org/pub/linux/libs/pam/</a> as
+a starting place. Some of the documentation for Linux PAM, including
+Red Hat's extensions, can also be found on Red Hat
+Linux in
+<em class="filename">/usr/share/doc/pam-</em><em class="replaceable">version</em>.
+<a name="INDEX-115"/></p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-9-SECT-5.5"/>
+
+<h3 class="head2">winbind Configuration Options</h3>
+
+<p><a href="ch09.html#samba2-CHP-9-TABLE-9">Table 9-9</a> <a name="INDEX-116"/><a name="INDEX-117"/>summarizes some commonly used options
+that you can use to configure winbind.</p>
+
+<a name="samba2-CHP-9-TABLE-9"/><h4 class="head4">Table 9-9. winbind options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">winbind</tt> <tt class="literal">separator</tt></p>
+</td>
+<td>
+<p>string (single character)</p>
+</td>
+<td>
+<p>Character to use as a separator in domain usernames and group names</p>
+</td>
+<td>
+<p>Backslash (<tt class="literal">\</tt>)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">winbind uid</tt></p>
+</td>
+<td>
+<p>string (numeric range)</p>
+</td>
+<td>
+<p>Range of UIDs for RID-to-UID mapping</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">winbind gid</tt></p>
+</td>
+<td>
+<p>string (numeric range)</p>
+</td>
+<td>
+<p>Range of GIDs for RID-to-GID mapping</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">winbind cache time</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Number of seconds the <em class="emphasis">winbindd</em> daemon caches
+user and group data</p>
+</td>
+<td>
+<p><tt class="literal">15</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">template</tt> <tt class="literal">homedir</tt></p>
+</td>
+<td>
+<p>string (directory name)</p>
+</td>
+<td>
+<p>Directory to be used as the home directory of the logged-in domain
+user</p>
+</td>
+<td>
+<p><tt class="literal">/home/%D/%U</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">template</tt> <tt class="literal">shell</tt></p>
+</td>
+<td>
+<p>string (command name)</p>
+</td>
+<td>
+<p>The program to use as the logged-in domain user's
+shell</p>
+</td>
+<td>
+<p><tt class="literal">/bin/false</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.1"/>
+
+<a name="INDEX-118"/><h3 class="head3">winbind separator</h3>
+
+<p>On Windows systems, the backslash (<tt class="literal">\</tt>) is commonly
+used as a separator in file names, UNCs, and the names of domain
+users and groups. For example, an account in the METRAN domain with a
+username of <tt class="literal">linda</tt> would be written as
+<tt class="literal">METRAN\linda</tt>. On Unix systems, the backslash is
+commonly used as a metacharacter for quoting, so the account would
+have to be specified as <tt class="literal">METRAN\\linda</tt> or
+'<tt class="literal">METRAN\linda</tt>'. The winbind separator parameter
+allows another character to be used instead of the backslash
+character, making it much easier to type in domain user and group
+names. For example, with:</p>
+
+<blockquote><pre class="code">[global]
+    winbind separator = +</pre></blockquote>
+
+<p>the aforementioned account could be written simply as
+<tt class="literal">METRAN+linda</tt> on the Unix host, making it
+unnecessary to use additional backslashes or single quotes. Winbind
+then uses the same format for reporting domain user and group names.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.2"/>
+
+<a name="INDEX-119"/><h3 class="head3">winbind uid</h3>
+
+<p>As part of <em class="emphasis">winbindd</em> 's task of
+letting Windows NT domain users function as local users on the Unix
+host, <em class="emphasis">winbindd</em> supplies a Unix UID that is
+linked to the Windows RID of the domain user. The
+<tt class="literal">winbind</tt> <tt class="literal">uid</tt> parameter allows
+the Unix system administrator to allocate a range of UIDs for this
+purpose. It is very important that this range not overlap any UIDs
+used for other purposes on the Unix system, so we recommend you begin
+your range at a very high number, one much larger than the number of
+local users and NIS users that will ever exist. For example,
+<tt class="literal">winbind</tt> <tt class="literal">uid</tt> might be defined
+as:</p>
+
+<blockquote><pre class="code">[global]
+    winbind uid = 10000-15000</pre></blockquote>
+
+<p>on a system that would never have more than 9,999 local and NIS
+users, or for that matter, any other entries in
+<em class="filename">/etc/passwd</em> that would use up another UID.
+Because the example allocates 5,000 UIDs to
+<em class="emphasis">winbindd</em>, the assumption is that there will
+never be more than 5,000 domain users accessing the Samba host.</p>
+
+<p>If your method for adding new local users to the system assigns UIDs
+automatically, make sure it does not assign them within the range of
+UIDs allocated to winbind. This might happen if the algorithm used
+adds 1 to the highest UID assigned thus far.</p>
+
+<p>There is no default for <tt class="literal">winbind</tt>
+<tt class="literal">uid</tt>, so you must specify it in your Samba
+configuration file for winbind to work.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.3"/>
+
+<a name="INDEX-120"/><h3 class="head3">winbind gid</h3>
+
+<p>This option works like <tt class="literal">winbind</tt>
+<tt class="literal">uid</tt>, except that it is for allocating a range of
+GIDs for use with <em class="emphasis">winbindd</em>. You might not need
+to allocate as many GIDs as UIDs because you probably have relatively
+few domain groups that need corresponding GIDs. (In many cases, users
+are all members of the Domain Users group, requiring only one GID.)
+However, it is best to play it safe, so make sure to allocate many
+more GIDs than you think you will need.</p>
+
+<p>As with <tt class="literal">winbind</tt> <tt class="literal">uid</tt>, if you are
+using a method of adding new local users to your Unix host that
+automatically assigns GIDs, either make sure the method used
+doesn't conflict with winbind or set the GIDs
+manually.</p>
+
+<p>There is no default for <tt class="literal">winbind</tt>
+<tt class="literal">gid</tt>, so you must specify it in your Samba
+configuration file for winbind to work.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.4"/>
+
+<a name="INDEX-121"/><h3 class="head3">winbind cache time</h3>
+
+<p>The <em class="emphasis">winbindd</em> daemon maintains a cache of user
+and group data that has been retrieved from the Windows PDC to reduce
+network queries and increase performance. The
+<tt class="literal">winbind</tt> <tt class="literal">cache</tt>
+<tt class="literal">time</tt> parameter allows the amount of time (in
+seconds) <em class="emphasis">winbindd</em> can use the cached data before
+querying the PDC to check for an update. By default, this interval is
+set to 15 seconds. This means that when any part of a user or group
+account on the PDC is modified, it can take up to 15 seconds for
+<em class="emphasis">winbindd</em> to update its own database.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.5"/>
+
+<a name="INDEX-122"/><h3 class="head3">template homedir</h3>
+
+<p>When the local Unix system is configured to allow domain users to log
+in, the user must be provided with a home directory for many
+programs, including command shells, to function properly. The
+<tt class="literal">template</tt> <tt class="literal">homedir</tt> option is used
+to set the name of the home directory. In the name of the directory,
+<tt class="literal">%D</tt> is replaced by the name of the Windows NT
+domain the user is in, and <tt class="literal">%U</tt> is replaced by his
+username. By default, <tt class="literal">template</tt>
+<tt class="literal">homedir</tt> is set to <tt class="literal">/home/%D/%U</tt>,
+which works fine for a network in which there might be more than one
+Windows NT domain, and it is possible for different people in
+different domains to have the same username. If you are sure you will
+never have more than one Windows NT domain on your network, or you
+have more than one domain but know for sure that unique users have
+identical usernames in each multiple domain, you might prefer to set
+<tt class="literal">template</tt> <tt class="literal">homedir</tt> like this:</p>
+
+<blockquote><pre class="code">[global]
+    template homedir = /home/%U</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.6"/>
+
+<a name="INDEX-123"/><h3 class="head3">template shell</h3>
+
+<p>This option specifies the program to use as the shell for domain
+users who are logged in to the Unix host. By default, it is set to
+<em class="emphasis">/bin/false</em>, which effectively denies domain
+users to log in. If you wish to allow logins for domain users, set
+<tt class="literal">template</tt> <tt class="literal">shell</tt> to a valid
+command shell (or other program) that you want to act as the textual
+interface the domain users will receive when logged in. A common
+setting on Linux would be:</p>
+
+<blockquote><pre class="code">[global]
+    template shell = /bin/bash</pre></blockquote>
+
+<p>which would give users the Bash shell for their interactive login
+sessions. <a name="INDEX-124"/><a name="INDEX-125"/> <a name="INDEX-126"/><a name="INDEX-127"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> Having both encrypted and nonencrypted
+password clients on your network is one of the reasons why Samba
+allows you to include (or not include) various options in the Samba
+configuration file based on the client operating system or machine
+name variables.</p> <a name="FOOTNOTE-2"/>
+<p><a href="#FNPTR-2">[2]</a> This is because the Unix <em class="emphasis">passwd</em> program,
+which is the usual target for this operation, allows
+<tt class="literal">root</tt> to change a user's password
+without the security restriction that requests the old password of
+that user.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch10.html b/docs/htmldocs/using_samba/ch10.html
new file mode 100644
index 0000000000..7ba29b1e95
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch10.html
@@ -0,0 +1,1695 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 10. Printing</h1>
+
+
+
+<p><a name="INDEX-1"/>This
+chapter tackles the topic of setting up printers for use with Samba.
+Aside from the &quot;coolness factor&quot; of
+seeing documents from Windows word processing and graphics
+applications appearing in the output tray of the Unix printer, this
+facility can greatly increase the usefulness of your Samba server. In
+many organizations, using a Unix system as the print server has led
+to happier system administrators and users alike, due to the reduced
+frequency of problems.</p>
+
+<p>Samba allows client machines to share printers connected to the Samba
+host system, and Samba can also send Unix documents to printers
+shared by Windows systems. In this chapter, we discuss how to get
+printers configured to work in either direction.</p>
+
+<p>We focus in this chapter on getting Samba to serve up printers that
+are already functioning on the Unix host. We include just a few
+basics about setting up printers on Unix. Good references for this
+topic include <em class="citetitle">Network Printing</em>,
+<em class="citetitle">Essential System Administration</em>, and
+<em class="citetitle">Running Linux</em>, all by
+O'Reilly and Associates.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-10-SECT-1"/>
+
+<h2 class="head1">Sending Print Jobs to Samba</h2>
+
+<p><a name="INDEX-2"/>A
+printer shared by the Samba server shows up in the list of shares
+offered in the Network Neighborhood. If the printer is registered on
+the client machine and the client has the correct printer driver
+installed, the client can effortlessly send print jobs to a printer
+attached to a Samba server. <a href="ch10.html#samba2-CHP-10-FIG-1">Figure 10-1</a> shows a
+Samba printer as it appears in the Network Neighborhood of a Windows
+client.</p>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-1"/><img src="figs/sam2_1001.gif"/></div><h4 class="head4">Figure 10-1. A Samba printer in the Network Neighborhood</h4>
+
+<p>To administer printers with Samba, you should understand the basic
+process by which
+<a name="INDEX-3"/>printing
+takes place on a network. On the client system, the application
+software prints by utilizing the system's printer
+driver for the printer that will be creating the actual output. It is
+the printer driver software running on the client system that
+translates the application's high-level calls into a
+stream of binary data specific to the model of printer in use. In the
+case of a serial, parallel, or USB printer, the data is stored in a
+temporary file in the local system's printer queue
+and then sent through the respective port directly to the printer.
+For a network printer, the file is sent over the network.</p>
+
+<a name="samba2-CHP-10-NOTE-150"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Because the data has already been processed through a printer driver
+by the time it reaches the Samba host, make sure the printer on the
+Unix system is configured without any printer driver and that it will
+print whatever data it receives in raw form. If you already have the
+printer configured for use by Unix applications, you might need to
+set up another queue for it to print documents received from Windows
+clients correctly.</p>
+</blockquote>
+
+<p>Sending a <a name="INDEX-4"/>print job to a printer on a
+<a name="INDEX-5"/>Samba server involves four steps:</p>
+
+<ol><li>
+<p>Opening and authenticating a connection to the printer share</p>
+</li><li>
+<p>Copying the file over the network</p>
+</li><li>
+<p>Closing the connection</p>
+</li><li>
+<p>Printing and deleting the copy of the file</p>
+</li></ol>
+<p>When a print job arrives at a Samba server, the print data is
+temporarily written to disk in the directory specified by the
+<tt class="literal">path</tt> option of the printer share. Samba then
+executes a Unix print command to send that datafile to the printer.
+The job is then printed as the authenticated user of the share. Note
+that this can be the guest user, depending on how the share is
+configured.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.1"/>
+
+<h3 class="head2">Print Commands</h3>
+
+<p><a name="INDEX-6"/>To print the
+document, you'll need to inform Samba of the command
+used to print and delete a file. On Linux, which uses a BSD-style
+printing system, a command that does this is:</p>
+
+<blockquote><pre class="code">lpr -r -P<em class="replaceable">printer</em> <em class="replaceable">file</em></pre></blockquote>
+
+<p>This command tells <a name="INDEX-7"/><em class="emphasis">lpr</em> to retrieve the
+name of the printer in the system configuration file
+(<em class="filename">/etc/printcap</em>) and interpret the rules it finds
+there to decide how to process the data and which physical device to
+send it to. Note that because the <em class="emphasis">-r</em> option has
+been specified, the file will be deleted after it has been printed.
+Of course, the file removed is just a copy stored on the Samba
+server; the original document on the client is unaffected.</p>
+
+<p>The process is similar on System V Unix. Here, printing and deleting
+become a compound command:</p>
+
+<blockquote><pre class="code">lp -d<em class="replaceable">printer</em> -s <em class="replaceable">file</em>; rm <em class="replaceable">file</em></pre></blockquote>
+
+<p>In this case, the <em class="filename">/etc/printcap</em> file is replaced
+with a different set of configuration files residing in
+<em class="filename">/usr/spool/lp</em>. Because the
+<em class="emphasis">lp</em> command has no option to delete the file
+after it is printed, we have added the <em class="emphasis">rm</em>
+command.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.2"/>
+
+<h3 class="head2">A Minimal Printing Setup</h3>
+
+<p>Let's start with a simple yet illustrative
+<a name="INDEX-8"/>printing
+share. Assuming that you're on a Linux system and
+you have a printer called <tt class="literal">netprinter</tt> listed in the
+printer capabilities file, the following addition to your
+<em class="filename">smb.conf</em> file makes the printer accessible
+through the network:</p>
+
+<blockquote><pre class="code">[printer1]
+    printable = yes
+    print command = /usr/bin/lpr -P%p -r %s
+    printer = netprinter
+    printing = BSD
+    path = /var/tmp</pre></blockquote>
+
+<p>The variable <tt class="literal">%s</tt> in the
+<tt class="literal">print</tt><a name="INDEX-9"/> <tt class="literal">command</tt>
+option is replaced with the name of the file to be printed when Samba
+executes the command. There are four Samba configuration-file
+variables specifically for use with
+<a name="INDEX-10"/>printing
+options. They are shown in <a href="ch10.html#samba2-CHP-10-TABLE-1">Table 10-1</a>.</p>
+
+<a name="samba2-CHP-10-TABLE-1"/><h4 class="head4">Table 10-1. Printing variables</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Variable</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">%s</tt></p>
+</td>
+<td>
+<p>The full pathname of the file on the Samba server to be printed</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%f</tt></p>
+</td>
+<td>
+<p>The name of the file itself (without the preceding path) on the Samba
+server to be printed</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%p</tt></p>
+</td>
+<td>
+<p>The name of the Unix printer to use</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%j</tt></p>
+</td>
+<td>
+<p>The number of the print job (for use with <tt class="literal">lprm</tt>,
+<tt class="literal">lppause</tt>, and <tt class="literal">lpresume</tt>)</p>
+</td>
+</tr>
+
+</table>
+
+<p>For other flavors of Unix, it is necessary to modify both the
+<tt class="literal">printing</tt> and <tt class="literal">print</tt>
+<tt class="literal">command</tt> options. For System V Unix, we would
+specify:</p>
+
+<blockquote><pre class="code">[printer1]
+    printing = SYSV
+    print command = lp -d%p -s %s; rm %s</pre></blockquote>
+
+<p>With the <tt class="literal">printing</tt> <tt class="literal">=</tt>
+<tt class="literal">SYSV</tt> parameter, we notify Samba that the local
+printing system uses the System V Unix method. As mentioned earlier,
+the <tt class="literal">%p</tt> variable resolves to the name of the
+printer, while the <tt class="literal">%s</tt> variable resolves to the
+name of the file.</p>
+
+<p>Clients might need to request the status of a print job sent to the
+Samba server. Because Samba sends print jobs to the Unix printing
+system for spooling, there might be a number of jobs in the queue at
+any given time. Consequently, Samba needs to communicate to the
+client not only the status of the current printing job, but also
+which documents are waiting to be printed on that printer. Samba also
+has to provide the client the ability to pause print jobs, resume
+print jobs, and remove print jobs from the printing queue. Samba
+provides options for each of these tasks. As you might expect, they
+borrow functionality from the following existing Unix commands:</p>
+
+<ul><li>
+<p><tt class="literal">lpq</tt><a name="INDEX-11"/></p>
+</li><li>
+<p><tt class="literal">lprm</tt><a name="INDEX-12"/></p>
+</li><li>
+<p><tt class="literal">lppause</tt><a name="INDEX-13"/></p>
+</li><li>
+<p><tt class="literal">lpresume</tt><a name="INDEX-14"/></p>
+</li></ul>
+<p>We cover these options in more detail later in this chapter. For the
+most part, Samba provides reasonable default values for them based on
+the value of the <tt class="literal">printing</tt> configuration option, so
+you can probably get by without having to formulate your own commands
+for them.</p>
+
+<p>Here are a few important items to remember about
+<a name="INDEX-15"/>printing shares:</p>
+
+<ul><li>
+<p>You must put
+<tt class="literal">printable</tt><a name="INDEX-16"/> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> in all printer shares (even
+<tt class="literal">[printers]</tt>) so that Samba knows they are printer
+shares. If you forget, the shares will be unusable for printing and
+will instead be treated as disk shares.</p>
+</li><li>
+<p>If you set the <tt class="literal">path</tt> configuration option in the
+printer section, any files sent to the printer(s) will be copied to
+the directory you specify instead of to the default location of
+<em class="filename">/tmp</em>. Because the amount of disk space allocated
+to <em class="filename">/tmp</em> can be relatively small in some Unix
+operating systems, many administrators prefer to use
+<em class="filename">/var/tmp, /var/spool/tmp</em>, or some other
+directory instead.</p>
+</li><li>
+<p>If you set <tt class="literal">guest</tt> <tt class="literal">ok</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in a printer share and
+Samba is configured for share-level security, anyone can send data to
+the printer as the <tt class="literal">guest</tt>
+<tt class="literal">account</tt> user.</p>
+</li></ul>
+<p>Using one or more Samba machines as a print server gives you a great
+deal of flexibility on your LAN. You can easily partition your
+available printers, restricting some to members of one department, or
+you can maintain a bank of printers available to all. In addition,
+you can restrict a printer to a select few by adding the
+<tt class="literal">valid</tt> <tt class="literal">users</tt> option to its share
+definition:</p>
+
+<blockquote><pre class="code">[deskjet]
+    printable = yes
+    path = /var/spool/samba/print
+    valid users = elizabeth cozy jack heather alexander lina emerald</pre></blockquote>
+
+<p>All the other share accessibility options work for printing shares as
+well.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.3"/>
+
+<h3 class="head2">The [printers] Share</h3>
+
+<p>If a share named
+<tt class="literal">[printers]</tt><a name="INDEX-17"/> is in the configuration file,
+Samba will automatically read in your printer capabilities file and
+create a printing share for each printer that appears in the file.
+For example, if the Samba server had <tt class="literal">lp</tt>,
+<tt class="literal">pcl</tt>, and <tt class="literal">ps</tt> printers in its
+printer capabilities file, Samba would provide three printer shares
+with those names, each configured with the options in the
+<tt class="literal">[printers]</tt> share.</p>
+
+<p>Recall that Samba obeys the following rules when a client requests a
+share that has not been created with an explicit share definition in
+the <em class="filename">smb.conf</em> file:</p>
+
+<ul><li>
+<p>If the share name matches a username in the system password file and
+a <tt class="literal">[homes]</tt> share exists, a new share is created
+with the name of the user and is initialized using the values given
+in the <tt class="literal">[homes]</tt> and <tt class="literal">[global]</tt>
+sections.</p>
+</li><li>
+<p>Otherwise, if the name matches a printer in the system printer
+capabilities file and a <tt class="literal">[printers]</tt> share exists, a
+new share is created with the name of the printer and initialized
+using the values given in the <tt class="literal">[printers]</tt> section.
+(Variables in the <tt class="literal">[global]</tt> section do not apply
+here.)</p>
+</li><li>
+<p>If neither of those succeeds, Samba looks for a
+<tt class="literal">default</tt> <tt class="literal">service</tt> share. If none
+is found, it returns an error.</p>
+</li></ul>
+<p>This brings to light an important point: be careful that you do not
+give a printer the same name as a user. Otherwise, users end up
+connecting to a disk share when they might have wanted a printer
+share instead.</p>
+
+<p>Here is an example
+<tt class="literal">[printers]</tt><a name="INDEX-18"/> share for a Linux system. Some of
+these options are already defaults; however, we have listed them
+anyway for illustrative purposes:</p>
+
+<blockquote><pre class="code">[printers]
+    printable = yes
+    printing = BSD
+    printcap name = /etc/printcap
+    print command = /usr/bin/lpr -P%p -r %s
+    path = /var/spool/lpd/tmp
+    min print space = 2000</pre></blockquote>
+
+<p>Here, we've given Samba global options that specify
+the printing type (BSD), a print command to send data to the printer
+and later remove the temporary file, the location of our printer
+capabilities file, and a minimum disk space for printing of 2MB.</p>
+
+<p>In addition, we've created a
+<tt class="literal">[printers]</tt> share for each system printer. Our
+temporary spooling directory is specified by the
+<tt class="literal">path</tt> option:
+<em class="filename">/var/spool/lpd/tmp</em>. Each share is marked as
+printable&mdash;this is a necessary option, even in the
+<tt class="literal">[printers]</tt> section.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.4"/>
+
+<h3 class="head2">Testing the Configuration</h3>
+
+<p><a name="INDEX-19"/>After running
+<em class="emphasis">testparm</em> and restarting the Samba daemons, you
+can check to make sure everything is set up correctly by using
+<em class="emphasis">smbclient</em><a name="INDEX-20"/><a name="INDEX-21"/> to send a file to the printer.
+Connect to the printer using the command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbclient /</b></tt><em class="replaceable">server</em><tt class="userinput"><b>/</b></tt><em class="replaceable">printshare</em></pre></blockquote>
+
+<p>and then use the <em class="emphasis">print</em> command to print a file:</p>
+
+<blockquote><pre class="code">smb: /&gt; <tt class="userinput"><b>print </b></tt><em class="replaceable">textfile</em></pre></blockquote>
+
+<a name="samba2-CHP-10-NOTE-151"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you connect to a print share served by a Windows 95/98/Me system
+configured to use user-mode security and cannot authenticate using
+what you know to be a correct username and password, try
+reconfiguring the Windows system to use share-mode security.</p>
+</blockquote>
+
+<p>When you print something through the Samba server via
+<em class="emphasis">smbclient</em>, the following actions should occur:</p>
+
+<ul><li>
+<p>The job appears (briefly) in the Samba spool directory specified by
+the path.</p>
+</li><li>
+<p>The job shows up in your print system's spool
+directory.</p>
+</li><li>
+<p>The job disappears from the spool directory that Samba used.</p>
+</li></ul>
+<p>If <em class="emphasis">smbclient</em> cannot print, you can reset the
+<tt class="literal">print</tt> <tt class="literal">command</tt> option to collect
+debugging information:</p>
+
+<blockquote><pre class="code">print command = echo &quot;printed %s on %p&quot; &gt;&gt;/tmp/printlog</pre></blockquote>
+
+<p>A <a name="INDEX-22"/>common
+problem with Samba printer configuration is forgetting to use the
+full pathnames for commands. Another frequent problem is not having
+the correct permissions on the spooling directory.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> As usual,
+check your Samba log files and system log files for error messages.
+If you use BSD printing, you can change the <tt class="literal">lp</tt>
+keyword in the printer's printcap entry to something
+other than <em class="filename">/dev/null</em>, allowing you to collect
+error messages from the printing system.</p>
+
+<a name="samba2-CHP-10-NOTE-152"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>More information on
+<a name="INDEX-23"/>debugging printers is in the file
+<em class="filename">docs/textdocs/Printing.txt</em> in the Samba source
+distribution. The Unix print systems are covered in detail in
+<a name="INDEX-24"/>&AElig;leen
+Frisch's <em class="emphasis">Essential Systems
+Administration</em> (published by O'Reilly).</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.5"/>
+
+<h3 class="head2">Enabling SMB Printer Sharing in Mac OS X</h3>
+
+<p>With Samba preinstalled with
+<a name="INDEX-25"/><a name="INDEX-26"/>Mac OS X, sharing access to a printer
+among Windows clients is easy. First, of course, you should set up
+local access using the Print Center application (located in
+<em class="filename">/Applications/Utilities</em>). Under the Printers
+menu, select Add Printer..., and make the appropriate selection from
+the pop-up menu. For example, if the printer is directly attached,
+select USB; if the printer is powered on, it should appear in the
+list. Choose the printer, and press the Add button.</p>
+
+<p>Edit <em class="filename">/etc/smb.conf</em>, uncommenting the
+<tt class="literal">[printers]</tt> share and making any additional
+configuration changes you feel are necessary. Finally, enable the
+Samba startup item as described in <a href="ch02.html">Chapter 2</a>,
+either by checking Windows File Sharing in Sharing Preferences or by
+manually editing <em class="filename">/etc/hostconfig</em>. Now your
+printer can be used by remote Windows clients.</p>
+
+<p>On Mac OS X and some other BSD-based systems, you can test your
+configuration using
+<em class="emphasis">smbutil</em><a name="INDEX-27"/>. The following will send the
+file named <em class="filename">print_test_file</em> to the printer named
+<em class="filename">printshare</em> on the server
+<em class="emphasis">bsdserver</em> :</p>
+
+<blockquote><pre class="code">% <tt class="userinput"><b>smbutil print //bsdserver/printshare print_test_file</b></tt></pre></blockquote>
+
+<p>See <a href="ch05.html">Chapter 5</a> for more information on using
+<em class="emphasis">smbutil</em>.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-1.6"/>
+
+<h3 class="head2">Setting Up and Testing a Windows Client</h3>
+
+<p><a name="INDEX-28"/>Now that Samba is
+offering a workable printer, you can set up your access to it on a
+Windows client. Browse through the Samba server in the Network
+Neighborhood. It should now show each printer that is available. For
+example, in <a href="ch10.html#samba2-CHP-10-FIG-1">Figure 10-1</a>, we saw a printer called
+<tt class="literal">lp</tt>.</p>
+
+<p>Next, you need to have the Windows client recognize the printer.
+Double-click the printer icon to get started. If you try to select an
+uninstalled printer (as you just did), Windows will ask you if it
+should help configure it for the Windows system. Click the Yes or OK
+button, and the Printer Wizard will open.</p>
+
+<p>If you are installing a printer on Windows 95/98/Me, the first thing
+the wizard will ask is whether you need to print from DOS.
+Let's assume you don't, so choose
+the &quot;No&quot; radio button and press the
+Next &gt; button to get to the manufacturer/model window, as shown in
+<a href="ch10.html#samba2-CHP-10-FIG-2">Figure 10-2</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-2"/><img src="figs/sam2_1002.gif"/></div><h4 class="head4">Figure 10-2. Setting the manufacturer and model of the printer</h4>
+
+<p>In this dialog box, you should see a large list of manufacturers and
+models for a huge number of printers. Select the manufacturer of your
+printer in the left side of the dialog box, and then the exact model
+of the printer in the list on the right side.</p>
+
+<p>In some cases, you might not find your printer in the list, or the
+version of the printer driver included with Windows might be out of
+date. In cases such as these, consult the printer
+manufacturer's documentation on how to install the
+driver. Typically, you will click the Have Disk... button to install
+the driver from a CD-ROM or disk file.</p>
+
+<p>If you don't see your printer on the list, but you
+know it's a PostScript printer, select Apple as the
+manufacturer and Apple LaserWriter as the model. This will give you
+the most basic PostScript printer setup&mdash;and arguably one of the
+most reliable. If you already have PostScript printers attached, you
+will be asked about replacing or reusing the existing driver. Be
+aware that if you replace it with a new one, you might make your
+other printers fail. Therefore, we recommend you keep using your
+existing printer drivers as long as they're working
+properly.</p>
+
+<p>Click the Next &gt; or OK button. On Windows 95/98/Me, the Printer
+Wizard asks you to name the printer. On Windows NT/2000/XP, you need
+to right-click the printer's icon and select
+Properties to assign the printer a name. <a href="ch10.html#samba2-CHP-10-FIG-3">Figure 10-3</a>
+shows how we've named our printer to show that
+it's shared by the <tt class="literal">mixtec</tt> Samba
+server.</p>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-3"/><img src="figs/sam2_1003.gif"/></div><h4 class="head4">Figure 10-3. Setting the printer name</h4>
+
+<p>Finally, on Windows 95/98/Me the Printing Wizard asks if it should
+print a test page. Click the &quot;Yes&quot;
+radio button, then the Finish button, and you should be presented
+with the dialog box shown in <a href="ch10.html#samba2-CHP-10-FIG-4">Figure 10-4</a>. On Windows
+NT/2000/XP, the printer test function is also accessed through the
+printer's Properties dialog box.</p>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-4"/><img src="figs/sam2_1004.gif"/></div><h4 class="head4">Figure 10-4. Sending a test page to the printer</h4>
+
+<p>If the test printing was unsuccessful, click the No button and the
+Printing Wizard will walk you through some debugging steps for the
+client side of the process. If the test printing does work, the
+remote printer will now be available to all Windows applications
+through the File and Print menu items.</p>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-10-SECT-2"/>
+
+<h2 class="head1">Printing to Windows Printers</h2>
+
+<p><a name="INDEX-29"/>If you have printers
+connected to systems running Windows 95/98/Me or Windows NT/2000/XP,
+the printers can also be accessed from your Unix system using tools
+that are part of the Samba distribution. First, it is necessary to
+create a printer share on the Windows system. Then set up the printer
+on the Unix side by configuring a new printer and using a Samba
+printing program as the printer's filter.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-2.1"/>
+
+<h3 class="head2">Sharing Windows Printers</h3>
+
+<p>Sharing printers on Windows is not unlike sharing files. In fact, it
+is a little simpler. Open the Control Panel, then double-click the
+Printers icon to open the Printers window. Right-click the icon for
+the printer you want to share, and select Sharing.... This opens the
+dialog box shown in <a href="ch10.html#samba2-CHP-10-FIG-5">Figure 10-5</a> for a Windows 98
+system, or <a href="ch10.html#samba2-CHP-10-FIG-6">Figure 10-6</a> on a Windows 2000 system.
+(The dialog box appears slightly different on other Windows versions,
+but functions almost identically.)</p>
+
+<a name="samba2-CHP-10-NOTE-153"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>On Windows 95/98/Me systems, you may need to run file sharing in
+share-level (rather than user-level) access control mode to access a
+shared printer from Samba. To check or set this mode, go to Control
+Panel, then double-click on Network, then click on the Access Control
+tab. More detailed information on this can be found in <a href="ch05.html">Chapter 5</a>.</p>
+</blockquote>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-5"/><img src="figs/sam2_1005.gif"/></div><h4 class="head4">Figure 10-5. Sharing printers on Windows 98</h4>
+
+<div class="figure"><a name="samba2-CHP-10-FIG-6"/><img src="figs/sam2_1006.gif"/></div><h4 class="head4">Figure 10-6. Sharing printers on Windows 2000</h4>
+
+<p>Click the &quot;Shared as&quot; radio button,
+then click the OK button. The printer is now accessible by other
+systems on the network.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-2.2"/>
+
+<h3 class="head2">Adding a Unix Printer</h3>
+
+<p><a name="INDEX-30"/>The Samba distribution comes with
+three programs that assist with printing on shared printers. The
+<em class="emphasis">smbprint</em><a name="INDEX-31"/> program works with systems that use the
+BSD printing system,
+<em class="emphasis">smbprint.sysv</em><a name="INDEX-32"/>
+works with systems that use System V printing, and
+<em class="emphasis">smbspool</em><a name="INDEX-33"/>
+works with systems that use the Common Unix Printing System (CUPS).
+In the following sections we show you how to install printers for
+each system.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.2.1"/>
+
+<h3 class="head3">BSD printers</h3>
+
+<p><a name="INDEX-34"/><a name="INDEX-35"/>The
+BSD printing system is used by many Unix variants, including Red Hat
+Linux. With BSD printing, all the printers on the system have an
+entry in the <em class="filename">/etc/printcap</em> file, which is the
+database of printer capabilities used by the <em class="emphasis">lpd</em>
+line printer daemon and other programs that assist with printing. The
+Red Hat Linux implementation is a bit different in that
+<em class="filename">/etc/printcap</em> is a machine-generated file, which
+is re-created every time the <em class="emphasis">lpd</em> daemon is
+restarted by the <em class="emphasis">/etc/rc.d/init.d/lpd</em> script.
+Instead of editing <em class="filename">/etc/printcap</em>, we will add an
+entry for our printer in <em class="filename">/etc/printcap.local</em>,
+which the system automatically includes verbatim when creating
+<em class="filename">/etc/printcap</em>.</p>
+
+<a name="samba2-CHP-10-NOTE-154"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If you are using the version of Samba installed from an RPM file as
+on Red Hat Linux, you might be able to skip these directions and use
+the <em class="emphasis">printconf</em> tool, which has support for SMB
+printers. Unfortunately, this tool might not work correctly if you
+have installed Samba from the Samba source distribution.</p>
+</blockquote>
+
+<p>Here is the entry we added to our
+<em class="filename">/etc/printcap.local</em><a name="INDEX-36"/><a name="INDEX-37"/> file to support our Hewlett-Packard
+DeskJet 932C printer, which is shared by <tt class="literal">maya</tt>, a
+Windows 98 system:</p>
+
+<blockquote><pre class="code">lp|maya-hp932c:\
+    :cm=HP 932C on maya:\
+    :sd=/var/spool/lpd/maya:\
+    :af=/var/spool/lpd/maya/acct:\
+    :if=/usr/local/samba/bin/smbprint:\
+    :mx=0:\
+    :lp=/dev/null:</pre></blockquote>
+
+<p>The first line creates names for the printer. We are calling it both
+<tt class="literal">maya-hp932c</tt>, to describe its location on the
+network and the type of printer, and <tt class="literal">lp</tt> so that
+programs will use it as the default printer. The rest of the lines
+specify keywords and values. The <tt class="literal">cm</tt> keyword allows
+us to assign a comment string to the printer. The
+<tt class="literal">sd</tt> and <tt class="literal">af</tt> keywords assign the
+printer's spool directory and accounting files,
+respectively. The <tt class="literal">if</tt> keyword assigns the print
+filter. We are using the <em class="emphasis">smbprint</em> command to
+send the output to the shared SMB printer. The <tt class="literal">mx</tt>
+keyword is set to zero to allow any size file to be printed, and
+<tt class="literal">lp</tt> is set to <em class="filename">/dev/null</em> to
+discard error messages.</p>
+
+<p>You can follow our model to create an entry for your own printer. If
+you want to go beyond the capabilities we used, refer to your
+system's <em class="emphasis">printcap(5)</em> manual
+page for a complete listing of keywords.</p>
+
+<p>Go to your Samba source distribution's root
+directory, and install the <em class="emphasis">smbprint</em> program like
+this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cp examples/printing/smbprint /usr/local/samba/bin</b></tt></pre></blockquote>
+
+<p>We next create the printer's spool directory:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cd /var/spool/lpd</b></tt>
+# <tt class="userinput"><b>mkdir maya</b></tt>
+# <tt class="userinput"><b>chown lp:lp maya</b></tt>
+# <tt class="userinput"><b>chmod 700 maya</b></tt></pre></blockquote>
+
+<p>The <em class="emphasis">smbprint</em> program looks for a file named
+<em class="filename">.config</em> in the printer's spool
+directory, which contains information on how to connect to the
+printer share. We create this file and then fill in the required
+information:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>cd maya</b></tt>
+# <tt class="userinput"><b>&gt;.config</b></tt>
+# <tt class="userinput"><b>chown lp:lp .config</b></tt>
+# <tt class="userinput"><b>chmod 600 .config</b></tt></pre></blockquote>
+
+<p>Use your preferred text editor to edit the
+<em class="filename">.config</em> file, and enter three lines, like this:</p>
+
+<blockquote><pre class="code">server=maya
+service=hp
+password=&quot;&quot;</pre></blockquote>
+
+<p>This is for our shared printer having a UNC of
+<em class="filename">\\maya\hp</em>. When we created the printer share, we
+did not give it a password, so we use a null password here. If your
+printer share is on a Windows NT/2000/XP system, use your domain
+password.</p>
+
+<p>Finally, restart the printer daemon:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/lpd restart</b></tt></pre></blockquote>
+
+<p>You can now try printing something. Run the following command:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>lpr textfile</b></tt></pre></blockquote>
+
+<p>If you have everything set up correctly, the file prints on the
+shared printer. If you get &quot;stair
+stepping&quot; of text, caused by the printer not
+returning to the left margin at the beginning of every line, modify
+the <tt class="literal">if</tt> keyword in your printcap entry to run
+<em class="emphasis">smbprint</em> with the <em class="emphasis">-t</em>
+option. <a name="INDEX-38"/><a name="INDEX-39"/></p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.2.2"/>
+
+<h3 class="head3">System V printers</h3>
+
+<p><a name="INDEX-40"/><a name="INDEX-41"/>Sending print jobs from a System V Unix
+system is a little easier than with the BSD system. Here, you need to
+edit the <em class="filename">smbprint.sysv</em> script in the
+<em class="filename">examples/printing</em> directory of the Samba
+distribution and do the following:</p>
+
+<ol><li>
+<p>Change the <tt class="literal">server</tt>, <tt class="literal">service</tt>, and
+<tt class="literal">password</tt> parameters in the script to match the
+NetBIOS computer name, its shared printer service, and its password,
+respectively. For example, the following entries would be correct for
+the service in the previous example:</p>
+
+<blockquote><pre class="code">server = maya
+service = hp
+password = &quot;&quot;</pre></blockquote>
+</li>
+<li>
+<p>Run the following commands, which create a reference for the new
+printer (which we are naming <tt class="literal">hp_printer</tt>) in the
+printer capabilities file:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>lpadmin -p hp_printer -v /dev/null -i./smbprint.sysv</b></tt>
+# <tt class="userinput"><b>enable hp_printer</b></tt>
+# <tt class="userinput"><b>accept hp_printer</b></tt></pre></blockquote>
+</li></ol>
+<p>After you've done that, restart the Samba daemons
+and try printing to <tt class="literal">hp_printer</tt> using any standard
+Unix program.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.2.3"/>
+
+<h3 class="head3">CUPS printers</h3>
+
+<p><a name="INDEX-42"/><a name="INDEX-43"/><a name="INDEX-44"/>CUPS<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> uses
+a set of modules, called
+<em class="firstterm">backends</em><a name="INDEX-45"/>, to send print jobs to various
+destinations, such as local printers attached to parallel, serial, or
+Universal Serial Bus (USB) ports, or over the network using Unix line
+printer daemon (LPD) protocol, Internet Printing Protocol (IPP),
+AppleTalk Printer Access Protocol (PAP), and so on. The software
+package does not come with a backend for SMB; the Samba suite
+includes the <em class="emphasis">smbspool</em>
+<a name="INDEX-46"/>utility for this purpose.</p>
+
+<p>To enable printing to remote SMB printers using CUPS, create a
+symbolic link named <em class="filename">smb</em> in the CUPS backend
+directory pointing to <em class="emphasis">smbspool</em>. Depending on
+installation options, these could be in a number of places in the
+directory hierarchy, so be sure to check your system. Using a common
+default installation, the command would look like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /usr/local/samba/bin/smbspool /usr/lib/cups/backend/smb</b></tt></pre></blockquote>
+
+<p>Issue a HUP signal to the CUPS daemon, <em class="emphasis">cupsd</em>,
+and check for the existence of SMB support with the <em class="emphasis">lpinfo
+-v</em> command. Its output should now include a line that says
+<tt class="literal">network</tt> <tt class="literal">smb</tt>.</p>
+
+<p>To add a printer, use the CUPS web interface, accessible on the local
+system at <em class="emphasis">http://localhost:631/</em>,
+or use the <em class="emphasis">lpadmin</em> command:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>lpadmin -p hp932c -E -v smb://maya/hp932c -D &quot;HP 932C on maya&quot;</b></tt></pre></blockquote>
+
+<p>This creates and enables the new print spool called
+<tt class="literal">hp932c</tt>. The <em class="emphasis">-v</em> argument
+specifies the printer device, which in this case is accessed over the
+network using an SMB URI. If the printer is not guest-accessible,
+you'll need to provide a username and password in
+the URI. The full format is as follows:</p>
+
+<blockquote><pre class="code">smb://[<em class="replaceable">username</em>[:<em class="replaceable">password</em>]@][<em class="replaceable">workgroup</em>/]<em class="replaceable">server</em>/<em class="replaceable">printshare</em></pre></blockquote>
+
+<p>The <em class="emphasis">lpadmin</em><a name="INDEX-47"/> command makes changes to
+<em class="filename">/etc/cups/printers.conf</em> and sends a HUP signal
+to the <em class="emphasis">cupsd</em> daemon, resulting in the creation
+of a local raw printer spool. In this example, print data is passed
+in raw format to the Windows system, which has the necessary printer
+drivers and printer description files to format the data
+appropriately. The <em class="emphasis">-D</em> option is used to give the
+printer a comment string.</p>
+
+<p>Once you have the printer set up, it's time to test
+it out. CUPS understands both BSD-style and System V-style printing
+commands, so you can use whichever is more comfortable. Using the BSD
+<em class="emphasis">lpr</em> command, try something like:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>lpr -P hp932c textfile</b></tt></pre></blockquote>
+
+<p>You should now be set up to use the printer from any application on
+the Unix system. <a name="INDEX-48"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-10-SECT-2.3"/>
+
+<h3 class="head2">Samba Printing Options</h3>
+
+<p><a href="ch10.html#samba2-CHP-10-TABLE-2">Table 10-2</a> summarizes the Samba <a name="INDEX-49"/><a name="INDEX-50"/>printing
+options.</p>
+
+<a name="samba2-CHP-10-TABLE-2"/><h4 class="head4">Table 10-2. Printing configuration options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">printing</tt></p>
+</td>
+<td>
+<p><tt class="literal">bsd</tt>, <tt class="literal">sysv</tt>,
+<tt class="literal">cups</tt>, <tt class="literal">hpux</tt>,
+<tt class="literal">aix</tt>, <tt class="literal">qnx</tt>,
+<tt class="literal">plp</tt>, <tt class="literal">softq</tt>, or
+<tt class="literal">lprng</tt></p>
+</td>
+<td>
+<p>Printing system type of the Samba host</p>
+</td>
+<td>
+<p>System-dependent</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">printable</tt> <tt class="literal">(print ok)</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>Marks a share as a printing share</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">printer</tt> <tt class="literal">(printer name)</tt></p>
+</td>
+<td>
+<p>string (Unix printer name)</p>
+</td>
+<td>
+<p>Name for the printer that is shown to clients</p>
+</td>
+<td>
+<p>System-dependent</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpq cache time</tt></p>
+</td>
+<td>
+<p>numeric (time in seconds)</p>
+</td>
+<td>
+<p>Amount of time in seconds that Samba will cache the printer queue
+status</p>
+</td>
+<td>
+<p><tt class="literal">10</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">postscript</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>Treats all print jobs as PostScript by prefixing
+<tt class="literal">%!</tt> at the beginning of each file</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">load printers</tt></p>
+</td>
+<td>
+<p>boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, automatically loads each printer in the
+<em class="emphasis">printcap</em> file as printing shares</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">print command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to perform printing</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpq command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to return the status of the printing queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lprm command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to remove a job from the printing queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lppause command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to pause a job on the printing queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpresume</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to resume a paused job on the printing queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">printcap name</tt></p>
+
+<p><tt class="literal">(printcap)</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>Location of the printer capabilities file</p>
+</td>
+<td>
+<p>System-dependent</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">min print space</tt></p>
+</td>
+<td>
+<p>numeric (size in kilobytes)</p>
+</td>
+<td>
+<p>Minimum amount of free disk space that must be present to print</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">queuepause</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to pause a queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">queueresume</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Unix command to resume a queue</p>
+</td>
+<td>
+<p>See below</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.1"/>
+
+<h3 class="head3">printing</h3>
+
+<p>The <tt class="literal">printing</tt><a name="INDEX-51"/> configuration option tells
+Samba which <a name="INDEX-52"/>printing system to use. There are
+several different families of commands to control printing and print
+statusing. Samba supports seven different types, as shown in <a href="ch10.html#samba2-CHP-10-TABLE-3">Table 10-3</a>.</p>
+
+<a name="samba2-CHP-10-TABLE-3"/><h4 class="head4">Table 10-3. Printing system types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Variable</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>BSD</p>
+</td>
+<td>
+<p>Berkeley Unix system</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>SYSV</p>
+</td>
+<td>
+<p>System V</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>CUPS</p>
+</td>
+<td>
+<p>Common Unix Printing System</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>AIX</p>
+</td>
+<td>
+<p>IBM's AIX operating system</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>HPUX</p>
+</td>
+<td>
+<p>Hewlett-Packard Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>QNX</p>
+</td>
+<td>
+<p>QNX Realtime Operating System</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>LPRNG</p>
+</td>
+<td>
+<p>LPR Next Generation</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>SOFTQ</p>
+</td>
+<td>
+<p>SOFTQ system</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>PLP</p>
+</td>
+<td>
+<p>Portable Line Printer</p>
+</td>
+</tr>
+
+</table>
+
+<p>The value for this option must be one of these seven selections. For
+example:</p>
+
+<blockquote><pre class="code">printing = SYSV</pre></blockquote>
+
+<p>The default value of this option is system-dependent and is
+configured when Samba is first compiled. For most systems, the
+<em class="filename">configure</em> script automatically detects the
+printing system to be used and configures it properly in the Samba
+makefile. However, if your system is a PLP, LPRNG, or QNX printing
+system, you need to specify this explicitly in the makefile or the
+printing share.</p>
+
+<p>The most common system types are BSD, SYSV, and CUPS. Each printer on
+a BSD Unix server is described in the printer capabilities
+file&mdash;normally <em class="filename">/etc/printcap</em>. See the
+section on the <tt class="literal">printcap</tt> <tt class="literal">file</tt>
+parameter for more information on this topic.</p>
+
+<p>Setting the <tt class="literal">printing</tt> configuration option
+automatically sets at least three other printing options for the
+service in question: <tt class="literal">print</tt>
+<tt class="literal">command</tt>, <tt class="literal">lpq</tt>
+<tt class="literal">command</tt>, and <tt class="literal">lprm</tt>
+<tt class="literal">command</tt>. If you are running Samba on a system that
+doesn't support any of the printing styles listed in
+<a href="ch10.html#samba2-CHP-10-TABLE-3">Table 10-3</a>, simply set the commands for each of
+these manually.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.2"/>
+
+<h3 class="head3">printable</h3>
+
+<p>The <tt class="literal">printable</tt><a name="INDEX-53"/> option must be set to
+<tt class="literal">yes</tt> to flag a share as a printing service. If this
+option is not set, the share will be treated as a disk share instead.
+You can set the option as follows:</p>
+
+<blockquote><pre class="code">[printer1]
+    printable = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.3"/>
+
+<a name="INDEX-54"/><h3 class="head3">printer</h3>
+
+<p>The option, also called
+<tt class="literal">printer</tt><a name="INDEX-55"/> <tt class="literal">name</tt>,
+specifies the name of the printer on the server to which the share
+points. This option has no default and should be set explicitly in
+the configuration file, even though Unix systems themselves often
+recognize a default name such as <tt class="literal">lp</tt> for a printer.
+For example:</p>
+
+<blockquote><pre class="code">[deskjet]
+    printer = hpdkjet1</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.4"/>
+
+<h3 class="head3">lpq cache time</h3>
+
+<p>The global <tt class="literal">lpq</tt><a name="INDEX-56"/> <tt class="literal">cache</tt>
+<tt class="literal">time</tt> option allows you to set the number of
+seconds for which Samba will remember the current printer status.
+After this time elapses, Samba will issue an <em class="emphasis">lpq</em>
+command (or whatever command you specify with the
+<tt class="literal">lpq</tt> <tt class="literal">command</tt> option) to get a
+more up-to-date status that it can report to users. This defaults to
+10 seconds, but can be increased if your <tt class="literal">lpq</tt>
+<tt class="literal">command</tt> takes an unusually long time to run or you
+have lots of clients. A time setting of 0 disables caching of queue
+status. The following example resets the time to 30 seconds:</p>
+
+<blockquote><pre class="code">[deskjet]
+    lpq cache time = 30</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.5"/>
+
+<h3 class="head3">postscript</h3>
+
+<p>The <tt class="literal">postscript</tt><a name="INDEX-57"/> option forces the
+printer to treat all data sent to it as PostScript. It does this by
+prefixing the characters <tt class="literal">%!</tt> to the beginning of
+the first line of each job. It is normally used with PCs that insert
+a <tt class="literal">^D</tt> (control-D or
+&quot;end-of-file&quot; mark) in front of the
+first line of a PostScript file. It will not, obviously, turn a
+non-PostScript printer into a PostScript one. The default value of
+this options is <tt class="literal">no</tt>. You can override it as
+follows:</p>
+
+<blockquote><pre class="code">[deskjet]
+    postscript = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.6"/>
+
+<h3 class="head3">load printers</h3>
+
+<p>The <tt class="literal">load</tt><a name="INDEX-58"/> <tt class="literal">printers</tt>
+option tells Samba to create shares for all known printer names and
+load those shares into the browse list. Samba will create and list a
+printer share for each printer name in
+<em class="filename">/etc/printcap</em> (or the system equivalent). For
+example, if your
+<em class="filename">printcap</em><a name="INDEX-59"/> file looks
+like this:<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a></p>
+
+<blockquote><pre class="code">lp:\
+  :sd=/var/spool/lpd/lp:\            <i class="lineannotation">spool directory</i>
+  :mx#0:\                            <i class="lineannotation">maximum file size (none)</i>
+  :sh:\                              <i class="lineannotation">supress burst header (no)</i>
+  :lp=/dev/lp1:\                     <i class="lineannotation">device name for output</i>
+  :if=/var/spool/lpd/lp/filter:      <i class="lineannotation">text filter</i>
+
+laser:\
+  :sd=/var/spool/lpd/laser:\         <i class="lineannotation">spool directory</i>
+  :mx#0:\                            <i class="lineannotation">maximum file size (none)</i>
+  :sh:\                              <i class="lineannotation">supress burst header (no)</i>
+  :lp=/dev/laser:\                   <i class="lineannotation">device name for output</i>
+  :if=/var/spool/lpd/lp/filter:      <i class="lineannotation">text filter</i></pre></blockquote>
+
+<p>the shares <tt class="literal">[lp]</tt> and <tt class="literal">[laser]</tt> are
+automatically created as valid print shares when Samba is started.
+Both shares borrow the configuration options specified in the
+<tt class="literal">[printers]</tt> section to configure themselves and are
+available in the browse list for the Samba server. The default value
+for this option is <tt class="literal">yes</tt>. If you prefer to specify
+each printer explicitly in your configuration file, use the
+following:</p>
+
+<blockquote><pre class="code">[global]
+    load printers = no</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.7"/>
+
+<a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/><a name="INDEX-64"/><h3 class="head3">print command, lpq command, lprm command,lppause command, lpresume command</h3>
+
+<p>These options tell Samba which Unix commands control and send data to
+the printer. The Unix commands involved are: <em class="emphasis">lpr</em>
+(send to Line PRinter), <em class="emphasis">lpq</em> (List Printer
+Queue), <em class="emphasis">lprm</em> (Line Printer ReMove), and
+optionally <em class="emphasis">lppause</em> and
+<em class="emphasis">lpresume</em>. Samba provides an option named after
+each command, in case you need to override any of the system
+defaults. For example, consider the following:</p>
+
+<blockquote><pre class="code">lpq command = /usr/ucb/lpq %p</pre></blockquote>
+
+<p>This would set <tt class="literal">lpq</tt> <tt class="literal">command</tt> to
+use <em class="filename">/usr/ucb/lpq</em>. Similarly:</p>
+
+<blockquote><pre class="code">lprm command = /usr/local/bin/lprm -P%p %j</pre></blockquote>
+
+<p>would set the Samba printer remove command to
+<em class="filename">/usr/local/bin/lprm</em> and provide it the print job
+number using the <tt class="literal">%j</tt> variable.</p>
+
+<p>The default values for each option are dependent on the value of the
+<tt class="literal">printing</tt> option. <a href="ch10.html#samba2-CHP-10-TABLE-4">Table 10-4</a>
+shows the default commands for each printing option. The most popular
+printing system is BSD.</p>
+
+<a name="samba2-CHP-10-TABLE-4"/><h4 class="head4">Table 10-4. Default commands for various printing options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>BSD, AIX, PLP, LPRNG</p>
+</th>
+<th>
+<p>SYSV, HPUX</p>
+</th>
+<th>
+<p>QNX</p>
+</th>
+<th>
+<p>SOFTQ</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">print</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpr -r -P%p %s</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -c -d%p %s; rm</tt> <tt class="literal">%s</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -r -P%p %s</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -d%p -s %s; rm %s</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpq</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpq -P%p</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpstat -o%p</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpq -P%p</tt></p>
+</td>
+<td>
+<p><tt class="literal">lpstat -o%p</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lprm</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lprm -P%p %j</tt></p>
+</td>
+<td>
+<p><tt class="literal">cancel %p-%j</tt></p>
+</td>
+<td>
+<p><tt class="literal">cancel %p-%j</tt></p>
+</td>
+<td>
+<p><tt class="literal">cancel %p-%j</tt></p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lppause</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -i %p-%j -H</tt> <tt class="literal">hold</tt></p>
+
+<p>(SYSV only)</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>None</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">lpresume</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p><tt class="literal">lp -i %p-%j -H</tt> <tt class="literal">resume</tt></p>
+
+<p>(SYSV only)</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p><tt class="literal">qstat -s -j%j -r</tt></p>
+</td>
+</tr>
+
+</table>
+
+<p>It is usually unnecessary to reset these options in Samba, with the
+possible exception of the <tt class="literal">print</tt>
+<tt class="literal">command</tt>. This option might need to be set
+explicitly if your printing system doesn't have a
+<em class="emphasis">-r</em> (remove after printing) option on the
+printing command. For example:</p>
+
+<blockquote><pre class="code">print command = /usr/local/lpr -P%p %s; /bin/rm %s</pre></blockquote>
+
+<p>With a bit of judicious programming, these
+<em class="filename">smb.conf</em> options can also be used for debugging:</p>
+
+<blockquote><pre class="code">print command = cat %s &gt;&gt;/tmp/printlog; lpr -r -P%p %s</pre></blockquote>
+
+<p>Using the previous configuration, it is possible to verify that files
+are actually being delivered to the Samba server. If they are, their
+contents will show up in the file <em class="filename">/tmp/printlog</em>.</p>
+
+<p>After BSD, the next most popular kind of printing system is SYSV (or
+System V) printing, plus some SYSV variants for
+IBM's AIX and Hewlett-Packard's
+HP-UX. These systems do not have an
+<em class="filename">/etc/printcap</em> file. Instead, the
+<tt class="literal">printcap</tt> <tt class="literal">file</tt> option can be set
+to an appropriate <em class="emphasis">lpstat</em> command for the system.
+This tells Samba to get a list of printers from the
+<em class="emphasis">lpstat</em> command. Alternatively, you can set the
+global configuration option <tt class="literal">printcap</tt>
+<tt class="literal">name</tt> to the name of a dummy
+<em class="filename">printcap</em> file you provide. In the latter case,
+the file must contain a series of lines such as:</p>
+
+<blockquote><pre class="code">lp|print1|My Printer 1
+print2|My Printer 2
+print3|My Printer 3</pre></blockquote>
+
+<p>Each line names a printer followed by aliases for it. In this
+example, the first printer is called <tt class="literal">lp</tt>,
+<tt class="literal">print1</tt>, or <tt class="literal">My</tt>
+<tt class="literal">Printer</tt> <tt class="literal">1</tt>, whichever the user
+prefers to use. The first name is used in place of
+<tt class="literal">%p</tt> in any command Samba executes for that printer.</p>
+
+<p>Two additional printer types are also supported by Samba: LPRNG (LPR
+New Generation) and PLP (Public Line Printer). These are public
+domain and open source printing systems and are used by many sites to
+overcome problems with vendor-supplied software. Samba also supports
+the printing systems of the SOFTQ and QNX real-time operating
+systems.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.8"/>
+
+<h3 class="head3">printcap name</h3>
+
+<p>If the <tt class="literal">printcap</tt><a name="INDEX-65"/><a name="INDEX-66"/>
+<tt class="literal">name</tt> option (also called
+<tt class="literal">printcap</tt>) appears in a printing share, Samba uses
+the file specified as the system printer capabilities file (normally
+<em class="filename">/etc/printcap</em>). However, you can reset it to a
+file consisting of only the printers you want to share over the
+network. The value must be the filename (with its complete path
+specified) of a printer capabilities file on the server:</p>
+
+<blockquote><pre class="code">[deskjet]
+    printcap name = /usr/local/samba/lib/printcap</pre></blockquote>
+
+<p>The CUPS printing system uses its own method of determining printer
+capabilities, rather than the standard <em class="filename">printcap</em>
+file. In this case, set <tt class="literal">printcap</tt>
+<tt class="literal">name</tt> as follows:</p>
+
+<blockquote><pre class="code">[global]
+    printing = cups
+    printcap name = cups</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.9"/>
+
+<h3 class="head3">min print space</h3>
+
+<p>The <tt class="literal">min</tt><a name="INDEX-67"/> <tt class="literal">print</tt>
+<tt class="literal">space</tt> option sets the amount of space that must be
+available on the disk that contains the spool directory if printing
+is to be allowed. Setting it to zero (the default) turns the check
+off; setting it to any other number sets the amount of free space in
+kilobytes required. This option helps to avoid having print jobs fill
+up the remaining disk space on the server, which can cause other
+processes to fail:</p>
+
+<blockquote><pre class="code">[deskjet]
+    min print space = 4000</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.10"/>
+
+<a name="INDEX-68"/><h3 class="head3">queuepause command</h3>
+
+<p>This configuration option specifies a command that tells Samba how to
+pause an entire print queue, as opposed to a single job on the queue.
+The default value depends on the printing type chosen. You should not
+need to alter this option.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-10-SECT-2.3.11"/>
+
+<a name="INDEX-69"/><h3 class="head3">queueresume command</h3>
+
+<p>This configuration option specifies a command that tells Samba how to
+resume a paused print queue, as opposed to resuming a single job on
+the print queue. The default value depends on the printing type
+chosen. You should not need to alter this option. <a name="INDEX-70"/> <a name="INDEX-71"/> <a name="INDEX-72"/><a name="INDEX-73"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> If
+you are using Linux, you can use the <em class="emphasis">checkpc</em>
+command to check for this type of error.</p> <a name="FOOTNOTE-2"/>
+<p><a href="#FNPTR-2">[2]</a> CUPS is open source software (<a href="http://www.opensource.org">http://www.opensource.org</a>) developed by Easy
+Software Products. For more information, visit <a href="http://www.cups.org">http://www.cups.org</a>.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> We have placed annotated comments off to
+the right in case you've never dealt with this file
+before.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch11.html b/docs/htmldocs/using_samba/ch11.html
new file mode 100644
index 0000000000..026879db40
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch11.html
@@ -0,0 +1,2123 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 11. Additional Samba Information</h1>
+
+
+<p>This chapter wraps up our coverage of the
+<em class="filename">smb.conf</em> configuration file with some
+miscellaneous options that can perform a variety of tasks. We talk
+briefly about options for time synchronization, internationalization,
+messages, and common Windows bugs. For the most part, you will use
+these options only in isolated circumstances.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-1"/>
+
+<h2 class="head1">Time Synchronization</h2>
+
+<p>In a network of computers, the systems on the network must agree on
+the current time and also on what time files have been modified. One
+example of the importance of synchronization is the
+<a name="INDEX-1"/>roaming profiles we covered in
+<a href="ch04.html">Chapter 4</a>. It is vital for all clients accessing a
+roaming profile to agree on what time it is and which client last
+modified the user's profile.</p>
+
+<p><a name="INDEX-2"/>Time synchronization can also be
+very important to programmers. A useful group of settings consists of
+the following options:</p>
+
+<blockquote><pre class="code">[global]
+    time server = yes
+    dos filetimes = yes
+    fake directory create times = yes
+    dos filetime resolution = yes
+    delete readonly = yes</pre></blockquote>
+
+<p>If you set these options, Samba shares will provide compatibility of
+file-modification times that Visual C++, <em class="emphasis">nmake</em>,
+and other Microsoft programming tools require. Otherwise, PC
+<em class="emphasis">make</em> programs might think that all the files in
+a directory need to be recompiled every time. Obviously, this is not
+the behavior you want.</p>
+
+<p>In <a href="ch04.html">Chapter 4</a>, we showed you how to create a logon
+script that used the <em class="emphasis">net
+time</em><a name="INDEX-3"/> command to synchronize
+clients' clocks automatically when they log on to
+the domain. If your network is configured as a workgroup rather than
+a domain, you can still make use of <em class="emphasis">net time</em> by
+placing the command:</p>
+
+<blockquote><pre class="code">net time \\<em class="replaceable">sambaserver</em> /set /yes</pre></blockquote>
+
+<p>in a startup script on each client that is run when the system boots.
+Samba always provides time service&mdash;regardless of whether it is
+running as a primary domain controller&mdash;or the
+<tt class="literal">time</tt> <tt class="literal">service</tt> configuration file
+parameter is set.</p>
+
+<p>Assuming that domain users log on to the domain at least once per day
+and workgroup clients reboot frequently, the <em class="emphasis">net
+time</em> command can keep client systems'
+clocks fairly well synchronized. However, sometimes domain users stay
+logged on for longer periods, and workgroup clients can run for days
+between reboots. In the meantime, the systems'
+hardware clocks can wander enough to become a problem. It might be
+possible to work around this, depending on the version of Windows the
+client system is running. On Windows 98/Me, you can use the Task
+Scheduler to run the <em class="emphasis">net time</em> command at regular
+intervals. Likewise, on Windows 2000/XP you can use the MS-DOS
+<em class="emphasis">at</em> command. However, a better way to deal with
+this issue is to use Network Time Protocol, which we will discuss
+shortly.</p>
+
+<p>Proper time synchronization is also important when operating in an
+Active Directory domain because Active Directory uses
+<a name="INDEX-4"/>Kerberos authentication.
+When a Kerberos domain controller creates an authentication ticket
+for a client, the time is encoded into the challenge-and-response
+exchanges between the client and domain controller. If the
+client's clock disagrees with the
+server's clock, authentication can fail.</p>
+
+<p>To provide proper time synchronization in <a name="INDEX-5"/>Active Directory domains, Microsoft has
+adopted <a name="INDEX-6"/>Network Time Protocol (NTP), using the
+name Windows Time Service for its implementation. For further
+information, the Microsoft white paper entitled <em class="citetitle">The
+Windows Time Service</em> can be downloaded from <a href="http://www.microsoft.com">http://www.microsoft.com</a>.</p>
+
+<p>The nice thing about this is that NTP is the standard method for
+synchronizing Unix hosts on a network, so you can synchronize all
+your Unix systems (including the Samba server) and Windows systems
+with the following method:</p>
+
+<ol><li>
+<p>Run NTP on the Unix systems in your network. For more information on
+using NTP, refer to <a href="http://www.ntp.org">http://www.ntp.org</a>.</p>
+</li><li>
+<p>Use one of the Unix systems (such as the Samba host system) as an NTP
+server to serve Windows 2000/XP clients.</p>
+</li><li>
+<p>For other Windows clients, you might have to download an update from
+Microsoft to add <a name="INDEX-7"/><a name="INDEX-8"/>Windows Time Service client support or
+use a third-party application such as the free
+<a name="INDEX-9"/>analogX Atomic TimeSync (<a href="http://www.analogx.com">http://www.analogx.com</a>). Or you can use the
+<em class="emphasis">net time</em> command to update the
+client's clock periodically, as discussed
+previously.</p>
+</li></ol>
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-1.1"/>
+
+<h3 class="head2">Time-Synchronization Options</h3>
+
+<p>To support roaming profiles, programmers accessing your Samba server,
+and other time-sensitive functions on your network,
+you'll want to be aware of the options listed in
+<a href="ch11.html#samba2-CHP-11-TABLE-1">Table 11-1</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-1"/><h4 class="head4">Table 11-1. Time-synchronization options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">time server</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, announces <em class="emphasis">nmbd</em> as an
+SMB time service to Windows clients</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">time offset</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Adds a specified number of minutes to the reported time</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dos filetimes</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Allows non-owners of a file to change its time if they can write to it</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dos filetime</tt></p>
+
+<p><tt class="literal">resolution</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Causes file times to be rounded to the next even second</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">fake directory</tt> <tt class="literal">create times</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Sets directory times to avoid an MS <em class="emphasis">nmake</em> bug</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.1"/>
+
+<a name="INDEX-12"/><h3 class="head3">time server</h3>
+
+<p>Samba always operates as an SMB time server, matching the behavior of
+Windows systems. However, Samba's default is not to
+advertise itself as a time server to the network. When this option is
+set to <tt class="literal">yes</tt>, Samba advertises itself as an SMB time
+server:</p>
+
+<blockquote><pre class="code">[global]
+    time service = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.2"/>
+
+<a name="INDEX-13"/><h3 class="head3">time offset</h3>
+
+<p>To deal with clients that don't properly process
+daylight savings time, Samba provides the <tt class="literal">time</tt>
+<tt class="literal">offset</tt> option. If set, it adds the specified
+number of minutes to the current time. This is handy if
+you're in Newfoundland and Windows
+doesn't know about the 30-minute time difference
+there:</p>
+
+<blockquote><pre class="code">[global]
+    time offset = 30</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.3"/>
+
+<a name="INDEX-14"/><h3 class="head3">dos filetimes</h3>
+
+<p>Traditionally, only the root user and the owner of a file can change
+its last-modified date on a Unix system. The share-level
+<tt class="literal">dos</tt> <tt class="literal">filetimes</tt> option allows the
+Samba server to mimic the characteristics of a DOS or Windows system:
+any user can change the last-modified date on a file in that share if
+she has write permission to it. To do this, Samba uses its root
+privileges to modify the timestamp on the file.</p>
+
+<p>By default, this option is disabled. Setting this option to
+<tt class="literal">yes</tt> is often necessary to allow PC
+<em class="emphasis">make</em> programs to work properly. Without it, they
+cannot change the last-modified date themselves. This often results
+in the program thinking <em class="emphasis">all</em> files need
+recompiling when they really don't.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.4"/>
+
+<h3 class="head3">dos filetime resolution</h3>
+
+<p>The <tt class="literal">dos</tt><a name="INDEX-15"/>
+<tt class="literal">filetime</tt> <tt class="literal">resolution</tt> parameter
+is a share-level option. If set to <tt class="literal">yes</tt>, Samba
+rounds file times to the closest 2-second boundary. This option
+exists primarily to satisfy a quirk in Windows that prevents Visual
+C++ from correctly recognizing that a file has not changed. You can
+enable it as follows:</p>
+
+<blockquote><pre class="code">[data]
+    dos filetime resolution = yes</pre></blockquote>
+
+<p>We recommend using this option only if you are using Microsoft Visual
+C++ on a Samba share that supports opportunistic locking.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-1.1.5"/>
+
+<h3 class="head3">fake directory create times</h3>
+
+<p>The <tt class="literal">fake</tt><a name="INDEX-16"/>
+<tt class="literal">directory</tt> <tt class="literal">create</tt>
+<tt class="literal">times</tt> option exists to keep PC
+<em class="emphasis">make</em> programs sane. VFAT and NTFS filesystems
+record the creation date of a specific directory, while Unix does
+not. Without this option, Samba takes the earliest recorded date it
+has for the directory (often the last-modified date of a file) and
+returns it to the client. If this is not sufficient, set the
+following option under a share definition:</p>
+
+<blockquote><pre class="code">[data]
+    fake directory create times = yes</pre></blockquote>
+
+<p>If set, Samba will adjust the directory create time it reports to the
+hardcoded value January 1, 1980. This is primarily used to convince
+the Visual C++ <em class="emphasis">nmake</em> program that any object
+files in its build directories are indeed younger than the creation
+date of the directory itself and need to be recompiled. <a name="INDEX-17"/> <a name="INDEX-18"/><a name="INDEX-19"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-2"/>
+
+<h2 class="head1">Magic Scripts</h2>
+
+<p><em class="firstterm">Magic scripts</em> are a method of running programs
+on Unix and redirecting the output back to the SMB client. These are
+essentially an experimental hack. However, some users and their
+programs still rely on these two options for their programs to
+function correctly. Magic scripts are not widely trusted, and their
+use is highly discouraged by the Samba Team.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-2.1"/>
+
+<h3 class="head2">Magic Script Options</h3>
+
+<p><a href="ch11.html#samba2-CHP-11-TABLE-2">Table 11-2</a> lists the options that deal with
+<a name="INDEX-20"/>magic scripts
+on the Samba server.</p>
+
+<a name="samba2-CHP-11-TABLE-2"/><h4 class="head4">Table 11-2. Magic script options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">magic</tt> <tt class="literal">script</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>File to be executed by Samba, as the logged-on user, when closed</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">magic</tt> <tt class="literal">output</tt></p>
+</td>
+<td>
+<p>string (filename)</p>
+</td>
+<td>
+<p>File to log output from the magic file</p>
+</td>
+<td>
+<p><em class="emphasis">scriptname.out</em></p>
+</td>
+<td>
+<p>Share</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-2.1.1"/>
+
+<h3 class="head3">magic script</h3>
+
+<p>If the <tt class="literal">magic</tt><a name="INDEX-21"/>
+<tt class="literal">script</tt> option is set to a filename and the client
+creates a file by that name in that share, Samba will run the file as
+soon as the user has opened and closed it. For example,
+let's assume that the following option was created
+in the share <tt class="literal">[accounting]</tt>:</p>
+
+<blockquote><pre class="code">[accounting]
+    magic script = tally.sh</pre></blockquote>
+
+<p>Samba continually monitors the files in that share. If one by the
+name of <em class="emphasis">tally.sh</em> is closed (after being opened)
+by a user, Samba will execute the contents of that file locally. The
+file will be passed to the shell to execute; it must therefore be a
+legal Unix shell script. This means that it must have newline
+characters as line endings instead of Windows CRLFs. In addition, you
+need to use the <tt class="literal">#!</tt> directive at the beginning of
+the file to indicate under which shell or interpreter the script
+should run, unless the script is for the default shell on your
+system.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-2.1.2"/>
+
+<a name="INDEX-22"/><h3 class="head3">magic output</h3>
+
+<p>This option specifies an output file to which the script specified by
+the <tt class="literal">magic</tt> <tt class="literal">script</tt> option will
+send output. You must specify a filename in a writable directory:</p>
+
+<blockquote><pre class="code">[accounting]
+    magic script = tally.sh
+    magic output = /var/log/magicoutput</pre></blockquote>
+
+<p>If this option is omitted, the default output file is the name of the
+script (as stated in the <tt class="literal">magic</tt>
+<tt class="literal">script</tt> option) with the extension
+<em class="emphasis">.out</em> appended onto it.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-3"/>
+
+<h2 class="head1">Internationalization</h2>
+
+<p><a name="INDEX-23"/><a name="INDEX-24"/>Starting
+with Samba 3.0, Samba supports Unicode &quot;on the
+wire,&quot; requiring no additional effort on your part
+to support filenames and other text containing characters in
+international character sets.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-3.1"/>
+
+<h3 class="head2">Internationalization Options</h3>
+
+<p>Samba 2.2.x has a limited ability to speak foreign tongues: if you
+need to support filenames containing characters that
+aren't in standard ASCII, some options that can help
+you are shown in <a href="ch11.html#samba2-CHP-11-TABLE-3">Table 11-3</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-3"/><h4 class="head4">Table 11-3. Internationalization options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">client code</tt> <tt class="literal">page</tt></p>
+</td>
+<td>
+<p>Described in this section</p>
+</td>
+<td>
+<p>Sets a code page to expect from clients</p>
+</td>
+<td>
+<p>850</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">character set</tt></p>
+</td>
+<td>
+<p>Described in this section</p>
+</td>
+<td>
+<p>Translates code pages into alternate Unix character sets</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">coding system</tt></p>
+</td>
+<td>
+<p>Described in this section</p>
+</td>
+<td>
+<p>Translates code page 932 into an Asian character set</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">valid chars</tt></p>
+</td>
+<td>
+<p>string (set of characters)</p>
+</td>
+<td>
+<p>Adds individual characters to a code page</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.1"/>
+
+<h3 class="head3">client code page</h3>
+
+<p>The character sets on Windows platforms hark back to the original
+concept of a <em class="emphasis">code page</em><a name="INDEX-25"/>. These code pages are used by DOS and
+Windows clients to determine rules for mapping lowercase letters to
+uppercase letters. Samba can be instructed to use a variety of code
+pages through the use of the global
+<tt class="literal">client</tt><a name="INDEX-26"/> <tt class="literal">code</tt>
+<tt class="literal">page</tt> option to match the corresponding code page
+in use on the client. This option loads a code page definition file
+and can take the values specified in <a href="ch11.html#samba2-CHP-11-TABLE-4">Table 11-4</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-4"/><h4 class="head4">Table 11-4. Valid code pages with Samba 2.0</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Code page</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">437</tt></p>
+</td>
+<td>
+<p>MS-DOS Latin (United States)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">737</tt></p>
+</td>
+<td>
+<p>Windows 95 Greek</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">850</tt></p>
+</td>
+<td>
+<p>MS-DOS Latin 1 (Western European)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">852</tt></p>
+</td>
+<td>
+<p>MS-DOS Latin 2 (Eastern European)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">861</tt></p>
+</td>
+<td>
+<p>MS-DOS Icelandic</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">866</tt></p>
+</td>
+<td>
+<p>MS-DOS Cyrillic (Russian)</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">932</tt></p>
+</td>
+<td>
+<p>MS-DOS Japanese Shift-JIS</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">936</tt></p>
+</td>
+<td>
+<p>MS-DOS Simplified Chinese</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">949</tt></p>
+</td>
+<td>
+<p>MS-DOS Korean Hangul</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">950</tt></p>
+</td>
+<td>
+<p>MS-DOS Traditional Chinese</p>
+</td>
+</tr>
+
+</table>
+
+<p>You can set the client code page as follows:</p>
+
+<blockquote><pre class="code">[global]
+    client code page = 852</pre></blockquote>
+
+<p>The default value of this option is 850, for MS-DOS Latin 1. You can
+use the <em class="emphasis">make_smbcodepage</em> tool that comes with
+Samba (by default in <em class="filename">/usr/local/samba/bin</em> ) to
+create your own SMB code pages, in the event that those listed
+earlier are not sufficient.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.2"/>
+
+<h3 class="head3">character set</h3>
+
+<p>The global <tt class="literal">character</tt><a name="INDEX-27"/>
+<tt class="literal">set</tt> option can be used to convert filenames
+offered through a DOS code page (see the previous section, <a href="ch11.html#samba2-CHP-11-SECT-3.1.1">Section 11.3.1.1</a>) to equivalents that can be
+represented by Unix character sets other than those in the United
+States. For example, if you want to convert the Western European
+MS-DOS character set on the client to a Western European Unix
+character set on the server, you can use the following in your
+configuration file:</p>
+
+<blockquote><pre class="code">[global]
+    client code page = 850
+    character set = ISO8859-1</pre></blockquote>
+
+<p>Note that you must include a <tt class="literal">client</tt>
+<tt class="literal">code</tt> <tt class="literal">page</tt> option to specify the
+character set from which you are converting. The valid character sets
+(and their matching code pages) that Samba accepts are listed in
+<a href="ch11.html#samba2-CHP-11-TABLE-5">Table 11-5</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-5"/><h4 class="head4">Table 11-5. Valid character sets</h4><table border="1">
+
+
+
+
+<tr>
+<th>
+<p>Character set</p>
+</th>
+<th>
+<p>Matching code page</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">ISO8859-1</tt></p>
+</td>
+<td>
+<p><tt class="literal">850</tt></p>
+</td>
+<td>
+<p>Western European Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ISO8859-2</tt></p>
+</td>
+<td>
+<p><tt class="literal">852</tt></p>
+</td>
+<td>
+<p>Eastern European Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ISO8859-5</tt></p>
+</td>
+<td>
+<p><tt class="literal">866</tt></p>
+</td>
+<td>
+<p>Russian Cyrillic Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ISO8859-7</tt></p>
+</td>
+<td>
+<p>737</p>
+</td>
+<td>
+<p>Greek Unix</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">KOI8-R</tt></p>
+</td>
+<td>
+<p><tt class="literal">866</tt></p>
+</td>
+<td>
+<p>Alternate Russian Cyrillic Unix</p>
+</td>
+</tr>
+
+</table>
+
+<p>Normally, the <tt class="literal">character</tt> <tt class="literal">set</tt>
+option is disabled completely.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.3"/>
+
+<h3 class="head3">coding system</h3>
+
+<p>The <tt class="literal">coding</tt><a name="INDEX-28"/> <tt class="literal">system</tt>
+option is similar to the <tt class="literal">character</tt>
+<tt class="literal">set</tt> option. However, its purpose is to determine
+how to convert a Japanese Shift JIS code page into an appropriate
+Unix character set. To use this option, the <tt class="literal">client</tt>
+<tt class="literal">code</tt> <tt class="literal">page</tt> option described
+previously must be set to page <tt class="literal">932</tt>. The valid
+coding systems that Samba accepts are listed in <a href="ch11.html#samba2-CHP-11-TABLE-6">Table 11-6</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-6"/><h4 class="head4">Table 11-6. Valid coding-system parameters</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Character set</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">SJIS</tt></p>
+</td>
+<td>
+<p>Standard Shift JIS</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JIS8</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8BB</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8BH</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8@B</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8@J</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J8@H</tt></p>
+</td>
+<td>
+<p>Eight-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JIS7</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7BB</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7BH</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7@B</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7@J</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">J7@H</tt></p>
+</td>
+<td>
+<p>Seven-bit JIS codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JUNET</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JUBB</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JUBH</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JU@B</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JU@J</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">JU@H</tt></p>
+</td>
+<td>
+<p>JUNET codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">EUC</tt></p>
+</td>
+<td>
+<p>EUC codes</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">HEX</tt></p>
+</td>
+<td>
+<p>Three-byte hexadecimal code</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">CAP</tt></p>
+</td>
+<td>
+<p>Three-byte hexadecimal code (Columbia AppleTalk Program)</p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-3.1.4"/>
+
+<h3 class="head3">valid chars</h3>
+
+<p>The <tt class="literal">valid</tt><a name="INDEX-29"/> <tt class="literal">chars</tt> option
+can be used to add individual characters to a code page. You can use
+this option as follows:</p>
+
+<blockquote><pre class="code">valid chars = &Icirc;
+valid chars = 0450:0420 0x0A20:0x0A00
+valid chars = A:a</pre></blockquote>
+
+<p>Each character in the list specified should be separated by spaces.
+If there is a colon between two characters or a numerical equivalent,
+the data to the left of the colon is considered an uppercase
+character, while the data to the right is considered the lowercase
+character. You can represent characters both by literals (if you can
+type them) and by octal, hexadecimal, or decimal Unicode equivalents.</p>
+
+<p>If you use this option, it must be listed after the
+<tt class="literal">client</tt> <tt class="literal">code</tt>
+<tt class="literal">page</tt> to which you wish to add the character.
+<a name="INDEX-30"/><a name="INDEX-31"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-4"/>
+
+<h2 class="head1">Windows Messenger Service</h2>
+
+<p>One of the odd features of SMB protocol is its ability to send text
+messages between computers. Although both the name and functionality
+are similar to that of Windows Messenger, the two are not the same.
+<a name="INDEX-32"/><a name="INDEX-33"/><a name="INDEX-34"/>Windows Messenger (also called MSN
+Messenger) is an Internet-oriented instant messenging service, while
+Windows Messenger Service is an older and simpler LAN-oriented
+service. Using the Windows Messenger Service, messages can be
+addressed to users, individual computers, or entire workgroups on the
+network.</p>
+
+<p>The <a name="INDEX-35"/>WinPopup
+tool (<em class="filename">Winpopup.exe</em>), shown in <a href="ch11.html#samba2-CHP-11-FIG-1">Figure 11-1</a>, can be used on Windows 95/98/Me to send or
+receive messages. WinPopup is a handy tool for sending messages.
+However, to receive messages, it must already be running when the
+message is sent from the remote system.</p>
+
+<div class="figure"><a name="samba2-CHP-11-FIG-1"/><img src="figs/sam2_1101.gif"/></div><h4 class="head4">Figure 11-1. Sending a message from a Windows 95/98/Me system (left); receiving a message (right)</h4>
+
+<p>On Windows NT/2000/XP, the messenger service lets you receive
+messages without having an application already running; messages will
+automatically appear in a small dialog box on the screen when
+received, as shown in <a href="ch11.html#samba2-CHP-11-FIG-2">Figure 11-2</a>.</p>
+
+<div class="figure"><a name="samba2-CHP-11-FIG-2"/><img src="figs/sam2_1102.gif"/></div><h4 class="head4">Figure 11-2. Receiving a message on a Windows 2000 system</h4>
+
+<p>To send messages, it is necessary to use the <em class="emphasis">net
+send</em> command from a command-prompt window, like this:</p>
+
+<blockquote><pre class="code">C:\&gt; <tt class="userinput"><b>net send maya &quot;Who's There?&quot;</b></tt>
+The message was successfully sent to MAYA.</pre></blockquote>
+
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-4.1"/>
+
+<h3 class="head2">Windows Messenger Service Configuration Option</h3>
+
+<p>Samba has a single option to handle Windows Messenger Service,
+<tt class="literal">message</tt> <tt class="literal">command</tt>, as shown in
+<a href="ch11.html#samba2-CHP-11-TABLE-7">Table 11-7</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-7"/><h4 class="head4">Table 11-7. Windows Messenger Service configuration option</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameter</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">message</tt> <tt class="literal">command</tt></p>
+</td>
+<td>
+<p>string (shell command)</p>
+</td>
+<td>
+<p>Sets a command to run on Unix when a WinPopup message is received</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-4.1.1"/>
+
+<h3 class="head3">message command</h3>
+
+<p>Samba's
+<tt class="literal">message</tt><a name="INDEX-36"/> <tt class="literal">command</tt>
+option defines the command that will run on the server when a Windows
+Messenger Service message arrives. The command will be executed as
+the <tt class="literal">guest</tt> <tt class="literal">account</tt> user. What to
+do with messages is questionable because most Samba hosts run as
+unattended servers. One solution is to mail the messages to root like
+this:</p>
+
+<blockquote><pre class="code">[global]
+    message command = /bin/mail -s &quot;SMB Message From %f on %m&quot; root &lt;%s; rm %s</pre></blockquote>
+
+<p>Note the use of variables here. The <tt class="literal">%s</tt> variable
+will be replaced by the name of the file in which the message
+resides. This file should be deleted when the command is finished
+with it; otherwise, a buildup of message files will collect on the
+Samba server. In addition, the command must either exit quickly or
+fork its own process (using an <tt class="literal">&amp;</tt> after the
+command); otherwise, the client might suspend and wait for
+notification that the command was sent successfully before
+continuing.</p>
+
+<p>In addition to the standard variables, <a href="ch11.html#samba2-CHP-11-TABLE-8">Table 11-8</a>
+shows the three unique variables that you can use in a
+<tt class="literal">message</tt> <tt class="literal">command</tt>.</p>
+
+<a name="samba2-CHP-11-TABLE-8"/><h4 class="head4">Table 11-8. message command variables</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Variable</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">%s</tt></p>
+</td>
+<td>
+<p>The name of the file in which the message resides</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%f</tt></p>
+</td>
+<td>
+<p>The name of the system that sent the message</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">%t</tt></p>
+</td>
+<td>
+<p>The name of the system that is the destination of the message
+<a name="INDEX-37"/><a name="INDEX-38"/><a name="INDEX-39"/></p>
+</td>
+</tr>
+
+</table>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-11-SECT-5"/>
+
+<h2 class="head1">Miscellaneous Options</h2>
+
+<p>Many Samba options are available to deal with operating system issues
+on either Unix or Windows. In particular, some of these options are
+used for setting limits for clients' use of
+resources on the Unix server. The options shown in <a href="ch11.html#samba2-CHP-11-TABLE-9">Table 11-9</a> deal with some of these issues.</p>
+
+<a name="samba2-CHP-11-TABLE-9"/><h4 class="head4">Table 11-9. Miscellaneous options</h4><table border="1">
+
+
+
+
+
+
+<tr>
+<th>
+<p>Option</p>
+</th>
+<th>
+<p>Parameters</p>
+</th>
+<th>
+<p>Function</p>
+</th>
+<th>
+<p>Default</p>
+</th>
+<th>
+<p>Scope</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p><tt class="literal">deadtime</tt></p>
+</td>
+<td>
+<p>numeric (minutes)</p>
+</td>
+<td>
+<p>Number of minutes of inactivity before a connection should be
+terminated.</p>
+</td>
+<td>
+<p><tt class="literal">0</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">dfree command</tt></p>
+</td>
+<td>
+<p>string (command)</p>
+</td>
+<td>
+<p>Used to specify a command that returns free disk space in a format
+recognized by Samba.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">fstype</tt></p>
+</td>
+<td>
+<p><tt class="literal">NTFS</tt>, <tt class="literal">FAT</tt>, or
+<tt class="literal">Samba</tt></p>
+</td>
+<td>
+<p>Filesystem type reported by the server to the client.</p>
+</td>
+<td>
+<p><tt class="literal">NTFS</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">keepalive</tt></p>
+</td>
+<td>
+<p>numeric (seconds)</p>
+</td>
+<td>
+<p>Number of seconds between checks for an inoperative client.</p>
+</td>
+<td>
+<p><tt class="literal">300</tt> (none)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max disk size</tt></p>
+</td>
+<td>
+<p>numeric (MB)</p>
+</td>
+<td>
+<p>Largest disk size to return to a client, some of which have limits.
+Does not affect actual operations on the disk.</p>
+</td>
+<td>
+<p><tt class="literal">0</tt> (infinity)</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max mux</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Maximum number of simultaneous SMB operations that clients can make.</p>
+</td>
+<td>
+<p><tt class="literal">50</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max open files</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Limits number of open files to be below Unix limits.</p>
+</td>
+<td>
+<p><tt class="literal">10000</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">max xmit</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Specifies the maximum packet size that Samba will send.</p>
+</td>
+<td>
+<p><tt class="literal">65535</tt> or <tt class="literal">16644</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">nt pipe support</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Turns off an NT/2000/XP support feature; for benchmarking or in case
+of an error.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">nt smb support</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Turns off an NT/2000/XP support feature; for benchmarking or in case
+of an error.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">ole locking</tt> <tt class="literal">compatibility</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>Remaps out-of-range lock requests used on Windows to fit in allowable
+range on Unix. Turning it off causes Unix lock errors.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">panic action</tt></p>
+</td>
+<td>
+<p>string</p>
+</td>
+<td>
+<p>Command to run if Samba server fails; for debugging.</p>
+</td>
+<td>
+<p>None</p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">set directory</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows VMS clients to issue
+<tt class="literal">set</tt> <tt class="literal">dir</tt> commands.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">status</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, allows Samba to monitor status for
+<tt class="literal">smbstatus</tt> command.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">strict sync</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">no</tt>, ignores Windows application requests to
+perform a sync-to-disk.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">sync always</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, forces all client writes to be committed
+to disk before returning from the call.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">strip dot</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, strips trailing dots from Unix filenames.</p>
+</td>
+<td>
+<p><tt class="literal">no</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">change notify timeout</tt></p>
+</td>
+<td>
+<p>numeric (seconds)</p>
+</td>
+<td>
+<p>Interval between checks when a client asks to wait for a change in a
+specified directory.</p>
+</td>
+<td>
+<p><tt class="literal">60</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">stat cache</tt></p>
+</td>
+<td>
+<p>Boolean</p>
+</td>
+<td>
+<p>If <tt class="literal">yes</tt>, Samba will cache recent name mappings.</p>
+</td>
+<td>
+<p><tt class="literal">yes</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+<tr>
+<td>
+<p><tt class="literal">stat cache size</tt></p>
+</td>
+<td>
+<p>numeric</p>
+</td>
+<td>
+<p>Number of entries in the stat cache.</p>
+</td>
+<td>
+<p><tt class="literal">50</tt></p>
+</td>
+<td>
+<p>Global</p>
+</td>
+</tr>
+
+</table>
+
+
+<div class="sect2"><a name="samba2-CHP-11-SECT-5.1"/>
+
+<a name="INDEX-40"/><h3 class="head2">deadtime</h3>
+
+<p>This global option sets the number of minutes that Samba will wait
+for an inactive client before closing its session with the Samba
+server. A client is considered inactive when it has no open files and
+no data is being sent from it. The default value for this option is
+0, which means that Samba never closes any connection, regardless of
+how long they have been inactive. This can lead to unnecessary
+consumption of the server's resources by inactive
+clients. We recommend that you override the default as follows:</p>
+
+<blockquote><pre class="code">[global]
+    deadtime = 10</pre></blockquote>
+
+<p>This tells Samba to terminate any inactive client sessions after 10
+minutes. For most networks, setting this option as such will not
+inconvenience users because reconnections from the client are
+generally performed transparently to the user. See also the
+<tt class="literal">keepalive</tt> parameter.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.1"/>
+
+<a name="INDEX-41"/><h3 class="head3">dfree command</h3>
+
+<p>This global option is used on systems that incorrectly determine the
+free space left on the disk. So far, the only confirmed system that
+needs this option set is Ultrix. There is no default value for this
+option, which means that Samba already knows how to compute the free
+disk space on its own and the results are considered reliable. You
+can override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    dfree command = /usr/local/bin/dfree</pre></blockquote>
+
+<p>This option should point to a script that returns the total disk
+space in a block and the number of available blocks. The Samba
+documentation recommends the following as a usable script:</p>
+
+<blockquote><pre class="code">#!/bin/sh
+df $1 | tail -1 | awk '{print $2&quot; &quot;$4}'</pre></blockquote>
+
+<p>On System V machines, the following will work:</p>
+
+<blockquote><pre class="code">#!/bin/sh
+/usr/bin/df $1 | tail -1 | awk '{print $3&quot; &quot;$5}'</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.2"/>
+
+<a name="INDEX-42"/><h3 class="head3">fstype</h3>
+
+<p>This share-level option sets the type of filesystem that Samba
+reports when queried by the client. Three strings can be used as a
+value to this configuration option, as listed in <a href="ch11.html#samba2-CHP-11-TABLE-10">Table 11-10</a>.</p>
+
+<a name="samba2-CHP-11-TABLE-10"/><h4 class="head4">Table 11-10. Filesystem types</h4><table border="1">
+
+
+
+<tr>
+<th>
+<p>Value</p>
+</th>
+<th>
+<p>Definition</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>NTFS</p>
+</td>
+<td>
+<p>Microsoft Windows NT filesystem</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>FAT</p>
+</td>
+<td>
+<p>DOS FAT filesystem</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Samba</p>
+</td>
+<td>
+<p>Samba filesystem</p>
+</td>
+</tr>
+
+</table>
+
+<p>The default value for this option is <tt class="literal">NTFS</tt>, which
+represents a Windows NT filesystem. There probably
+isn't a need to specify any other type of
+filesystem. However, if you need to, you can override the default
+value per share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    fstype = FAT</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.3"/>
+
+<a name="INDEX-43"/><h3 class="head3">keepalive</h3>
+
+<p>This global option specifies the number of seconds that Samba waits
+between sending NetBIOS <em class="emphasis">keepalive packets</em>. These
+packets are used to ping a client to detect whether it is still alive
+and on the network. The default value for this option is
+<tt class="literal">300</tt> (5 minutes), which you can override as
+follows:</p>
+
+<blockquote><pre class="code">[global]
+    keepalive = 600</pre></blockquote>
+
+<p>The value of <tt class="literal">600</tt> (10 minutes) is good for networks
+populated by reliable clients. If your network contains relatively
+unreliable clients, you might prefer to set
+<tt class="literal">keepalive</tt> to a lower value, such as
+<tt class="literal">30</tt>. If <tt class="literal">keepalive</tt> is set to 0,
+no NetBIOS keepalive packets will be sent. See also the
+<tt class="literal">deadtime</tt> parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.4"/>
+
+<a name="INDEX-44"/><h3 class="head3">max disk size</h3>
+
+<p>This global option specifies an illusory limit, in megabytes, for
+each share that Samba is offering. It only affects how much disk
+space Samba reports the share as having and does not prevent more
+disk space from actually being available for use. You would typically
+set this option to prevent clients with older operating
+systems&mdash;or running buggy applications&mdash;from being confused
+by large disk spaces. For example, some older Windows applications
+become confused when they encounter a share larger than 1 gigabyte.
+To work around this problem, <tt class="literal">max</tt>
+<tt class="literal">disk</tt> <tt class="literal">size</tt> can be set as
+follows:</p>
+
+<blockquote><pre class="code">[global]
+    max disk size = 1000</pre></blockquote>
+
+<p>The default value for this option is <tt class="literal">0</tt>, which
+means there is no upper limit.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.5"/>
+
+<a name="INDEX-45"/><h3 class="head3">max mux</h3>
+
+<p>This global option specifies the maximum number of concurrent SMB
+operations Samba allows. The default value for this option is
+<tt class="literal">50</tt>. You can override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    max mux = 100</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.6"/>
+
+<a name="INDEX-46"/><h3 class="head3">max open files</h3>
+
+<p>This global option specifies the maximum number of open files that
+Samba should allow at any given time for all processes. This value
+must be equal to or less than the amount allowed by the operating
+system, which varies from system to system. The default value for
+this option is <tt class="literal">10000</tt>. You can override it as
+follows:</p>
+
+<blockquote><pre class="code">[global]
+    max open files = 8000</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.7"/>
+
+<a name="INDEX-47"/><h3 class="head3">max xmit</h3>
+
+<p>This global option sets the maximum size of packets that Samba
+exchanges with a client. In rare cases, setting a smaller maximum
+packet size can increase performance, especially with Windows for
+Workgroups. In Samba versions up to 2.2.5, the default value for this
+option is <tt class="literal">65535</tt>. In 2.2.7 and later versions, the
+default was changed to <tt class="literal">16644</tt> to match the behavior
+of Windows 2000 and improve support for Windows NT 4.0. You can
+override the default as follows:</p>
+
+<blockquote><pre class="code">[global]
+    max xmit = 4096</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.8"/>
+
+<a name="INDEX-48"/><h3 class="head3">nt pipe support</h3>
+
+<p>This global option is used by developers to allow or disallow Windows
+NT/2000/XP clients the ability to make connections to
+<a name="INDEX-49"/>NT-specific SMB IPC$ pipes. As a user, you
+should never need to override the default:</p>
+
+<blockquote><pre class="code">[global]
+    nt pipe support = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.9"/>
+
+<a name="INDEX-50"/><h3 class="head3">nt smb support</h3>
+
+<p>This global option is used by developers to negotiate NT-specific SMB
+options with Windows NT/2000/XP clients. The Samba Team has
+discovered that slightly better performance comes from setting this
+value to <tt class="literal">no</tt>. However, as a user, you should
+probably not override the default:</p>
+
+<blockquote><pre class="code">[global]
+    nt smb support = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.10"/>
+
+<a name="INDEX-51"/><h3 class="head3">ole locking compatibility</h3>
+
+<p>This global option turns off Samba's internal
+byte-range locking manipulation in files, which gives compatibility
+with Object Linking and Embedding (OLE) applications that use high
+byte-range locks as a method of interprocess communication. The
+default value for this option is <tt class="literal">yes</tt>. If you trust
+your Unix locking mechanisms, you can override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    ole locking compatibility = no</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.11"/>
+
+<a name="INDEX-52"/><h3 class="head3">panic action</h3>
+
+<p>This global option specifies a command to execute in the event that
+Samba encounters a fatal error when loading or running. There is no
+default value for this option. You can specify an action as follows:</p>
+
+<blockquote><pre class="code">[global]
+    panic action = /bin/csh -c
+          'xedit &lt;&lt;: &quot;Samba has shutdown unexpectedly&quot;;:'</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.12"/>
+
+<a name="INDEX-53"/><h3 class="head3">set directory</h3>
+
+<p>This Boolean share-level option allows <a name="INDEX-54"/>Digital Pathworks clients to
+use the <em class="emphasis">setdir</em> command to change directories on
+the server. If you are not using the Digital Pathworks client, you
+should not need to alter this option. The default value for this
+option is <tt class="literal">no</tt>. You can override it per share as
+follows:</p>
+
+<blockquote><pre class="code">[data]
+    set directory = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.13"/>
+
+<a name="INDEX-55"/><h3 class="head3">status</h3>
+
+<p>This global option indicates whether Samba should log all active
+connections to a status file. This file is used only by the
+<em class="emphasis">smbstatus</em> command. If you have no intentions of
+using this command, you can set this option to <tt class="literal">no</tt>,
+which can result in a small increase of speed on the server. The
+default value for this option is <tt class="literal">yes</tt>. You can
+override it as follows:</p>
+
+<blockquote><pre class="code">[global]
+    status = no</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.14"/>
+
+<a name="INDEX-56"/><h3 class="head3">strict sync</h3>
+
+<p>This share-level option determines whether Samba honors all requests
+to perform a disk sync when requested to do so by a client. Many
+Windows clients request a disk sync when they are really just trying
+to flush data to their own open files. In this case, a disk sync is
+generally unnecessary on Unix due to its high reliability, and it
+mostly has the effect of substantially reducing the performance of
+the Samba host system. The default value for this option is
+<tt class="literal">no</tt>, which allows the superfluous disk sync
+requests to be ignored. You can override the default as follows:</p>
+
+<blockquote><pre class="code">[data]
+    strict sync = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.15"/>
+
+<a name="INDEX-57"/><h3 class="head3">sync always</h3>
+
+<p>This share-level option decides whether every write to disk should be
+followed by a disk synchronization before the write call returns
+control to the client. Even if the value of this option is
+<tt class="literal">no</tt>, clients can request a disk synchronization;
+see the earlier <tt class="literal">strict</tt> <tt class="literal">sync</tt>
+option. The default value for this option is <tt class="literal">no</tt>.
+You can override it per share as follows:</p>
+
+<blockquote><pre class="code">[data]
+    sync always = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.16"/>
+
+<a name="INDEX-58"/><h3 class="head3">strip dot</h3>
+
+<p>This global option determines whether to remove the trailing dot from
+Unix filenames that are formatted with a dot at the end. The default
+value for this option is <tt class="literal">no</tt>. You can override it
+per share as follows:</p>
+
+<blockquote><pre class="code">[global]
+    strip dot = yes</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.17"/>
+
+<h3 class="head3">change notify timeout</h3>
+
+<p>The <tt class="literal">change</tt><a name="INDEX-59"/>
+<tt class="literal">notify</tt> <tt class="literal">timeout</tt> global option
+emulates a Windows NT/2000 SMB feature called <em class="firstterm">change
+notification</em><a name="INDEX-60"/>. This allows a client to request
+that a Windows NT/2000 server periodically monitor a specific
+directory on a share for any changes. If changes occur, the server
+will notify the client.</p>
+
+<p>Samba performs this function for its clients at an interval that
+defaults to 1 minute (60 seconds). Performing these checks too often
+can slow down the server considerably; however, you can use this
+option to specify an alternate time that Samba should wait between
+performing checks:</p>
+
+<blockquote><pre class="code">[global]
+    change notify timeout = 30</pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.18"/>
+
+<h3 class="head3">stat cache</h3>
+
+<p>The <tt class="literal">stat</tt><a name="INDEX-61"/> <tt class="literal">cache</tt> global
+option turns on caching of recent case-insensitive name mappings. The
+default is <tt class="literal">yes</tt>. The Samba Team recommends that you
+never change this parameter.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-11-SECT-5.1.19"/>
+
+<h3 class="head3">stat cache size</h3>
+
+<p>The <tt class="literal">stat</tt><a name="INDEX-62"/> <tt class="literal">cache</tt>
+<tt class="literal">size</tt> global option sets the number of cache
+entries to be used for the <tt class="literal">stat</tt>
+<tt class="literal">cache</tt> option. The default here is
+<tt class="literal">50</tt>. Again, the Samba Team recommends that you
+never change this parameter.</p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/ch12.html b/docs/htmldocs/using_samba/ch12.html
new file mode 100644
index 0000000000..6ba643fe73
--- /dev/null
+++ b/docs/htmldocs/using_samba/ch12.html
@@ -0,0 +1,3341 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 12. Troubleshooting Samba</h1>
+
+
+<p><a name="INDEX-1"/><a name="INDEX-2"/>Samba is extremely robust. Once you have
+everything set up the way you want, you'll probably
+forget that it is running. When trouble occurs, it's
+typically during installation or when you're trying
+to reconfigure the server. Fortunately, a wide variety of resources
+are available to diagnose these troubles. While we
+can't describe in detail the solution to every
+problem you might encounter, you should be able to get a good start
+at resolving the problem by following the advice given in this
+chapter.</p>
+
+<p>The first section of this chapter lists the tool bag, a collection of
+tools available for troubleshooting Samba; the second section is a
+detailed how-to; the last section lists extra resources to track down
+particularly stubborn problems.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-12-SECT-1"/>
+
+<h2 class="head1">The Tool Box</h2>
+
+<p><a name="INDEX-3"/><a name="INDEX-4"/>Sometimes Unix
+seems to be made up of a grab bag of applications and tools. There
+are tools to troubleshoot tools. And of course, there are several
+ways to accomplish the same task. When trying to solve a problem
+related to Samba, a good plan of attack is to use the following:</p>
+
+<ul><li>
+<p>Samba logs</p>
+</li><li>
+<p>Samba test utilities</p>
+</li><li>
+<p>Unix utilities</p>
+</li><li>
+<p>Fault tree</p>
+</li><li>
+<p>Documentation and FAQs</p>
+</li><li>
+<p>Samba newsgroups</p>
+</li><li>
+<p>Searchable mailing list archives</p>
+</li></ul>
+<p>Let's go over each of these one-by-one in the
+following sections.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-1.1"/>
+
+<h3 class="head2">Samba Logs</h3>
+
+<p><a name="INDEX-5"/><a name="INDEX-6"/>Your first line of attack should always
+be to check the log files. The Samba log files can help diagnose the
+vast majority of the problems faced by beginning- to
+intermediate-level Samba administrators. Samba is quite flexible when
+it comes to logging. You can set up the server to log as little or as
+much information as you want. Using substitution variables in the
+Samba configuration file allows you to isolate individual logs for
+each system, share, or combination thereof.</p>
+
+<p>Logs are placed in <em class="filename">/usr/local/samba/var/smbd.log</em>
+and <em class="filename">/usr/local/samba/var/nmbd.log</em> by default.
+You can specify a log directory to use with the
+<em class="emphasis">-l</em> flag on the command line when starting the
+Samba daemons. For example:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbd -l /var/log/samba</b></tt>
+# <tt class="userinput"><b>nmbd -l /var/log/samba</b></tt></pre></blockquote>
+
+<p>Alternatively, you can override the location and name using the
+<tt class="literal">log</tt><a name="INDEX-7"/> <tt class="literal">file</tt> configuration
+option in <em class="filename">smb.conf</em>. This option accepts all the
+substitution variables, so you could easily have the server keep a
+separate log for each connecting client system by specifying the
+following:</p>
+
+<blockquote><pre class="code">[global]
+    log file = %m.log</pre></blockquote>
+
+<p>Another useful trick is to have the server keep a log for each
+service (share) that is offered, especially if you suspect a
+particular share is causing trouble. To do this, use the
+<tt class="literal">%S</tt> variable, like this:</p>
+
+<blockquote><pre class="code">[global]
+    log file = %S.log</pre></blockquote>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.1"/>
+
+<h3 class="head3">Log levels</h3>
+
+<p><a name="INDEX-8"/>The level of logging that Samba uses
+can be set in the <em class="filename">smb.conf</em> file using the global
+<tt class="literal">log</tt> <tt class="literal">level</tt> or
+<tt class="literal">debug</tt> <tt class="literal">level</tt> option; they are
+equivalent. The logging level is an integer that can range from 0 to
+10. At level 0, no logging is done. Higher values result in more
+voluminous logging. For example, let's assume that
+we will use a Windows client to browse a directory on a Samba server.
+For a small amount of log information, you can use
+<tt class="literal">log</tt> <tt class="literal">level</tt> <tt class="literal">=</tt>
+<tt class="literal">1</tt>, which instructs Samba to show only cursory
+information, in this case only the connection itself:</p>
+
+<blockquote><pre class="code">05/25/02 22:02:11 server (192.168.236.86) connect to service public as user pcguest 
+(uid=503,gid=100) (pid 3377)</pre></blockquote>
+
+<p>Higher debug levels produce more detailed information. Usually, you
+won't need more than level 3, which is fully
+adequate for most Samba administrators. Levels above 3 are used by
+the developers and dump enormous amounts of cryptic information.</p>
+
+<p>Here is an example of output at levels 2 and 3 for the same
+operation. Don't worry if you don't
+understand the intricacies of an SMB connection; the point is simply
+to show you what types of information are shown at the different
+<a name="INDEX-9"/>logging levels:</p>
+
+<blockquote><pre class="code"> /* Level 2 */
+Got SIGHUP
+Processing section &quot;[homes]&quot;
+Processing section &quot;[public]&quot;
+Processing section &quot;[temp]&quot;
+Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
+Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/
+
+
+/* Level 3 */
+05/25/02 22:15:09 Transaction 63 of length 67
+switch message SMBtconX (pid 3377)
+Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
+ACCEPTED: guest account and guest ok
+found free connection number 105
+Connect path is /tmp
+chdir to /tmp
+chdir to /
+05/25/02 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest 
+(uid=503,gid=100) (pid 3377)
+05/25/02 22:15:09 tconX service=ipc$ user=pcguest cnum=105
+05/25/02 22:15:09 Transaction 64 of length 99
+switch message SMBtrans (pid 3377)
+chdir to /tmp
+trans &lt;\PIPE\LANMAN&gt; data=0 params=19 setup=0
+Got API command 0 of form &lt;WrLeh&gt; &lt;B13BWz&gt; (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
+Doing RNetShareEnum
+RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
+05/25/02 22:15:11 Transaction 65 of length 99
+switch message SMBtrans (pid 3377)
+chdir to /
+chdir to /tmp
+trans &lt;\PIPE\LANMAN&gt; data=0 params=19 setup=0
+Got API command 0 of form &lt;WrLeh&gt; &lt;B13BWz&gt; (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
+Doing RNetShareEnum
+RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
+05/25/02 22:15:11 Transaction 66 of length 95
+switch message SMBtrans2 (pid 3377)
+chdir to /
+chdir to /pcdisk/public
+call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end 
+= 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432
+unix_clean_name [./DESKTOP.INI]
+unix_clean_name [desktop.ini]
+unix_clean_name [./]
+creating new dirptr 1 for path ./, expect_close = 1
+05/25/02 22:15:11 Transaction 67 of length 53
+switch message SMBgetatr (pid 3377)
+chdir to /
+
+<i class="lineannotation">[... deleted ...]</i></pre></blockquote>
+
+<p>We cut off this listing after the first packet because it runs on for
+many pages. However, be aware that log levels above 3 will quickly
+consume disk space with megabytes of excruciating detail concerning
+Samba's internal operations. Log level 3 is
+extremely useful for following exactly what the server is doing, and
+most of the time it will be obvious where an error occurs by glancing
+through the log file.</p>
+
+<p>Using a high log level (3 or above) will
+<em class="emphasis">seriously</em> slow down the Samba server. Remember
+that every log message generated causes a write to disk (an
+inherently slow operation) and log levels greater than 2 produce
+massive amounts of data. Essentially, you should turn on logging
+level 3 only when you're actively tracking a problem
+in the Samba server. <a name="INDEX-10"/></p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.2"/>
+
+<h3 class="head3">Activating and deactivating logging</h3>
+
+<p><a name="INDEX-11"/><a name="INDEX-12"/>To turn logging on and off,
+set the appropriate level in the <tt class="literal">[global]</tt> section
+of <em class="filename">smb.conf</em>. Then, you can either restart Samba
+or force the current daemon to reprocess the configuration file by
+sending it a hangup (HUP) signal. You also can send the
+<em class="emphasis">smbd</em> process a SIGUSR1 signal to increase its
+log level by one while it's running, like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR1 1234</b></tt></pre></blockquote>
+
+<p>or a SIGUSR2 signal to decrease it by one:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR2 1234</b></tt></pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.3"/>
+
+<h3 class="head3">Logging by individual client systems or users</h3>
+
+<p>An effective way to diagnose problems without hampering other users
+is to assign different log levels for different systems in the
+<tt class="literal">[global]</tt> section of the
+<em class="filename">smb.conf</em> file. We can do this by building on the
+strategy we presented earlier:</p>
+
+<blockquote><pre class="code">[global]
+    log level = 0
+    log file = /usr/local/samba/var/log.%m
+    include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
+
+<p>These options instruct Samba to use unique configuration and log
+files for each client that connects. Now all you have to do is create
+an <em class="filename">smb.conf</em> file for a specific client system
+with a <tt class="literal">log</tt> <tt class="literal">level</tt>
+<tt class="literal">=</tt> <tt class="literal">3</tt> entry in it (the others
+will pick up the default log level of 0) and use that log file to
+track down the problem.</p>
+
+<p>Similarly, if only particular users are experiencing a
+problem&mdash;and it travels from system to system with
+them&mdash;you can isolate logging to a specific user by adding the
+following to the <em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[global]
+    log level = 0
+    log file = /usr/local/samba/var/log.%u
+    include = /usr/local/samba/lib/smb.conf.%u</pre></blockquote>
+
+<p>Then you can create a unique <em class="filename">smb.conf</em> file for
+each user you wish to monitor (e.g.,
+<em class="filename">/usr/local/samba/lib/smb.conf.tim</em>). Files
+containing the configuration option <tt class="literal">log</tt>
+<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">3</tt>
+and only those users will get more detailed logging.<a name="INDEX-13"/><a name="INDEX-14"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-1.2"/>
+
+<h3 class="head2">Samba Test Utilities</h3>
+
+<p><a name="INDEX-15"/><a name="INDEX-16"/>A rigorous set of tests that exercise
+the major parts of Samba are described in various files in the
+<em class="emphasis">/docs/textdocs</em> directory of the Samba
+distribution kit, starting with <em class="emphasis">DIAGNOSIS.txt</em>.
+The fault tree in this chapter is a more detailed version of the
+basic tests suggested by the Samba Team, but it covers only
+installation and reconfiguration diagnosis, such as
+<em class="emphasis">DIAGNOSIS.txt</em>. The other files in the
+<em class="emphasis">/docs</em> subdirectories address specific problems
+and instruct you how to troubleshoot items not included in this book.
+If the fault tree doesn't suffice, be sure to look
+at
+<em class="emphasis">DIAGNOSIS.txt</em><a name="INDEX-17"/>
+and its friends.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-1.3"/>
+
+<h3 class="head2">Unix Utilities</h3>
+
+<p>Sometimes it's useful to use a tool outside the
+Samba suite to examine what's happening inside the
+server. Three diagnostic tools can be of particular help in debugging
+Samba troubles: <em class="emphasis">trace</em>,
+<em class="emphasis">tcpdump</em>, and <em class="emphasis">Ethereal</em>.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.1"/>
+
+<h3 class="head3">Using trace</h3>
+
+<p>The <em class="emphasis">trace</em><a name="INDEX-18"/> command masquerades under several
+different names, depending on the operating system you are using. On
+Linux it will be
+<em class="emphasis">strace</em><a name="INDEX-19"/>; on Solaris you'll use
+<em class="emphasis">truss</em><a name="INDEX-20"/>; SGI will have
+<em class="emphasis">padc</em><a name="INDEX-21"/> and
+<em class="emphasis">par</em><a name="INDEX-22"/>; and HP-UX will have
+<em class="emphasis">trace</em> or
+<em class="emphasis">tusc</em><a name="INDEX-23"/>. All have essentially the same
+function, which is to display each operating system function call as
+it is executed. This allows you to follow the execution of a program,
+such as the Samba server, and often pinpoints the exact call that is
+causing the difficulty.</p>
+
+<p>One problem that <em class="emphasis">trace</em> can highlight is an
+incorrect version of a dynamically linked library. This can happen if
+you've downloaded prebuilt binaries of Samba.
+You'll typically see the offending call at the end
+of the <em class="emphasis">trace</em>, just before the program
+terminates.</p>
+
+<p>A sample <em class="emphasis">strace</em> output for the Linux operating
+system follows. This is a small section of a larger file created
+during the opening of a directory on the Samba server. Each line
+lists a system call and includes its parameters and the return value.
+If there was an error, the error value (e.g.,
+<tt class="literal">ENOENT</tt>) and its explanation are also shown. You
+can look up the parameter types and the errors that can occur in the
+appropriate <em class="emphasis">trace</em> manual page for the operating
+system you are using.</p>
+
+<blockquote><pre class="code">chdir(&quot;/pcdisk/public&quot;)                 = 0
+stat(&quot;mini/desktop.ini&quot;, 0xbffff7ec)    = -1 ENOENT (No such file or directory)
+stat(&quot;mini&quot;, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
+stat(&quot;mini/desktop.ini&quot;, 0xbffff7ec)    = -1 ENOENT (No such file or directory)
+open(&quot;mini&quot;, O_RDONLY)                  = 5
+fcntl(5, F_SETFD, FD_CLOEXEC)           = 0
+fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
+lseek(5, 0, SEEK_CUR)                   = 0
+SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196
+lseek(5, 0, SEEK_CUR)                   = 1024
+SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0
+close(5)                                = 0
+stat(&quot;mini/desktop.ini&quot;, 0xbffff86c)    = -1 ENOENT (No such file or directory)
+write(3, &quot;\0\0\0#\377SMB\10\1\0\2\0\200\1\0&quot;..., 39) = 39
+SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1
+read(3, &quot;\0\0\0?&quot;, 4)                   = 4
+read(3, &quot;\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0&quot;..., 63) = 63
+time(NULL)                              = 896143871</pre></blockquote>
+
+<p>This example shows several <em class="emphasis">stat() calls</em> failing
+to find the files they were expecting. You don't
+have to be an expert to see that the file
+<em class="emphasis">desktop.ini</em> is missing from that directory. In
+fact, many difficult problems can be identified by looking for
+obvious, repeatable errors with <em class="emphasis">trace</em>. Often,
+you need not look further than the last message before a crash.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.2"/>
+
+<h3 class="head3">Using tcpdump</h3>
+
+<p>The <em class="emphasis">tcpdump</em><a name="INDEX-24"/> program, as extended by Andrew
+<a name="INDEX-25"/>Tridgell,
+allows you to monitor SMB <a name="INDEX-26"/>network
+traffic in real time. A variety of output formats are available, and
+you can filter the output to look at only a particular type of
+traffic. You can examine all conversations between client and server,
+including SMB and NMB broadcast messages. While its troubleshooting
+capabilities lie mainly at the OSI network layer, you can still use
+its output to get a general idea of what the server and client are
+attempting to do.</p>
+
+<p>A sample <em class="emphasis">tcpdump</em> log follows. In this instance,
+the client has requested a directory listing, and the server has
+responded appropriately, giving the directory names
+<tt class="literal">homes</tt>, <tt class="literal">public</tt>,
+<tt class="literal">IPC$</tt>, and <tt class="literal">temp</tt>
+(we've added a few explanations on the right):</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>tcpdump -v -s 255 -i eth0 port not telnet</b></tt>
+SMB PACKET: SMBtrans (REQUEST)                <i class="lineannotation"> Request packet</i>
+SMB Command   =  0x25                         <i class="lineannotation">Request was ls or dir</i>
+
+[000] 01 00 00 10                             <i class="lineannotation">....</i>
+
+
+&gt;&gt;&gt; NBT Packet                                <i class="lineannotation">Outer frame of SMB packet</i>
+NBT Session Packet
+Flags=0x0
+Length=226
+[lines skipped]
+                         
+SMB PACKET: SMBtrans (REPLY)                  <i class="lineannotation">Beginning of a reply to  request</i>
+SMB Command   =  0x25                         <i class="lineannotation">Command was an ls or dir</i>
+Error class   =  0x0             
+Error code    =  0                            <i class="lineannotation">No errors</i>
+Flags1        =  0x80
+Flags2        =  0x1
+Tree ID       =  105
+Proc ID       =  6075
+UID           =  100
+MID           =  30337
+Word Count    =  10
+TotParamCnt=8 
+TotDataCnt=163 
+Res1=0
+ParamCnt=8 
+ParamOff=55 
+Res2=0 
+DataCnt=163 
+DataOff=63 
+Res3=0
+Lsetup=0
+Param Data: (8 bytes)
+[000] 00 00 00 00 05 00 05 00                           ........ 
+
+Data Data: (135 bytes)                        <i class="lineannotation">Actual directory contents:</i>
+[000] 68 6F 6D 65 73 00 00 00  00 00 00 00 00 00 00 00  homes... ........
+[010] 64 00 00 00 70 75 62 6C  69 63 00 00 00 00 00 00  d...publ ic......
+[020] 00 00 00 00 75 00 00 00  74 65 6D 70 00 00 00 00  ....u... temp....
+[030] 00 00 00 00 00 00 00 00  76 00 00 00 49 50 43 24  ........ v...IPC$
+[040] 00 00 00 00 00 00 00 00  00 00 03 00 77 00 00 00  ........ ....w...
+[050] 64 6F 6E 68 61 6D 00 00  00 00 00 00 00 00 00 00  donham.. ........
+[060] 92 00 00 00 48 6F 6D 65  20 44 69 72 65 63 74 6F  ....Home  Directo
+[070] 72 69 65 73 00 00 00 49  50 43 20 53 65 72 76 69  ries...I PC Servi
+[080] 63 65 20 28 53 61 6D                              ce (Sam</pre></blockquote>
+
+<p>This is more of the same debugging session as we saw before with the
+<em class="emphasis">trace</em> command: the listing of a directory. The options
+we used were <em class="emphasis">-v</em> (verbose), <em class="emphasis">-i
+eth0</em> to tell <em class="emphasis">tcpdump</em> on which
+interface to listen (an Ethernet port), and <em class="emphasis">-s
+255</em> to tell it to save the first 255 bytes of each packet
+instead of the default: the first 68. The option
+<tt class="literal">port</tt> <tt class="literal">not</tt>
+<tt class="literal">telnet</tt> is used to avoid screens of telnet traffic,
+because we were logged in to the server remotely. The
+<em class="emphasis">tcpdump</em> program actually has quite a number of
+options to filter just the traffic you want to look at. If
+you've used <em class="emphasis">snoop</em> or
+<em class="emphasis">etherdump</em>, it will look vaguely familiar.</p>
+
+<p>You can download the modified <em class="emphasis">tcpdump</em> from the
+Samba FTP server, located at
+<a href="ftp://samba.anu.edu.au/pub/samba/tcpdump-smb">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</a>.
+Other versions might not include support for the SMB protocol; if you
+don't see output such as that shown in the example,
+you'll need to use the SMB-enabled version.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.3"/>
+
+<h3 class="head3">Using Ethereal</h3>
+
+<p><a name="INDEX-27"/>Ethereal (<a href="http://www.ethereal.com">http://www.ethereal.com</a>) is a GUI-based
+utility that performs the same basic function as
+<em class="emphasis">tcpdump</em>. You might prefer Ethereal because it is
+much easier to use. Once you have Ethereal running, just do the
+following:</p>
+
+<ol><li>
+<p>Select Start from the Capture menu.</p>
+</li><li>
+<p>Click the OK button in the dialog box that appears. This will bring
+up a dialog box showing how many packets Ethereal has seen. Perform
+the actions on the system(s) in your network to reproduce the problem
+you are analyzing.</p>
+</li><li>
+<p>Click the Stop button in the Ethereal dialog box to make it finish
+collecting data.</p>
+</li><li>
+<p>In the main Ethereal window, click any item in the upper window to
+view it in the lower window. In the lower window, click any of the
+boxes containing a plus sign (<tt class="literal">+</tt>) to expand the
+view.</p>
+</li></ol>
+<p>Ethereal does a good job of translating the content of the packets it
+encounters into human-readable format, and you should have little
+trouble seeing what happened on the network during the capture
+period. <a name="INDEX-28"/><a name="INDEX-29"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-12-SECT-2"/>
+
+<h2 class="head1">The Fault Tree</h2>
+
+<p><a name="INDEX-30"/><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>The fault
+tree presented in this section is for diagnosing and fixing problems
+that occur when you're installing and reconfiguring
+Samba. It's an expanded form of the trouble and
+diagnostic document <em class="filename">DIAGNOSIS.txt</em>, which is part
+of the Samba distribution.</p>
+
+<p>Before you set out to troubleshoot any part of the Samba suite, you
+should know the following information:</p>
+
+<ul><li>
+<p>Your client IP address (we use 192.168.236.10)</p>
+</li><li>
+<p>Your server IP address (we use 192.168.236.86)</p>
+</li><li>
+<p>The netmask for your network (typically 255.255.255.0)</p>
+</li><li>
+<p>Whether the systems are all on the same subnet (ours are)</p>
+</li></ul>
+<p>For clarity, we've renamed the server in the
+following examples to <tt class="literal">server.example.com</tt>, and the
+client system to <tt class="literal">client.example.com</tt>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.1"/>
+
+<h3 class="head2">How to Use the Fault Tree</h3>
+
+<p>Start the tests here, without skipping forward; it
+won't take long (about 5 minutes) and might actually
+save you time backtracking. Whenever a test succeeds, you will be
+given a name of a section to which you can safely skip.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.2"/>
+
+<h3 class="head2">Troubleshooting Low-Level IP</h3>
+
+<p><a name="INDEX-34"/>The
+first series of tests is that of the low-level services that Samba
+needs to run. The tests in this section verify that:</p>
+
+<ul><li>
+<p>The IP software works</p>
+</li><li>
+<p>The Ethernet hardware works</p>
+</li><li>
+<p>Basic name service is in place</p>
+</li></ul>
+<p>Subsequent sections add TCP software, the Samba daemons
+<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>, host-based
+access control, authentication and per-user access control, file
+services, and browsing. The tests are described in considerable
+detail to make them understandable by both technically oriented end
+users and experienced systems and network administrators.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.1"/>
+
+<h3 class="head3">Testing the networking software with ping</h3>
+
+<p><a name="INDEX-35"/>The first command to enter
+on both the server and the client is
+<tt class="literal">ping</tt><a name="INDEX-36"/><a name="INDEX-37"/>
+<tt class="literal">127.0.0.1</tt>. This pings the loopback address and
+indicates whether any networking support is functioning. On Unix, you
+can use <tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> with the
+statistics option and interrupt it after a few lines. On Sun
+workstations, the command is typically
+<tt class="literal">/usr/etc/ping</tt> <tt class="literal">-s</tt>
+<tt class="literal">127.0.0.1</tt>; on Linux, just <tt class="literal">ping</tt>
+<tt class="literal">127.0.0.1</tt>. On Windows clients, run
+<tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> in an MS-DOS
+(command prompt) window, and it will stop by itself after four lines.</p>
+
+<p>Here is an example on a Linux server:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping 127.0.0.1 </b></tt>
+PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): 
+icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1): 
+icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): 
+icmp-seq=2. time=1. ms ^C 
+----127.0.0.1 PING Statistics---- 
+3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)  
+min/avg/max = 0/0/1</pre></blockquote>
+
+<p>If you get &quot;ping: no answer from . . .
+&quot; or &quot;100% packet
+loss,&quot; you have no IP networking installed on the
+system. The address <tt class="literal">127.0.0.1</tt> is the internal
+loopback address and doesn't depend on the computer
+being physically connected to a network. If this test fails, you have
+a serious local problem. TCP/IP either isn't
+installed or is seriously misconfigured. See your operating system
+documentation if it's a Unix server. If
+it's a Windows client, follow the instructions in
+<a href="ch03.html">Chapter 3</a> to install networking support.</p>
+
+<a name="samba2-CHP-12-NOTE-155"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If <em class="emphasis">you're</em> the network manager,
+some good references are Craig Hunt's
+<em class="emphasis">TCP/IP Network Administration</em>, Chapter 11, and Craig Hunt and Robert Bruce
+Thompson's <em class="emphasis">Windows NT TCP/IP Network
+Administration</em>, both published by
+O'Reilly.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.2"/>
+
+<h3 class="head3">Testing local name services with ping</h3>
+
+<p><a name="INDEX-38"/>Next, try to ping
+<tt class="literal">localhost</tt> on the Samba server. The
+<tt class="literal">localhost</tt> hostname is the conventional hostname
+for the <tt class="literal">127.0.0.1</tt> loopback interface, and it
+should resolve to that address. After typing <tt class="literal">ping</tt>
+<tt class="literal">localhost</tt>, you should see output similar to the
+following:</p>
+
+<blockquote><pre class="code">$  <tt class="userinput"><b>ping localhost  </b></tt>
+PING localhost: 56 data bytes  64 bytes from localhost (127.0.0.1):
+icmp-seq=0. time=0. ms  64 bytes from localhost (127.0.0.1): 
+icmp-seq=1. time=0. ms  64 bytes from localhost (127.0.0.1): 
+icmp-seq=2. time=0. ms  ^C</pre></blockquote>
+
+<p>If this succeeds, try the same test on the client. Otherwise:</p>
+
+<ul><li>
+<p>If you get &quot;unknown host:
+localhost,&quot; there is a problem resolving the
+hostname <em class="filename">localhost</em> into a valid IP address.
+(This might be as simple as a missing entry in a local
+<em class="emphasis">hosts</em> file.) From here, skip down to
+<a href="ch03.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a> later in this chapter.</p>
+</li><li>
+<p>If you get &quot;ping: no answer,&quot; or
+&quot;100% packet loss,&quot; but pinging
+<tt class="literal">127.0.0.1</tt> worked, name services is resolving to an
+address, but it isn't the correct one. Check the
+file or database (typically <em class="filename">/etc/hosts</em> on a Unix
+system) that the name service is using to resolve addresses to ensure
+that the entry is correct.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.3"/>
+
+<h3 class="head3">Testing the networking hardware with ping</h3>
+
+<p><a name="INDEX-39"/>Next, ping the
+server's network IP address from itself. This should
+get you exactly the same results as pinging
+<tt class="literal">127.0.0.1</tt>:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping 192.168.236.86 </b></tt>
+PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86): 
+icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86): 
+icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86): 
+icmp-seq=2. time=1. ms ^C 
+----192.168.236.86 PING Statistics---- 
+3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)  
+min/avg/max = 0/0/1</pre></blockquote>
+
+<p>If this works on the server, repeat it for the client. Otherwise:</p>
+
+<ul><li>
+<p>If <tt class="literal">ping</tt> <em class="replaceable">network_ip</em>
+fails on either the server or client, but <tt class="literal">ping</tt>
+<tt class="literal">127.0.0.1</tt> works on that system, you have a TCP/IP
+problem that is specific to the Ethernet network interface card on
+the computer. Check with the documentation for the network card or
+host operating system to determine how to configure it correctly.
+However, be aware that on some operating systems, the
+<em class="emphasis">ping</em> command appears to work even if the network
+is disconnected, so this test doesn't always
+diagnose all hardware problems.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.4"/>
+
+<h3 class="head3">Testing connections with ping</h3>
+
+<p><a name="INDEX-40"/>Now, ping the server by name (instead
+of its IP address)&mdash;once from the server and once from the
+client. This is the general test for working network hardware:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping server </b></tt>
+PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86): 
+icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86): 
+icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86): 
+icmp-seq=2. time=1. ms ^C 
+----server.example.com PING Statistics---- 
+3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)  
+min/avg/max = 0/0/1</pre></blockquote>
+
+<p>If successful, this test tells us five things:</p>
+
+<ul><li>
+<p>The hostname (e.g., <tt class="literal">server</tt>) is being found by your
+local name server.</p>
+</li><li>
+<p>The hostname has been expanded to the full name (e.g.,
+<tt class="literal">server.example.com</tt>).</p>
+</li><li>
+<p>Its address is being returned (<tt class="literal">192.168.236.86</tt>).</p>
+</li><li>
+<p>The client has sent the Samba server four 56-byte UDP/IP packets.</p>
+</li><li>
+<p>The Samba server has replied to all four packets.</p>
+</li></ul>
+<p>If this test isn't successful, one of several things
+can be wrong with the network:</p>
+
+<ul><li>
+<p>First, if you get <tt class="literal">ping</tt>: <tt class="literal">no</tt>
+<tt class="literal">answer</tt>, or <tt class="literal">100%</tt>
+<tt class="literal">packet</tt> <tt class="literal">loss</tt>,
+you're not connecting to the network, the other
+system isn't connecting, or one of the addresses is
+incorrect. Check the addresses that the <em class="emphasis">ping</em>
+command reports on each system, and ensure that they match the ones
+you set up initially.</p>
+
+<p>If not, there is at least one mismatched address between the two
+systems. Try entering the command <tt class="literal">arp</tt>
+<tt class="literal">-a</tt>, and see if there is an entry for the other
+system. (The <em class="emphasis">arp</em> command stands for the Address
+Resolution Protocol. The <tt class="literal">arp</tt> <tt class="literal">-a</tt>
+command lists all the addresses known on the local system.) Here are
+some things to try:</p>
+<ul><li>
+<p>If you receive a message like <tt class="literal">192.168.236.86</tt>
+<tt class="literal">at</tt> <tt class="literal">(incomplete)</tt>, the Ethernet
+address of 192.168.236.86 is unknown. This indicates a complete lack
+of connectivity, and you're likely having a problem
+at the very bottom of the TCP/IP protocol stack&mdash;the Ethernet
+interface layer. This is discussed in Chapters 5 and 6 of
+<em class="citetitle">TCP/IP Network Administration
+</em>(O'Reilly).</p>
+</li><li>
+<p>If you receive a response similar to server
+<tt class="literal">(192.168.236.86)</tt> <tt class="literal">at</tt>
+<tt class="literal">8:0:20:12:7c:94</tt>, the server has been reached at
+some time, or another system is answering on its behalf. However,
+this means that <em class="emphasis">ping</em> should have worked: you may
+have an intermittent networking or ARP problem.</p>
+</li><li>
+<p>If the IP address from ARP doesn't match the
+addresses you expected, investigate and correct the addresses
+manually.</p>
+</li>
+</ul>
+</li>
+
+<li>
+<p>If each system can ping itself but not another, something is wrong on
+the network between them.</p>
+</li><li>
+<p>If you get <tt class="literal">ping</tt>: <tt class="literal">network</tt>
+<tt class="literal">unreachable</tt> or <tt class="literal">ICMP</tt>
+<tt class="literal">Host</tt> <tt class="literal">Unreachable</tt>,
+you're not receiving an answer, and more than one
+network is probably involved.</p>
+
+<p>In principle, you shouldn't try to troubleshoot SMB
+clients and servers on different networks. Try to test a server and
+client that are on the same network:</p>
+
+<ol><li>
+<p>First, perform the tests for <tt class="literal">ping</tt>:
+<tt class="literal">no</tt> <tt class="literal">answer</tt> described earlier in
+this section. If this doesn't identify the problem,
+the remaining possibilities are the following: an address is wrong,
+your netmask is wrong, a network is down, or the packets have been
+stopped by a firewall.</p>
+</li>
+<li>
+<p>Check both the address and the netmasks on source and destination
+systems to see if something is obviously wrong. Assuming both systems
+really are on the same network, they both should have the same
+netmasks, and <em class="emphasis">ping</em> should report the correct
+addresses. If the addresses are wrong, you'll need
+to correct them. If they are correct, the programs might be confused
+by an incorrect netmask. See <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter.</p>
+</li>
+<li>
+<p>If the commands are still reporting that the network is unreachable
+and neither of the previous two conditions are in error, one network
+really might be unreachable from the other. This, too, is an issue
+for the network manager.</p>
+</li></ol>
+</li><li>
+<p>If you get <tt class="literal">ICMP</tt>
+<tt class="literal">Administratively</tt> <tt class="literal">Prohibited</tt>,
+you've struck a firewall of some sort or a
+misconfigured router. You will need to speak to your network security
+officer.</p>
+</li><li>
+<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
+<tt class="literal">redirect</tt> and <em class="emphasis">ping</em> reports
+packets getting through, this is generally harmless:
+you're simply being rerouted over the network.</p>
+</li><li>
+<p>If you get a host redirect and no <em class="emphasis">ping</em>
+responses, you are being redirected, but no one is responding. Treat
+this just like the <tt class="literal">Network</tt>
+<tt class="literal">unreachable</tt> response, and check your addresses and
+netmasks.</p>
+</li><li>
+<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
+<tt class="literal">Unreachable</tt> <tt class="literal">from</tt>
+<tt class="literal">gateway</tt> <tt class="literal">gateway</tt>
+<tt class="literal">name</tt>, ping packets are being routed to another
+network, but the other system isn't responding and
+the router is reporting the problem on its behalf. Again, treat this
+like a <tt class="literal">Network</tt> <tt class="literal">unreachable</tt>
+response, and start checking addresses and netmasks.</p>
+</li><li>
+<p>If you get <tt class="literal">ping</tt>: <tt class="literal">unknown</tt>
+<tt class="literal">host</tt> <tt class="literal">hostname</tt>, your
+system's name is not known. This tends to indicate a
+name service problem, which didn't affect
+<tt class="literal">localhost</tt>. Have a look at <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
+</li><li>
+<p>If you get a partial success&mdash;with some pings failing but others
+succeeding&mdash;you have either an intermittent problem between the
+systems or an overloaded network. Ping a bit longer, and see if more
+than about three percent of the packets fail. If so, check it with
+your network manager: a problem might just be starting. However, if
+only a few fail, or if you happen to know some massive network
+program is running, don't worry unduly. The ICMP
+(and UDP) protocols used by <em class="emphasis">ping</em> are allowed to
+drop occasional packets.</p>
+</li><li>
+<p>If you get a response such as <tt class="literal">smtsvr.antares.net</tt>
+<tt class="literal">is</tt> <tt class="literal">alive</tt> when you actually
+pinged <tt class="literal">client.example.com</tt>, either
+you're using someone else's address
+or the system has multiple names and addresses. If the address is
+wrong, the name service is clearly the culprit;
+you'll need to change the address in the name
+service database to refer to the correct system. This is discussed in
+<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this
+chapter.</p>
+
+<p>Servers are often <em class="emphasis">multihomed</em> &mdash;i.e.,
+connected to more than one network, with different names on each net.
+If you are getting a response from an unexpected name on a multihomed
+server, look at the address and see if it's on your
+network (see <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter). If
+so, you should use that address, rather than one on a different
+network, for both performance and reliability reasons.</p>
+
+<p>Servers can also have multiple names for a single Ethernet address,
+especially if they are web servers. This is harmless, albeit
+startling. You probably will want to use the official (and permanent)
+name, rather than an alias that might change.</p>
+</li><li>
+<p>If everything works but the IP address reported is
+<tt class="literal">127.0.0.1</tt>, you have a name service error. This
+typically occurs when an operating-system installation program
+generates an <em class="filename">/etc/hosts</em> line similar to
+<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
+<em class="emphasis">hostname.domainname</em>. The localhost line should
+say <tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> or
+<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
+<tt class="literal">loghost</tt>. Correct it, lest it cause failures to
+negotiate who is the master browse list holder and who is the master
+browser. It can also cause (ambiguous) errors in later tests.</p>
+</li></ul>
+<p>If this worked from the server, repeat it from the client. <a name="INDEX-41"/>
+<a name="INDEX-42"/><a name="INDEX-43"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.3"/>
+
+<h3 class="head2">Troubleshooting TCP</h3>
+
+<p><a name="INDEX-44"/><a name="INDEX-45"/>Now that
+you've tested IP, UDP, and a name service with
+<em class="emphasis">ping</em>, it's time to test TCP.
+Browsing and <em class="emphasis">ping</em> use ICMP and UDP; file and
+print services (shares) use TCP. Both depend on IP as a lower layer,
+and all four depend on name services. Testing TCP is most
+conveniently done using the FTP program.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.3.1"/>
+
+<h3 class="head3">Testing TCP with FTP</h3>
+
+<p>Try connecting via FTP, once from the server to itself, and once from
+the client to the server:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ftp server</b></tt>
+Connected to server.example.com. 
+220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready.
+ Name (server:davecb): 
+331 Password required for davecb. 
+Password: 
+230 User davecb logged in.
+ ftp&gt;<tt class="userinput"><b> quit </b></tt>
+221 Goodbye.</pre></blockquote>
+
+<p>If this worked, skip to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>. Otherwise:</p>
+
+<ul><li>
+<p>If you received the message <tt class="literal">server</tt>:
+<tt class="literal">unknown</tt> <tt class="literal">host</tt>, name service has
+failed. Go back to the corresponding <em class="emphasis">ping</em> step,
+<a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>, and rerun those tests
+to see why name lookup failed.</p>
+</li><li>
+<p>If you received <tt class="literal">ftp</tt>: <tt class="literal">connect</tt>:
+<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the system
+isn't running an FTP daemon. This is mildly unusual
+on Unix servers. Optionally, you might try this test by connecting to
+the system using <em class="emphasis">telnet</em> instead of
+<em class="emphasis">ftp</em>; the messages are very similar, and
+<em class="emphasis">telnet</em> uses TCP as well.</p>
+</li><li>
+<p>If there was a long pause, and then <tt class="literal">ftp</tt>:
+<tt class="literal">connect</tt>: <tt class="literal">Connection</tt>
+<tt class="literal">timed</tt> <tt class="literal">out</tt>, the system
+isn't reachable. Return to <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>.</p>
+</li><li>
+<p>If you received <tt class="literal">530</tt> <tt class="literal">Logon</tt>
+<tt class="literal">Incorrect</tt>, you connected successfully, but
+you've just found a different problem. You likely
+provided an incorrect username or password. Try again, making sure
+you use your username from the Unix server and type your password
+correctly.</p>
+</li></ul>
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.4"/>
+
+<h3 class="head2">Troubleshooting Server Daemons</h3>
+
+<p><a name="INDEX-46"/>Once
+you've confirmed that TCP networking is working
+properly, the next step is to make sure the daemons are running on
+the server. This takes three separate tests because no single one of
+the following will decisively prove that they're
+working correctly.</p>
+
+<p>To be sure they're running, you need to find out
+whether the daemons:</p>
+
+<ol><li>
+<p>Have started</p>
+</li><li>
+<p>Are registered or bound to a TCP/IP port by the operating system</p>
+</li><li>
+<p>Are actually paying attention</p>
+</li></ol>
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.1"/>
+
+<h3 class="head3">Tracking daemon startup</h3>
+
+<p><a name="INDEX-47"/>First, check the Samba logs. If
+you've started the daemons, the message
+<tt class="literal">smbd</tt> <tt class="literal">version</tt>
+<tt class="literal">number</tt> <tt class="literal">started</tt> should appear.
+If it doesn't, you need to restart the Samba
+daemons.</p>
+
+<p>If the daemon reports that it has indeed started, look out for
+<tt class="literal">bind</tt> <tt class="literal">failed</tt>
+<tt class="literal">on</tt> <tt class="literal">port</tt> <tt class="literal">139</tt>
+<tt class="literal">socket_addr=0</tt> <tt class="literal">(Address</tt>
+<tt class="literal">already</tt> <tt class="literal">in</tt>
+<tt class="literal">use)</tt>. This means another daemon has been started
+on port 139 (<em class="emphasis">smbd</em> ). Also,
+<em class="emphasis">nmbd</em> will report a similar failure if it cannot
+bind to port 137. Either you've started them twice,
+or the <em class="emphasis">inetd</em> server has tried to provide a
+daemon for you. If it's the latter,
+we'll diagnose that in a moment.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.2"/>
+
+<h3 class="head3">Looking for daemon processes with ps</h3>
+
+<p><a name="INDEX-48"/>Another way to make sure the daemons are
+running is to check their processes on the system. Use the
+<em class="emphasis">ps</em><a name="INDEX-49"/> command on the server with the
+&quot;long&quot; option for your system type
+(commonly <tt class="literal">ps</tt> <tt class="literal">ax</tt> or
+<tt class="literal">ps</tt> <tt class="literal">-ef</tt>), and see whether
+<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> are already
+running. This often looks like the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ps ax</b></tt>
+ PID TTY STAT TIME   COMMAND
+ 1   ?   S    0:03   init [2] 
+ 2   ?   SW   0:00   (kflushd)
+<i class="lineannotation">(...many lines of processes...) </i>
+ 234 ?   S    0:14   nmbd -D3
+ 237 ?   S    0:11   smbd -D3
+<i class="lineannotation">(...more lines, possibly including more smbd lines...)</i></pre></blockquote>
+
+<p>This example illustrates that <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em> have already started as standalone daemons
+(the <em class="emphasis">-D</em> option) at log level 3.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.3"/>
+
+<h3 class="head3">Looking for daemons bound to ports</h3>
+
+<p><a name="INDEX-50"/>Next, the daemons have to be registered
+with the operating system so that they can get access to TCP/IP
+ports. The <em class="emphasis">netstat</em> command will tell you if this
+has been done. Run the command <tt class="literal">netstat</tt>
+<tt class="literal">-a</tt> on the server, and look for lines mentioning
+<tt class="literal">netbios</tt>, <tt class="literal">137</tt>, or
+<tt class="literal">139</tt>:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>netstat -a </b></tt>
+Active Internet connections (including servers) 
+Proto Recv-Q Send-Q  Local Address          Foreign Address        (state) 
+udp   0      0       *.137                  *.* 
+tcp   0      0       *.139                  *.*                    LISTEN 
+tcp   8370   8760    server.139             client.1439            ESTABLISHED</pre></blockquote>
+
+<p>Among similar lines, there should be at least one UDP line for
+<tt class="literal">*.netbios-</tt> or <tt class="literal">*.137</tt>. This
+indicates that the <em class="emphasis">nmbd</em> server is registered and
+(we hope) is waiting to answer requests. There should also be at
+least one TCP line mentioning <tt class="literal">*.netbios-</tt> or
+<tt class="literal">*.139</tt>, and it will probably be in the LISTEN
+state. This means that <em class="emphasis">smbd</em> is up and listening
+for connections.</p>
+
+<p>There might be other TCP lines indicating connections from
+<em class="emphasis">smbd</em> to clients, one for each client. These are
+usually in the ESTABLISHED state. If there are
+<em class="emphasis">smbd</em> lines in the ESTABLISHED state,
+<em class="emphasis">smbd</em> is definitely running. If there is only one
+line in the LISTEN state, we're not sure yet. If
+both of the lines are missing, a daemon has not succeeded in
+starting, so it's time to check the logs and then go
+back to <a href="ch02.html">Chapter 2</a>.</p>
+
+<p>If there is a line for each client, it might be coming either from a
+Samba daemon or from the master IP daemon,
+<em class="emphasis">inetd</em>. It's quite possible that
+your <em class="emphasis">inetd</em> startup file contains lines that
+start Samba daemons without your realizing it; for instance, the
+lines might have been placed there if you installed Samba as part of
+a Linux distribution. The daemons started by
+<em class="emphasis">inetd</em> prevent ours from running. This problem
+typically produces log messages such as <tt class="literal">bind</tt>
+<tt class="literal">failed</tt> <tt class="literal">on</tt>
+<tt class="literal">port</tt> <tt class="literal">139</tt>
+<tt class="literal">socket</tt> <tt class="literal">addr=0</tt>
+<tt class="literal">(Address</tt> <tt class="literal">already</tt>
+<tt class="literal">in</tt> <tt class="literal">use)</tt>.</p>
+
+<p>Check your <em class="filename">/etc/inetd.conf</em> ; unless
+you're intentionally starting the daemons from
+there, <tt class="literal">netbios-ns</tt> (UDP port 137) or
+<tt class="literal">netbios-ssn</tt> (tcp port 139) servers should be
+mentioned there. If your system is providing an SMB daemon via
+<em class="emphasis">inetd</em>, lines such as the following will appear
+in the <em class="filename">inetd.conf</em> file:</p>
+
+<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
+netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></blockquote>
+
+<p>If your system uses <em class="emphasis">xinetd</em> instead of
+<em class="emphasis">inetd</em>, see <a href="ch02.html">Chapter 2</a> for
+details concerning its configuration.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.4"/>
+
+<h3 class="head3">Checking smbd with telnet</h3>
+
+<p><a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>Ironically, the easiest way to test that
+the <em class="emphasis">smbd</em> server is actually working is to send
+it a meaningless message and see if it is rejected. Try something
+such as the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>echo &quot;hello&quot; | telnet localhost 139 </b></tt>
+Trying
+Trying 192.168.236.86 ... 
+Connected to localhost. Escape character is '^]'. 
+Connection closed by foreign host.</pre></blockquote>
+
+<p>This sends an erroneous but harmless message to
+<em class="emphasis">smbd</em>. If you get a <tt class="literal">Connected</tt>
+message followed by a <tt class="literal">Connection</tt>
+<tt class="literal">closed</tt> message, the test was a success. You have
+an <em class="emphasis">smbd</em> daemon listening on the port and
+rejecting improper connection messages. On the other hand, if you get
+<tt class="literal">telnet</tt>: <tt class="literal">connect</tt>:
+<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, most likely
+no daemon is present. Check the logs and go back to <a href="ch02.html">Chapter 2</a>.</p>
+
+<p>Regrettably, there isn't an easy test for
+<em class="emphasis">nmbd</em>. If the <em class="emphasis">telnet</em> test
+and the <em class="emphasis">netstat</em> test both say that an
+<em class="emphasis">smbd</em> is running, there is a good chance that
+<em class="emphasis">netstat</em> will also be correct about
+<em class="emphasis">nmbd</em> running.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.5"/>
+
+<h3 class="head3">Testing daemons with testparm</h3>
+
+<p><a name="INDEX-54"/><a name="INDEX-55"/>Once you know
+there's a daemon, you should always run
+<em class="emphasis">testparm</em>, in hopes of getting something such as
+the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>testparm </b></tt>
+Load smb config files from /opt/samba/lib/smb.conf
+Processing section &quot;[homes]&quot; 
+Processing section &quot;[printers]&quot; ... 
+Processing section &quot;[tmp]&quot; 
+Loaded services file OK. ...</pre></blockquote>
+
+<p>The <em class="emphasis">testparm</em> program normally reports the
+processing of a series of sections and responds with
+<tt class="literal">Loaded</tt> <tt class="literal">services</tt>
+<tt class="literal">file</tt> <tt class="literal">OK</tt> if it succeeds. If not,
+it reports one or more of the following messages, which also appear
+in the logs as noted:</p>
+
+<dl>
+<dt><b>Allow/Deny connection from account (n) to service</b></dt>
+<dd>
+<p>A <em class="emphasis">testparm</em>-only message produced if you have
+<tt class="literal">valid</tt> <tt class="literal">user</tt> or
+<tt class="literal">invalid</tt> <tt class="literal">user</tt> options set in
+your <em class="emphasis">smb.conf</em>. You will want to make sure that
+you are on the valid user list, and that <tt class="literal">root</tt>,
+<tt class="literal">bin</tt>, etc., are on the invalid user list. If you
+don't, you will not be able to connect, or users who
+shouldn't <em class="emphasis">will</em> be able to.</p>
+</dd>
+
+
+
+<dt><b>Warning: You have some share names that are longer than eight chars</b></dt>
+<dd>
+<p>For anyone using Windows for Workgroups and older clients. They fail
+to connect to shares with long names, producing an overflow message
+that sounds confusingly like a memory overflow.</p>
+</dd>
+
+
+
+<dt><b>Warning: [name] service MUST be printable!</b></dt>
+<dd>
+<p>A printer share lacks a <tt class="literal">printable</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option.</p>
+</dd>
+
+
+
+<dt><b>No path in service name using [name]</b></dt>
+<dd>
+<p>A file share doesn't know which directory to provide
+to the user, or a print share doesn't know which
+directory to use for spooling. If no path is specified, the service
+will try to run with a path of <em class="emphasis">/tmp</em>, which might
+not be what you want.</p>
+</dd>
+
+
+
+<dt><b>Note: Servicename is flagged unavailable</b></dt>
+<dd>
+<p>Just a reminder that you have used the <tt class="literal">available</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> option in a share.</p>
+</dd>
+
+
+
+<dt><b>Can't find include file [name] </b></dt>
+<dd>
+<p>A configuration file referred to by an <tt class="literal">include</tt>
+option did not exist. If you were including the file unconditionally,
+this is an error and probably a serious one: the share will not have
+the configuration you intended. If you were including it based on one
+of the <tt class="literal">%</tt> variables, such as <tt class="literal">%a</tt>
+(architecture), you will need to decide whether, for example, a
+missing Windows for Workgroups configuration file is a problem. It
+often isn't.</p>
+</dd>
+
+
+
+<dt><b>Can't copy service name, unable to copy to itself</b></dt>
+<dd>
+<p>You tried to copy an <em class="filename">smb.conf</em> section into
+itself.</p>
+</dd>
+
+
+
+<dt><b>Unable to copy service&mdash;source not found: [name]</b></dt>
+<dd>
+<p>Indicates a missing or misspelled section in a
+<tt class="literal">copy</tt> <tt class="literal">=</tt> option.</p>
+</dd>
+
+
+
+<dt><b>Ignoring unknown parameter name </b></dt>
+<dd>
+<p>Typically indicates an obsolete, misspelled, or unsupported option.</p>
+</dd>
+
+
+
+<dt><b>Global parameter name found in service section </b></dt>
+<dd>
+<p>Indicates that a global-only parameter has been used in an individual
+share. Samba ignores the parameter.</p>
+</dd>
+
+</dl>
+
+<p>After the <em class="emphasis">testparm</em> test, repeat it with
+(exactly) three parameters: the name of your
+<em class="filename">smb.conf</em> file, the name of your client, and its
+IP address:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>testparm /usr/local/samba/lib/smb.conf client 192.168.236.10</b></tt></pre></blockquote>
+
+<p>This will run one more test that checks the hostname and address
+against <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options and might
+produce the <tt class="literal">Allow</tt> <tt class="literal">connection</tt>
+<tt class="literal">from</tt> <tt class="literal">hostname</tt>
+<tt class="literal">to</tt> <tt class="literal">service</tt> and/or
+<tt class="literal">Deny</tt> <tt class="literal">connection</tt>
+<tt class="literal">from</tt> <tt class="literal">hostname</tt>
+<tt class="literal">to</tt> <tt class="literal">service</tt> messages for the
+client system. These messages indicate that you have
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and/or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options in your
+<em class="filename">smb.conf</em>, and they prohibit access from the
+client system. <a name="INDEX-56"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.5"/>
+
+<h3 class="head2">Troubleshooting SMB Connections</h3>
+
+<p><a name="INDEX-57"/><a name="INDEX-58"/>Now
+that you know the servers are up, you need to make sure
+they're running properly. We start by placing a
+simple <em class="filename">smb.conf</em> file in the
+<em class="filename">/usr/local/samba/lib</em> directory.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.1"/>
+
+<h3 class="head3">A minimal smb.conf file</h3>
+
+<p>In the following tests, we assume you have a
+<tt class="literal">[temp]</tt> share suitable for testing, plus at least
+one account. An <em class="filename">smb.conf</em> file that includes just
+these is as follows:</p>
+
+<blockquote><pre class="code">[global] 
+    workgroup = <em class="replaceable">EXAMPLE</em> 
+    security = user
+    browsable = yes 
+    local master = yes 
+[homes] 
+    guest ok = no 
+    browsable = no
+[temp] 
+    path = /tmp 
+    public = yes</pre></blockquote>
+<a name="samba2-CHP-12-NOTE-156"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>The <tt class="literal">public</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> option in the <tt class="literal">[temp]</tt> share
+is just for testing. You probably don't want people
+without accounts storing things on your Samba server, so you should
+comment it out when you're done.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.2"/>
+
+<h3 class="head3">Testing locally with smbclient</h3>
+
+<p><a name="INDEX-59"/><a name="INDEX-60"/>The first test is to ensure that the
+server can list its own services (shares). Run the command
+<tt class="literal">smbclient</tt> <em class="emphasis">-L</em>
+<tt class="literal">localhost</tt> <tt class="literal">-U%</tt> to connect to the
+server from itself, and specify the guest user. You should see the
+following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L localhost -U% </b></tt>
+Server time is Wed May 27 17:57:40 2002 Timezone is UTC-4.0
+Server=[localhost] 
+User=[davecb] 
+Workgroup=[EXAMPLE] 
+Domain=[EXAMPLE]
+    Sharename      Type      Comment 
+    ---------      -----     ----------
+    temp           Disk
+    IPC$           IPC       IPC Service (Samba 1.9.18) 
+    homes          Disk      Home directories
+This machine does not have a browse list</pre></blockquote>
+
+<p>If you received this output, move on to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>. On the other hand, if you
+receive an error, check the following:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Get_hostbyname</tt>:
+<tt class="literal">unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">localhost</tt>, either you've spelled
+its name wrong or there actually is a problem (which should have been
+seen back in <a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>). In the
+latter case, move on to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
+</li><li>
+<p>If you get <tt class="literal">Connect</tt> <tt class="literal">error</tt>:
+<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the server
+was found, but it wasn't running an
+<em class="emphasis">nmbd</em> daemon. Skip back to
+<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>,
+earlier in this chapter, and retest the daemons.</p>
+</li><li>
+<p>If you get the message <tt class="literal">Your</tt>
+<tt class="literal">server</tt> <tt class="literal">software</tt>
+<tt class="literal">is</tt> <tt class="literal">being</tt>
+<tt class="literal">unfriendly</tt>, the initial session request packet got
+a garbage response from the server. The server might have crashed or
+started improperly. The common causes of this can be discovered by
+scanning the logs for the following:</p>
+<ul><li>
+<p>Invalid command-line parameters to <em class="emphasis">smbd</em> ; see
+the <em class="emphasis">smbd</em> manual page.</p>
+</li><li>
+<p>A fatal problem with the <em class="filename">smb.conf</em> file that
+prevents the startup of <em class="emphasis">smbd</em>. Always check your
+changes with <em class="emphasis">testparm</em>, as was done in <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>, earlier in this chapter.</p>
+</li><li>
+<p>Missing directories where Samba is supposed to keep its log and lock
+files.</p>
+</li><li>
+<p>The presence of a server already on the port (139 for
+<em class="emphasis">smbd</em>, 137 for <em class="emphasis">nmbd</em> ),
+preventing the daemon from starting.</p>
+</li></ul>
+</li>
+<li>
+<p>If you're using <em class="emphasis">inetd</em> (or
+xinetd ) instead of standalone daemons, be sure to check your
+<em class="filename">/etc/inetd.conf</em> (or xinetd configuration files)
+and <em class="filename">/etc/services</em> entries against their manual
+pages for errors as well.</p>
+</li><li>
+<p>If you get a <tt class="literal">Password</tt>: prompt, your guest account
+is not set up properly. The <em class="emphasis">-U%</em> option tells
+<em class="emphasis">smbclient</em> to do a &quot;null
+login,&quot; which requires that the guest account be
+present but does not require it to have any privileges.</p>
+</li><li>
+<p>If you get the message <tt class="literal">SMBtconX</tt>
+<tt class="literal">failed</tt>. <tt class="literal">ERRSRV--ERRaccess</tt>, you
+aren't permitted access to the server. This normally
+means you have a <tt class="literal">hosts</tt> <tt class="literal">allow</tt>
+option that doesn't include the server or a
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.
+Recheck with the command <tt class="literal">testparm</tt>
+<tt class="literal">smb.conf</tt> <em class="replaceable">your_hostname</em>
+<em class="replaceable">your_ip_address</em> (see
+<a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>),
+and correct any unintended prohibitions.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.3"/>
+
+<h3 class="head3">Testing connections with smbclient</h3>
+
+<p><a name="INDEX-61"/><a name="INDEX-62"/>Run the command
+<tt class="literal">smbclient</tt>
+<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
+to connect to the server's <tt class="literal">[temp]</tt>
+share and to see if you can connect to a file service. You should get
+the following response:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient '\\server\temp' </b></tt>
+Server time is Tue May  5 09:49:32 2002 Timezone is UTC-4.0 Password:
+<b class="emphasis-bold">smb: \&gt; quit</b></pre></blockquote>
+<p>You might receive the following errors:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Get_Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">name</tt>, <tt class="literal">Connect</tt>
+<tt class="literal">error</tt>: <tt class="literal">Connection</tt>
+<tt class="literal">refused</tt>, or <tt class="literal">Your</tt>
+<tt class="literal">server</tt> <tt class="literal">software</tt>
+<tt class="literal">is</tt> <tt class="literal">being</tt>
+<tt class="literal">unfriendly</tt>, see the previous section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, for
+the diagnoses.</p>
+</li><li>
+<p>If you get the message <tt class="literal">servertemp</tt>:
+<tt class="literal">Not</tt> <tt class="literal">enough</tt>
+<tt class="literal">`\</tt>'
+<tt class="literal">characters</tt> <tt class="literal">in</tt>
+<tt class="literal">service</tt>, you likely didn't quote
+the address, so Unix stripped off backslashes. You can also write the
+command:</p>
+
+<blockquote><pre class="code">smbclient \\\\<em class="replaceable">server</em>\\temp</pre></blockquote>
+
+<p>or:</p>
+<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/temp</pre></blockquote>
+</li>
+</ul>
+<p>Now, provide your Unix account password to the
+<tt class="literal">Password</tt>: prompt. If you then get an
+<tt class="literal">smb</tt>: <tt class="literal">\&gt;</tt> prompt, it worked.
+Enter <tt class="literal">quit</tt> and continue on to the next section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If
+you got <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
+<tt class="literal">ERRSRV--ERRinvnetname</tt>, the problem can be any of
+the following:</p>
+
+<ul><li>
+<p>A wrong share name: you might have spelled it wrong, it might be too
+long, it might be in mixed case, or it might not be available. Check
+that it's what you expect with
+<em class="emphasis">testparm</em> (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
+</li><li>
+<p>A <tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">share</tt> parameter in your Samba configuration file,
+in which case you might have to add <tt class="literal">-U</tt>
+<em class="replaceable">your_account</em> to the
+<em class="emphasis">smbclient</em> command.</p>
+</li><li>
+<p>An erroneous username.</p>
+</li><li>
+<p>An erroneous password.</p>
+</li><li>
+<p>An <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
+<tt class="literal">valid</tt> <tt class="literal">users</tt> option in your
+<em class="emphasis">smb.conf</em> file that doesn't
+allow your account to connect. Recheck using
+<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
+<em class="replaceable">your_hostname your_ip_address</em> (see the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
+</li><li>
+<p>A <tt class="literal">valid</tt> <tt class="literal">hosts</tt> option that
+doesn't include the server, or an
+<tt class="literal">invalid</tt> <tt class="literal">hosts</tt> option that does.
+Also test this with <em class="emphasis">testparm</em>.</p>
+</li><li>
+<p>A problem in authentication, such as if shadow passwords or the
+Password Authentication Module (PAM) is used on the server, but Samba
+is not compiled to use it. This is rare, but it occasionally happens
+when a SunOS 4 Samba binary (with no shadow passwords) is run without
+recompilation on a Solaris system (with shadow passwords).</p>
+</li><li>
+<p>The <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option is in the
+configuration file, but no password for your account is in the
+<em class="emphasis">smbpasswd</em> file.</p>
+</li><li>
+<p>You have a null password entry, either in Unix
+<em class="filename">/etc/passwd</em> or in the
+<em class="emphasis">smbpasswd</em> file.</p>
+</li><li>
+<p>You are connecting to <tt class="literal">[temp]</tt>, and you do not have
+the <tt class="literal">guest</tt> <tt class="literal">ok</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option in the
+<tt class="literal">[temp]</tt> section of the
+<em class="emphasis">smb.conf</em> file.</p>
+</li><li>
+<p>You are connecting to <tt class="literal">[temp]</tt> before connecting to
+your home directory, and your guest account isn't
+set up correctly. If you can connect to your home directory and then
+connect to <tt class="literal">[temp]</tt>, that's the
+problem. See <a href="ch02.html">Chapter 2</a> for more information on
+creating a basic Samba configuration file.</p>
+
+<p>A bad guest account will also prevent you from printing or browsing
+until after you've logged in to your home directory.</p>
+</li></ul>
+<p>There is one more reason for this failure that has nothing at all to
+do with passwords: the <tt class="literal">path</tt> parameter in your
+<em class="filename">smb.conf</em> file might point somewhere that
+doesn't exist. This will not be diagnosed by
+<em class="emphasis">testparm</em>, and most SMB clients
+can't distinguish it from other types of bad user
+accounts. You will have to check it manually.</p>
+
+<p>Once you have connected to <tt class="literal">[temp]</tt> successfully,
+repeat the test, this time logging in to your home directory (e.g.,
+map network drive
+<em class="replaceable">server</em><tt class="literal">\davecb</tt>). If you
+have to change anything to get that to work, retest
+<tt class="literal">[temp]</tt> again afterward.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.4"/>
+
+<h3 class="head3">Testing connections with net use</h3>
+
+<p><a name="INDEX-63"/><a name="INDEX-64"/>Run the command
+<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">*</tt>
+<tt class="literal">\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
+on the Windows client to see if it can connect to the server. You
+should be prompted for a password, then receive the response
+<tt class="literal">The</tt> <tt class="literal">command</tt>
+<tt class="literal">was</tt> <tt class="literal">completed</tt>
+<tt class="literal">successfully</tt>.</p>
+
+<p>If that worked, continue with the steps in the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.5">Section 12.2.5.5</a>. Otherwise:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
+<tt class="literal">shared</tt> <tt class="literal">directory</tt>
+<tt class="literal">cannot</tt> <tt class="literal">be</tt>
+<tt class="literal">found</tt>, or <tt class="literal">Cannot</tt>
+<tt class="literal">locate</tt> <tt class="literal">specified</tt>
+<tt class="literal">share</tt> <tt class="literal">name</tt>, the directory name
+is either misspelled or not in the <em class="emphasis">smb.conf</em>
+file. This message can also warn of a name that is in mixed case,
+including spaces, or that is longer than eight characters.</p>
+</li><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">computer</tt>
+<tt class="literal">name</tt> <tt class="literal">specified</tt>
+<tt class="literal">in</tt> <tt class="literal">the</tt>
+<tt class="literal">network</tt> <tt class="literal">path</tt>
+<tt class="literal">cannot</tt> <tt class="literal">be</tt>
+<tt class="literal">located</tt> or <tt class="literal">Cannot</tt>
+<tt class="literal">locate</tt> <tt class="literal">specified</tt>
+<tt class="literal">computer</tt>, the directory name has been misspelled,
+the name service has failed, there is a networking problem, or the
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option includes your
+host.</p>
+<ul><li>
+<p>If it is not a spelling mistake, you need to double back at least to
+<a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a> to
+investigate why it doesn't connect.</p>
+</li><li>
+<p>If <em class="emphasis">smbclient</em> does work, there is a name service
+problem with the client name service, and you need to go forward to
+<a href="ch12.html#samba2-CHP-12-SECT-2.6.2">Section 12.2.6.2</a> and see if
+you can look up both the client and server with
+<em class="emphasis">nmblookup</em>.</p>
+</li>
+</ul>
+</li>
+
+<li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
+<tt class="literal">is</tt> <tt class="literal">invalid</tt>
+<tt class="literal">for</tt> <tt class="literal">\server\username</tt>, your
+locally cached copy on the client doesn't match the
+one on the server. You will be prompted for a replacement.</p>
+
+<a name="samba2-CHP-12-NOTE-157"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Each Windows 95/98/Me client keeps a local
+<em class="emphasis">password</em> file, but it's really
+just a cached copy of the password it sends to Samba and NT/2000/XP
+servers to authenticate you. That's what is being
+prompted for here. You can still log on to a Windows system without a
+password (but not to NT/2000/XP).</p>
+</blockquote>
+
+<p>If you provide your password and it still fails, your password is not
+being matched on the server, you have a <tt class="literal">valid</tt>
+<tt class="literal">users</tt> or <tt class="literal">invalid</tt>
+<tt class="literal">users</tt> list denying you permission, NetBEUI is
+interfering, or the encrypted password problem described in the next
+paragraph exists.</p>
+</li><li>
+<p>If your client is Windows NT 4.0, NT 3.5 with Patch 3, Windows 95
+with Patch 3, Windows 98, any of these with Internet Explorer 4.0, or
+any subsequent version of Windows, the system will default to
+Microsoft encryption for passwords. In general, if you have installed
+a major Microsoft product on any of the older Windows versions, you
+might have applied an update and turned on encrypted passwords. If
+the client is defaulting to encrypted passwords, you will need to
+specify <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in your Samba
+configuration file if you are using a version of Samba prior to Samba
+3.0.</p>
+
+<a name="samba2-CHP-12-NOTE-158"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Because of Internet Explorer's willingness to honor
+URLs such as <em class="filename">file://somehost/somefile</em> by making
+SMB connections, clients up to and including Windows 95 Patch Level 2
+would happily send your password, in plain text, to SMB servers
+anywhere on the Internet. This was considered a bad idea, and
+Microsoft switched to using only encrypted passwords in the SMB
+protocol. All subsequent releases of Microsoft's
+products have included this correction.</p>
+</blockquote>
+</li>
+
+<li>
+<p>If you have a mixed-case password on Unix, the client is probably
+sending it in all one case. If changing your password to all one case
+works, this was the problem. Regrettably, all but the oldest clients
+support uppercase passwords, so Samba will try once with the password
+in uppercase and once in lowercase. If you wish to use mixed-case
+passwords, see the <tt class="literal">password</tt>
+<tt class="literal">level</tt> option in <a href="ch09.html">Chapter 9</a> for a
+workaround.</p>
+</li><li>
+<p>You might have a <tt class="literal">valid</tt> <tt class="literal">users</tt>
+problem, as tested with <em class="emphasis">smbclient</em> (see the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>).</p>
+</li><li>
+<p>You might have the NetBEUI protocol bound to the Microsoft client.
+This often produces long timeouts and erratic failures and is known
+to have caused failures to accept passwords in the past. Unless you
+absolutely need the NetBEUI protocol, remove it.</p>
+</li></ul>
+<a name="samba2-CHP-12-NOTE-159"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The term &quot;bind&quot; is used here to
+mean connecting one piece of software to another. When configured
+correctly, the Microsoft SMB client is &quot;bound
+to&quot; TCP/IP in the bindings section of the TCP/IP
+properties panel under the Windows 95/98/Me Network icon in the
+Control Panel. TCP/IP in turn is bound to an Ethernet card. This is
+not the same sense of the word as binding an SMB daemon to a TCP/IP
+port.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.5"/>
+
+<h3 class="head3">Testing connections with Windows Explorer</h3>
+
+<p><a name="INDEX-65"/><a name="INDEX-66"/>Start Windows Explorer
+(not Internet Explorer), select Map Network Drive from the Tools
+menu, and specify the UNC for one of your shares on the Samba server
+to see if you can make Explorer connect to it. If so,
+you've succeeded and can skip to the next section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.6">Section 12.2.6</a>.</p>
+
+<p>Windows Explorer is a rather poor diagnostic tool: it tells you that
+something's wrong, but rarely what it is. If you get
+a failure, you'll need to track it down with the
+Windows <em class="emphasis">net use</em> command, which has far superior
+error reporting:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
+<tt class="literal">for</tt> <tt class="literal">this</tt>
+<tt class="literal">connection</tt> <tt class="literal">that</tt>
+<tt class="literal">is</tt> <tt class="literal">in</tt> <tt class="literal">your</tt>
+<tt class="literal">password</tt> <tt class="literal">file</tt>
+<tt class="literal">is</tt> <tt class="literal">no</tt> <tt class="literal">longer</tt>
+<tt class="literal">correct</tt>, you might have any of the following:</p>
+<ul><li>
+<p>Your locally cached copy on the client doesn't match
+the one on the server.</p>
+</li><li>
+<p>You didn't provide a username and password when
+logging on to the client. Some versions of Explorer will continue to
+send a null username and password, even if you provide a password.</p>
+</li><li>
+<p>You have misspelled the password.</p>
+</li><li>
+<p>You have an <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
+<tt class="literal">valid</tt> <tt class="literal">users</tt> list denying
+permission.</p>
+</li><li>
+<p>Your client is defaulting to encrypted passwords, but Samba is
+configured with the <tt class="literal">encrypt</tt>
+<tt class="literal">passwords</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> configuration file parameter.</p>
+</li><li>
+<p>You have a mixed-case password, which the client is supplying in all
+one case.</p>
+</li>
+</ul>
+</li>
+<li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">network</tt>
+<tt class="literal">name</tt> <tt class="literal">is</tt>
+<tt class="literal">either</tt> <tt class="literal">incorrect</tt>,
+<tt class="literal">or</tt> <tt class="literal">a</tt> <tt class="literal">network</tt>
+<tt class="literal">to</tt> <tt class="literal">which</tt> <tt class="literal">you</tt>
+<tt class="literal">do</tt> <tt class="literal">not</tt> <tt class="literal">have</tt>
+<tt class="literal">full</tt> <tt class="literal">access</tt>, or
+<tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
+<tt class="literal">specified</tt> <tt class="literal">computer</tt>, you might
+have any of the following:</p>
+<ul><li>
+<p>Misspelled name</p>
+</li><li>
+<p>Malfunctioning service</p>
+</li><li>
+<p>Failed share</p>
+</li><li>
+<p>Networking problem</p>
+</li><li>
+<p>Bad <tt class="literal">path</tt> parameter in
+<em class="filename">smb.conf</em></p>
+</li><li>
+<p><tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that excludes
+you</p>
+</li>
+</ul>
+</li>
+<li>
+<p>If you get <tt class="literal">You</tt> <tt class="literal">must</tt>
+<tt class="literal">supply</tt> <tt class="literal">a</tt>
+<tt class="literal">password</tt> <tt class="literal">to</tt>
+<tt class="literal">make</tt> <tt class="literal">this</tt>
+<tt class="literal">connection</tt>, the password on the client is out of
+synchronization with the server, or this is the first time
+you've tried from this client system and the client
+hasn't cached it locally yet.</p>
+</li><li>
+<p>If you get <tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
+<tt class="literal">specified</tt> <tt class="literal">share</tt>
+<tt class="literal">name</tt>, you have a wrong share name or a syntax
+error in specifying it, a share name longer than eight characters, or
+one containing spaces or in mixed case.</p>
+</li></ul>
+<p>Once you can reliably connect to the share, try again, this time
+using your home directory. If you have to change something to get
+home directories working, retest with the first share, and vice
+versa, as we showed in the earlier section, &quot;Testing
+connections with net use.&quot; As always, if Explorer
+fails, drop back to that section and debug the connection there.
+<a name="INDEX-67"/><a name="INDEX-68"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.6"/>
+
+<h3 class="head2">Troubleshooting Browsing</h3>
+
+<p><a name="INDEX-69"/><a name="INDEX-70"/>Finally, we
+come to browsing. We've left this for last, not
+because it is the most difficult, but because it's
+both optional and partially dependent on a protocol that
+doesn't guarantee delivery of a packet. Browsing is
+hard to diagnose if you don't already know that all
+the other services are running.</p>
+
+<p>Browsing is purely optional: it's just a way to find
+the servers on your network and the shares that they provide. Unix
+has nothing of the sort and happily does without. Browsing also
+assumes all your systems are on a local area network (LAN) where
+broadcasts are allowable.</p>
+
+<p>First, the browsing mechanism identifies a system using the
+unreliable UDP protocol; it then makes a normal (reliable) TCP/IP
+connection to list the shares the system provides.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.1"/>
+
+<h3 class="head3">Testing browsing with smbclient</h3>
+
+<p><a name="INDEX-71"/><a name="INDEX-72"/>We'll start with
+testing the reliable connection first. From the server, try listing
+its own shares using <em class="emphasis">smbclient</em> with a
+<tt class="literal">-L</tt> option and your server's name.
+You should get something resembling the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L server</b></tt> 
+Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server 
+time is Tue Apr 28 09:57:28 2002 Timezone is UTC-4.0 
+Password: 
+Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.5]
+
+   Sharename      Type      Comment    
+   ---------      ----      -------    
+    cdrom          Disk      CD-ROM    
+    cl             Printer   Color Printer 1    
+    davecb         Disk      Home Directories
+
+   Server         Comment    
+   ---------      -------    
+   SERVER         Samba 2.2.5
+
+   Workgroup      Master    
+   ---------      -------    
+   EXAMPLE        SERVER</pre></blockquote>
+
+<ul><li>
+<p>If you didn't get a Sharename list, the server is
+not allowing you to browse any shares. This should not be the case if
+you've tested any of the shares with Windows
+Explorer or the <em class="emphasis">net use</em> command. If you
+haven't done the <tt class="literal">smbclient</tt>
+<tt class="literal">-L</tt> <tt class="literal">localhost</tt>
+<tt class="literal">-U%</tt> test yet (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), do it now. An erroneous
+guest account can prevent the shares from being seen. Also, check the
+<em class="filename">smb.conf</em> file to make sure you do not have the
+option <tt class="literal">browsable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> anywhere in it: we suggest using a minimal
+<em class="filename">smb.conf</em> file (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.1">Section 12.2.5.1</a>). You need to have
+<tt class="literal">browsable</tt> enabled (which is the default) to see
+the share.</p>
+</li><li>
+<p>If you didn't get a browse list, the server is not
+providing information about the systems on the network. At least one
+system on the net must support browse lists. Make sure you have
+<tt class="literal">local</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
+<em class="filename">smb.conf</em> file if you want Samba to be the local
+master browser.</p>
+</li><li>
+<p>If you got a browse list but didn't get
+<em class="emphasis">/tmp</em>, you probably have a
+<em class="filename">smb.conf</em> problem. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>.</p>
+</li><li>
+<p>If you didn't get a workgroup list with your
+workgroup name in it, it is possible that your workgroup is set
+incorrectly in the <em class="filename">smb.conf</em> file.</p>
+</li><li>
+<p>If you didn't get a workgroup list at all, ensure
+that <tt class="literal">workgroup</tt> <tt class="literal">=</tt>
+<tt class="literal">EXAMPLE</tt> is present in the
+<em class="filename">smb.conf</em> file.</p>
+</li><li>
+<p>If you get nothing, try once more with the options
+<tt class="literal">-I</tt> <em class="emphasis">ip_address</em>
+<tt class="literal">-n</tt> <em class="emphasis">netbios_name</em>
+<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>
+<tt class="literal">-d3</tt> with the NetBIOS and workgroup name in
+uppercase. (The <tt class="literal">-d3</tt> option sets the log /debugging
+level to 3.) Then check the Samba logs for clues.</p>
+</li></ul>
+<p>If you're still getting nothing, you
+shouldn't have gotten this far; double back to at
+least <a href="ch12.html#samba2-CHP-12-SECT-2.3.1">Section 12.2.3.1</a>, or perhaps
+<a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. On the other hand:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
+<tt class="literal">ERRSRV--ERRaccess</tt>, you aren't
+permitted access to the server. This normally means you have a
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option that
+doesn't include the server or a
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.</p>
+</li><li>
+<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>, you
+presumably have one of the following:</p>
+<ul><li>
+<p>An incorrect <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line</p>
+</li><li>
+<p>An incorrect <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
+<tt class="literal">valid</tt> <tt class="literal">users</tt> line</p>
+</li><li>
+<p>A lowercase password and OS/2 or Windows for Workgroups clients</p>
+</li><li>
+<p>A missing or invalid guest account</p>
+</li></ul>
+<p>Check what your guest account is (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), change or comment out any
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt>,
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt>,
+<tt class="literal">valid</tt> <tt class="literal">users</tt>, or
+<tt class="literal">invalid</tt> <tt class="literal">users</tt> lines, and verify
+your <em class="filename">smb.conf</em> file with
+<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
+<em class="replaceable">your_hostname your_ip_address</em> (see the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
+</li><li>
+<p>If you get <tt class="literal">Connection</tt> <tt class="literal">refused</tt>,
+the <em class="emphasis">smbd</em> server is not running or has crashed.
+Check that it's up, running, and listening to the
+network with <em class="emphasis">netstat</em>. See the earlier section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">Get_Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">name</tt>, you've made a spelling
+error, there is a mismatch between the Unix and NetBIOS hostname, or
+there is a name service problem. Start name service debugging as
+discussed in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If this works, suspect a
+name mismatch, and go to the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">Session</tt> <tt class="literal">request</tt>
+<tt class="literal">failed</tt>, the server refused the connection. This
+usually indicates an internal error, such as insufficient memory to
+fork a process.</p>
+</li><li>
+<p>If you get <tt class="literal">Your</tt> <tt class="literal">server</tt>
+<tt class="literal">software</tt> <tt class="literal">is</tt>
+<tt class="literal">being</tt> <tt class="literal">unfriendly</tt>, the initial
+session request packet received a garbage response from the server.
+The server might have crashed or started improperly. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, where the
+problem is first analyzed.</p>
+</li><li>
+<p>If you suspect the server is not running, go back to
+<a href="ch12.html#samba2-CHP-12-SECT-2.4.2">Section 12.2.4.2</a> to see why the server
+daemon isn't responding.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.2"/>
+
+<h3 class="head3">Testing the server with nmblookup</h3>
+
+<p><a name="INDEX-73"/><a name="INDEX-74"/>This will test the
+&quot;advertising&quot; system used for
+Windows name services and browsing. Advertising works by broadcasting
+one's presence or willingness to provide services.
+It is the part of browsing that uses an unreliable protocol (UDP) and
+works only on broadcast networks such as Ethernets. The
+<em class="emphasis">nmblookup</em> program broadcasts name queries for
+the hostname you provide and returns its IP address and the name of
+the system, much as <em class="emphasis">nslookup</em> does with DNS.
+Here, the <em class="emphasis">-d</em> (debug or log-level) and
+<em class="emphasis">-B</em> (broadcast address) options direct queries to
+specific systems.</p>
+
+<p>First, we check the server from itself. Run
+<em class="emphasis">nmblookup</em> with a <em class="emphasis">-B</em> option
+of your server's name (to tell it to send the query
+to the Samba server) and a parameter of <tt class="literal">_ _SAMBA_
+_</tt> as the symbolic name to look up. You should get:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -B server _ _SAMBA_ _</b></tt>
+Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 
+Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</pre></blockquote>
+
+<p>You should get the IP address of the server, followed by the name
+<tt class="literal">_ _SAMBA_ _</tt> , which means that the server has
+successfully advertised that it has a service called <tt class="literal">_
+_SAMBA_ _</tt> , and therefore at least part of NetBIOS name
+service works.</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Name_query</tt> <tt class="literal">failed</tt>
+<tt class="literal">to</tt> <tt class="literal">find</tt> <tt class="literal">name</tt>
+<tt class="literal">_ _SAMBA_ _</tt>, you might have specified the server
+name to the <em class="emphasis">-B</em> option, or
+<em class="emphasis">nmbd</em> is not running. The <em class="emphasis">-B</em>
+option actually takes a broadcast address: we're
+using a computer name to get a unicast address and to ask the server
+if it has claimed <tt class="literal">_ _SAMBA_ _</tt>. Try again with
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">ip_address</em>, and if that fails too,
+<em class="emphasis">nmbd</em> isn't claiming the name.
+Go back briefly to the earlier section, &quot;Testing
+daemons with testparm,&quot; to see if
+<em class="emphasis">nmbd</em> is running. If so, it might not be claiming
+names; this means that Samba is not providing the browsing
+service&mdash;a configuration problem. If that is the case, make sure
+that <em class="filename">smb.conf</em> doesn't contain
+the option <tt class="literal">browsing</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt>.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.3"/>
+
+<h3 class="head3">Testing the client with nmblookup</h3>
+
+<p><a name="INDEX-75"/><a name="INDEX-76"/>Next, check the IP address of the
+client from the server with <em class="emphasis">nmblookup</em> using the
+<tt class="literal">-B</tt> option for the client's name
+and a parameter of '<tt class="literal">*</tt>' meaning
+&quot;anything,&quot; as shown here:</p>
+
+<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -B client '*</b>' 
+Sending queries to 192.168.236.10 192.168.236.10 *
+Got a positive name query response from 192.168.236.10 (192.168.236.10)</pre></blockquote>
+
+<p>You might get the following error:</p>
+
+<ul><li>
+<p>If you receive <tt class="literal">Name-query</tt>
+<tt class="literal">failed</tt> <tt class="literal">to</tt>
+<tt class="literal">find</tt> <tt class="literal">name</tt> <tt class="literal">*</tt>,
+you have made a spelling mistake, or the client software on the PC
+isn't installed, started, or bound to TCP/IP. Double
+back to <a href="ch03.html">Chapter 3</a> and ensure that you have a
+client installed that is listening to the network.</p>
+</li></ul>
+<p>Repeat the command with the following options if you had any failures:</p>
+
+<ul><li>
+<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">client_IP_address</em> succeeds but
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">client_name</em> fails, there is a name service
+problem with the client's name; go to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
+</li><li>
+<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<tt class="literal">127.0.0.1</tt> '<tt class="literal">*</tt>' succeeds, but
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">client_IP_address</em> fails, there is a
+hardware problem, and <em class="emphasis">ping</em> should have failed.
+See your network manager.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.4"/>
+
+<h3 class="head3">Testing the network with nmblookup</h3>
+
+<p><a name="INDEX-77"/><a name="INDEX-78"/>Run the command
+<em class="emphasis">nmblookup</em> again with a <em class="emphasis">-d2</em>
+option (for a debug level of 2) and a parameter of
+'<tt class="literal">*</tt>'. This time we are testing the ability of
+programs (such as <em class="emphasis">nmbd</em> ) to use broadcast.
+It's essentially a connectivity test, done via a
+broadcast to the default broadcast address.</p>
+
+<p>A number of NetBIOS over TCP/IP hosts on the network should respond
+with <tt class="literal">got</tt> <tt class="literal">a</tt>
+<tt class="literal">positive</tt> <tt class="literal">name</tt>
+<tt class="literal">query</tt> <tt class="literal">response</tt> messages. Samba
+might not catch all the responses in the short time it listens, so
+you won't always see all the SMB clients on the
+network. However, you should see most of them:</p>
+
+<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -d 2 '*</b>' 
+Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending 
+queries to 192.168.236.255 
+Got a positive name query response from 192.168.236.191 (192.168.236.191) 
+Got a positive name query response from 192.168.236.228 (192.168.236.228) 
+Got a positive name query response from 192.168.236.75 (192.168.236.75) 
+Got a positive name query response from 192.168.236.79 (192.168.236.79) 
+Got a positive name query response from 192.168.236.206 (192.168.236.206) 
+Got a positive name query response from 192.168.236.207 (192.168.236.207) 
+Got a positive name query response from 192.168.236.217 (192.168.236.217) 
+Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</pre></blockquote>
+
+<p>However:</p>
+
+<ul><li>
+<p>If this doesn't give at least the client address you
+previously tested, the default broadcast address is wrong. Try
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<tt class="literal">255.255.255.255</tt> <tt class="literal">-d</tt>
+<tt class="literal">2</tt> '<tt class="literal">*</tt>', which is a last-ditch
+variant (using a broadcast address of all 1s). If this draws
+responses, the broadcast address you've been using
+before is wrong. Troubleshooting these is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
+chapter.</p>
+</li><li>
+<p>If the address 255.255.255.255 fails too, check your notes to see if
+your PC and server are on different subnets, as discovered in the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. You
+should try to diagnose this step with a server and client on the same
+subnet, but if you can't, you can try specifying the
+remote subnet's broadcast address with
+<em class="emphasis">-B</em>. Finding that address is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
+chapter. The <em class="emphasis">-B</em> option will work if your router
+supports directed broadcasts; if it doesn't, you
+might be forced to test with a client on the same network.</p>
+</li></ul>
+<p>As usual, you can check the Samba log files for additional clues.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.5"/>
+
+<h3 class="head3">Testing client browsing with net view</h3>
+
+<p><a name="INDEX-79"/><a name="INDEX-80"/>On the client, run the
+command <em class="replaceable">net view \\server</em> in an MS-DOS
+(command prompt) window to see if you can connect to the client and
+ask what shares it provides. You should get back a list of available
+shares on the server.</p>
+
+<p>If this works, continue with the later section <a href="ch12.html#samba2-CHP-12-SECT-3.1">Section 12.3.1</a>. Otherwise:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Network</tt> <tt class="literal">name</tt>
+<tt class="literal">not</tt> <tt class="literal">found</tt> for the name you just
+tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.3">Section 12.2.6.3</a>, there is a problem with the
+client software itself. Double-check this by running
+<em class="emphasis">nmblookup</em> on the client; if it works and
+<em class="emphasis">net view</em> doesn't, the client is
+at fault.</p>
+</li><li>
+<p>If <em class="emphasis">nmblookup</em> fails, there is a NetBIOS name
+service problem, as discussed in the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">You</tt> <tt class="literal">do</tt>
+<tt class="literal">not</tt> <tt class="literal">have</tt> <tt class="literal">the</tt>
+<tt class="literal">necessary</tt> <tt class="literal">access</tt>
+<tt class="literal">rights</tt>, or <tt class="literal">This</tt>
+<tt class="literal">server</tt> <tt class="literal">is</tt>
+<tt class="literal">not</tt> <tt class="literal">configured</tt>
+<tt class="literal">to</tt> <tt class="literal">list</tt>
+<tt class="literal">shared</tt> <tt class="literal">resources</tt>, either your
+guest account is misconfigured (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>) or you have a
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that prohibits
+connections from your system. These problems should have been
+detected by the <em class="emphasis">smbclient</em> tests starting in the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.1">Section 12.2.6.1</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
+<tt class="literal">computer</tt> <tt class="literal">is</tt>
+<tt class="literal">not</tt> <tt class="literal">receiving</tt>
+<tt class="literal">requests</tt>, you have misspelled the name, the system
+is unreachable by broadcast (tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.4">Section 12.2.6.4</a>), or it's
+not running <em class="emphasis">nmbd</em>.</p>
+</li><li>
+<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>
+<tt class="literal">error</tt>, you're probably
+encountering the Microsoft-encrypted password problem, as discussed
+earlier in this chapter and in <a href="ch09.html">Chapter 9</a>, with its
+corrections.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.6"/>
+
+<h3 class="head3">Browsing the server from the client</h3>
+
+<p><a name="INDEX-81"/><a name="INDEX-82"/>From the Windows Network
+Neighborhood (or My Network Places in newer releases), try to browse
+the server. Your Samba server should appear in the browse list of
+your local workgroup. You should be able to double-click the name of
+the server to get a list of shares.</p>
+
+<ul><li>
+<p>If you get an <tt class="literal">Invalid</tt> <tt class="literal">password</tt>
+error, it's most likely the encryption problem
+again.</p>
+</li><li>
+<p>If you receive an <tt class="literal">Unable</tt> <tt class="literal">to</tt>
+<tt class="literal">browse</tt> <tt class="literal">the</tt>
+<tt class="literal">network</tt> error, one of the following has occurred:</p>
+<ul><li>
+<p>You have looked too soon, before the broadcasts and updates have
+completed. Wait 30 seconds and try again.</p>
+</li><li>
+<p>There is a network problem you've not yet diagnosed.</p>
+</li><li>
+<p>There is no browse master. Add the configuration option
+<tt class="literal">local</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> to your
+<em class="emphasis">smb.conf</em> file.</p>
+</li><li>
+<p>No shares are made browsable in the <em class="emphasis">smb.conf</em>
+file.</p>
+</li></ul>
+</li>
+<li>
+<p>If you receive the message <tt class="literal">\\server</tt>
+<tt class="literal">is</tt> <tt class="literal">not</tt>
+<tt class="literal">accessible</tt> then:</p>
+<ul><li>
+<p>You have the encrypted password problem.</p>
+</li><li>
+<p>The system really isn't accessible.</p>
+</li><li>
+<p>The system doesn't support browsing.</p>
+</li></ul>
+</li>
+</ul>
+
+<p>If you've made it this far and the problem is not
+yet solved, either the problem is one we've not yet
+seen, or it is a problem related to a topic we have already covered,
+and further analysis is required. Name resolution is often related to
+difficulties with Samba, so we cover it in more detail in the next
+sections. If you know your problem is not related to name resolution,
+skip to the <a href="ch12.html#samba2-CHP-12-SECT-3">Section 12.3</a> at the end of the chapter. <a name="INDEX-83"/><a name="INDEX-84"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.7"/>
+
+<h3 class="head2">Troubleshooting Name Services</h3>
+
+<p><a name="INDEX-85"/><a name="INDEX-86"/>This
+section looks at simple troubleshooting of all the name services
+you'll encounter, but only for the common problems
+that affect Samba.</p>
+
+<p>There are several good references for troubleshooting particular name
+services: Paul <a name="INDEX-87"/>Albitz and Cricket <a name="INDEX-88"/>Liu's <em class="emphasis">DNS and
+Bind</em> (O'Reilly) covers the DNS, Hal
+<a name="INDEX-89"/>Stern's <em class="emphasis">NFS and
+NIS</em> (O'Reilly) covers NIS
+(&quot;Yellow pages&quot;), while Windows
+Internet Name Service (WINS), <em class="filename">hosts/LMHOSTS</em>
+files, and NIS+ are best covered by their respective
+vendors' manuals.</p>
+
+<p>The problems addressed in this section are as follows:</p>
+
+<ul><li>
+<p>Name services are identified.</p>
+</li><li>
+<p>A hostname can't be looked up.</p>
+</li><li>
+<p>The long (FQDN) form of a hostname works but the short form
+doesn't.</p>
+</li><li>
+<p>The short form of the name works, but the long form
+doesn't.</p>
+</li><li>
+<p>A long delay occurs before the expected result.</p>
+</li></ul>
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.1"/>
+
+<h3 class="head3">Identifying what's in use</h3>
+
+<p><a name="INDEX-90"/>First, see if both the
+server and the client are using DNS, WINS, NIS, or
+<em class="filename">hosts</em> files to look up IP addresses when you
+give them a name. Each kind of system has a different preference:</p>
+
+<ul><li>
+<p>Windows 95/98/Me tries WINS and the <em class="filename">LMHOSTS</em> file
+first, then broadcast, and finally DNS and <em class="filename">HOSTS</em>
+files.</p>
+</li><li>
+<p>Windows NT/2000/XP tries WINS, then broadcast, then the
+<em class="filename">LMHOSTS</em> file, and finally
+<em class="filename">HOSTS</em> and DNS.</p>
+</li><li>
+<p>Windows programs using the WINSOCK standard use the HOSTS file, DNS,
+WINS, and then broadcast. Don't assume that if a
+different program's name service works, the SMB
+client program's name service will!</p>
+</li><li>
+<p>Samba daemons use <em class="filename">lmhosts</em>, WINS, the Unix
+system's name resolution, and then broadcast.</p>
+</li><li>
+<p>Unix systems can be configured to use any combination of DNS,
+<em class="filename">HOSTS</em> files, NIS or NIS+, and winbind, generally
+in any order.</p>
+</li></ul>
+<p>We recommend that the client systems be configured to use WINS and
+DNS, the Samba daemons to use WINS and DNS, and the Unix server to
+use DNS, <em class="filename">hosts</em> files, and perhaps NIS+.
+You'll have to look at your notes and the actual
+systems to see which is in use.</p>
+
+<p>On the clients, the name services are all set in the TCP/IP
+Properties panel of the Networking Control Panel, as discussed in
+<a href="ch03.html">Chapter 3</a>. You might need to check there to see
+what you've actually turned on. On the server, see
+if a <em class="filename">/etc/resolv.conf</em> file exists. If it does,
+you're using DNS. You might be using the others as
+well, though. You'll need to check for NIS and
+combinations of services.</p>
+
+<p>Check for a <em class="filename">/etc/nsswitch.conf</em> file on Solaris
+and other System V Unix operating systems. If you have one, look for
+a line that begins with <tt class="literal">host</tt>: followed by one or
+more of <tt class="literal">files</tt>, <tt class="literal">bind</tt>,
+<tt class="literal">nis</tt>, or <tt class="literal">nis+</tt>. These are the
+name services to use, in order, with optional extra material in
+square brackets. The <tt class="literal">files</tt> keyword is for
+using <em class="emphasis">HOSTS</em> files, while <tt class="literal">bind</tt>
+(the Berkeley Internet Name Daemon) refers to using DNS.</p>
+
+<p>If the client and server differ, the first thing to do is to get them
+in sync. Clients can use DNS, WINS, <em class="emphasis">HOSTS</em>, and
+<em class="emphasis">LMHOSTS</em> files, but not NIS or NIS+. Servers can
+use <em class="emphasis">HOSTS</em> and <em class="filename">LMHOSTS</em>
+files, DNS, NIS or NIS+, and winbind, but not WINS&mdash;even if your
+Samba server provides WINS services. If you can't
+get all the systems to use the same services, you'll
+have to check the server and the client carefully for the same data.</p>
+
+<p>You can also make use of the <em class="emphasis">-R</em> (resolve order)
+option for <em class="emphasis">smbclient</em>. If you want to
+troubleshoot WINS, for example, you'd say:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L </b></tt><em class="replaceable">server</em> <tt class="userinput"><b>-R wins</b></tt></pre></blockquote>
+
+<p>The possible settings are <tt class="literal">hosts</tt> (which means
+whatever the Unix system is using, not just<em class="filename">
+/etc/hosts</em> files), <tt class="literal">lmhosts</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt> (broadcast).</p>
+
+<p>In the following sections, we use the term <em class="emphasis">long
+name</em> for a fully qualified domain name (FQDN), such as
+<tt class="literal">server.example.com</tt> , and the term <em class="emphasis">short
+name</em> for the host part of an FQDN, such as
+<tt class="literal">server</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.2"/>
+
+<h3 class="head3">Cannot look up hostnames</h3>
+
+<p><a name="INDEX-91"/>Try the
+following:</p>
+
+<dl>
+<dt><b>DNS</b></dt>
+<dd>
+<p>Run <tt class="literal">nslookup</tt> <em class="replaceable">name</em>. If
+this fails, look for a <em class="filename">resolv.conf</em> error, a
+downed DNS server, or a short/long name problem (see the next
+section). Try the following:</p>
+
+
+<ul><li>
+<p>Your <em class="filename">/etc/resolv.conf</em> file should contain one or
+more <tt class="literal">nameserver</tt> lines, each with an IP address.
+These are the addresses of your DNS servers.</p>
+</li><li>
+<p>Ping each server address you find. If this fails for one, suspect the
+system. If it fails for each, suspect your network.</p>
+</li><li>
+<p>Retry the lookup using the full domain name (e.g.,
+<tt class="literal">server.example.com</tt>) if you tried the short name
+first, or the short name if you tried the long name first. If results
+differ, skip to the next section.</p>
+</li></ul>
+</dd>
+
+
+
+<dt><b>Broadcast/ WINS</b></dt>
+<dd>
+<p>Broadcast/ WINS does only short names such as
+<tt class="literal">server</tt>, and not long ones, such as
+<tt class="literal">server.example.com</tt>. Run
+<tt class="literal">nmblookup</tt> <tt class="literal">-S</tt>
+<em class="replaceable">server</em>. This reports everything broadcast
+has registered for the name. In our example, it looks like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S server</b></tt>
+Looking up status of 192.168.236.86
+received 10 names
+        SERVER           &lt;00&gt; -         M &lt;ACTIVE&gt; 
+        SERVER           &lt;03&gt; -         M &lt;ACTIVE&gt; 
+        SERVER           &lt;1f&gt; -         M &lt;ACTIVE&gt; 
+        SERVER           &lt;20&gt; -         M &lt;ACTIVE&gt; 
+        ..__MSBROWSE__.  &lt;01&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;00&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;1b&gt; -         M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;1c&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;1d&gt; -         M &lt;ACTIVE&gt; 
+        MYGROUP          &lt;1e&gt; - &lt;GROUP&gt; M &lt;ACTIVE&gt;</pre></blockquote>
+
+<p>The required entry is <tt class="literal">SERVER</tt>
+<tt class="literal">&lt;00&gt;</tt>, which identifies
+<em class="replaceable">server</em> as being this
+system's NetBIOS name. You should also see your
+workgroup mentioned one or more times. If these lines are missing,
+Broadcast/WINS cannot look up names and will need attention.</p>
+
+<a name="samba2-CHP-12-NOTE-160"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The numbers in angle brackets in the previous output identify NetBIOS
+names as being workgroups, workstations, and file users of the
+messenger service, master browsers, domain master browsers, domain
+controllers, and a plethora of others. We primarily use
+<tt class="literal">&lt;00&gt;</tt> to identify system and workgroup names
+and <tt class="literal">&lt;20&gt;</tt> to identify systems as servers. The
+complete list is available at <a href="http://support.microsoft.com/support/kb/articles/q163/4/09.asp">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</a>.</p>
+</blockquote>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>Try <tt class="literal">ypmatch</tt> <tt class="literal">name</tt>
+<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
+NIS server's name by running
+<em class="emphasis">ypwhich</em>, and ping the system to see if
+it's accessible.</p>
+</dd>
+
+
+
+<dt><b>NIS+</b></dt>
+<dd>
+<p>If you're running NIS+, try
+<tt class="literal">nismatch</tt> <tt class="literal">name</tt>
+<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
+NIS+ server's name by running
+<em class="emphasis">niswhich</em>, and ping that system to see if
+it's accessible.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS files</b></dt>
+<dd>
+<p>Inspect the <em class="filename">HOSTS</em> file on the client
+(<em class="filename">C:\Windows\ Hosts</em> on Windows 95/98/Me, and
+<em class="filename">C:\WINNT \system32\drivers\etc\hosts</em> on Windows
+NT/2000/XP). Each line should have an IP number and one or more
+names, the primary name first, then any optional aliases. An example
+follows:</p>
+
+
+<blockquote><pre class="code">127.0.0.1         localhost
+192.168.236.1     dns.svc.example.com 
+192.168.236.10    client.example.com client 
+192.168.236.11    backup.example.com loghost 
+192.168.236.86    server.example.com server 
+192.168.236.254   router.svc.example.com</pre></blockquote>
+
+<p>On Unix, <tt class="literal">localhost</tt> should always be 127.0.0.1,
+although it might be just an alias for a hostname on the PC. On the
+client, check that there are no <tt class="literal">#XXX</tt> directives at
+the ends of the lines; these are LAN Manager/NetBIOS directives and
+should appear only in <em class="emphasis">LMHOSTS</em> files.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS files</b></dt>
+<dd>
+<p>This file is a local source for LAN Manager (NetBIOS) names. It has a
+format similar to <em class="filename">hosts</em> files, but it does not
+support long-form domain names (e.g.,
+<tt class="literal">server.example.com</tt>) and can have a number of
+optional <tt class="literal">#XXX</tt> directives following the NetBIOS
+names. There is usually an <em class="emphasis">lmhosts.sam</em> (for
+sample) file located in <em class="filename">C:\Windows</em> on Windows
+95/98/Me, and in <em class="filename">C:\WINNT\system32\drivers\etc</em>
+on Windows NT/2000/XP, but it's not used unless it
+is renamed to <em class="emphasis">Lmhosts</em> in the same directory.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.3"/>
+
+<h3 class="head3">Long and short hostnames</h3>
+
+<p><a name="INDEX-92"/>Where the long (FQDN) form of a hostname
+works but the short name doesn't (for example,
+<tt class="literal">client.example.com</tt> works but
+<tt class="literal">client</tt> doesn't), consider the
+following:</p>
+
+<dl>
+<dt><b>DNS </b></dt>
+<dd>
+<p>This usually indicates that there is no default domain in which to
+look up the short names. Look for a <tt class="literal">default</tt> line
+in <em class="filename">/etc/resolv.conf</em> on the Samba server with
+your domain in it, or look for a <tt class="literal">search</tt> line with
+one or more domains in it. One or the other might need to be present
+to make short names usable; which one depends on the vendor and
+version of the DNS resolver. Try adding <tt class="literal">domain</tt>
+<em class="replaceable">your_domain</em> to
+<em class="filename">resolv.conf</em>, and ask your network or DNS
+administrator what should be in the file.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/WINS </b></dt>
+<dd>
+<p>Broadcast/WINS doesn't support long names; it
+won't suffer from this problem.</p>
+</dd>
+
+
+
+<dt><b>NIS </b></dt>
+<dd>
+<p>Try the command <tt class="literal">ypmatch</tt>
+<em class="replaceable">hostname</em> <tt class="literal">hosts</tt>. If you
+don't get a match, your tables
+don't include short names. Speak to your network
+manager; short names might be missing by accident or might be
+unsupported as a matter of policy. Some sites don't
+ever use (ambiguous) short names.</p>
+</dd>
+
+
+
+<dt><b>NIS+</b></dt>
+<dd>
+<p>Try <tt class="literal">nismatch</tt> <em class="replaceable">hostname</em>
+<tt class="literal">hosts</tt>, and treat failure exactly as with NIS.</p>
+</dd>
+
+
+
+<dt><b>hosts </b></dt>
+<dd>
+<p>If the short name is not in <em class="filename">/etc/hosts</em>, consider
+adding it as an alias. Avoid, if you can, short names as primary
+names (the first one on a line). Have them as aliases if your system
+permits.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS </b></dt>
+<dd>
+<p>LAN Manager doesn't support long names, so it
+won't suffer from this problem.</p>
+</dd>
+
+</dl>
+
+<p>On the other hand, if the short form of the name works and the long
+form doesn't, consider the following:</p>
+
+<dl>
+<dt><b>DNS </b></dt>
+<dd>
+<p>This is bizarre; see your network or DNS administrator, as this is
+probably a DNS setup error.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/WINS </b></dt>
+<dd>
+<p>This is normal; Broadcast/WINS can't use the long
+form. Optionally, consider DNS. (Be aware that Microsoft has stated
+that it will eventually switch entirely to DNS, even though DNS does
+not provide name types such as &lt;00&gt;.)</p>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>If you can use <em class="emphasis">ypmatch</em> to look up the short form
+but not the long, consider adding the long form to the table as at
+least an alias.</p>
+</dd>
+
+
+
+<dt><b>NIS+ </b></dt>
+<dd>
+<p>Same as NIS, except you use <em class="emphasis">nismatch</em> instead of
+<em class="emphasis">ypmatch</em> to look up names.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS</b></dt>
+<dd>
+<p>Add the long name as at least an alias, and preferably as the primary
+form. Also consider using DNS if it's practical.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS </b></dt>
+<dd>
+<p>This is normal. LAN Manager can't use the long form;
+consider switching to DNS or <em class="filename">hosts</em>.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.4"/>
+
+<h3 class="head3">Unusual delays</h3>
+
+<p><a name="INDEX-93"/>When there is a long delay before the
+expected result:</p>
+
+<dl>
+<dt><b>DNS </b></dt>
+<dd>
+<p>Test the same name with the <em class="emphasis">nslookup</em> command on
+the system that is slow (client or server). If
+<em class="emphasis">nslookup</em> is also slow, you have a DNS problem.
+If it's slower on a client, you might have too many
+protocols bound to the Ethernet card. Eliminate NetBEUI, which is
+infamously slow, and, optionally, Novell&mdash;assuming you
+don't need them. This is especially important on
+Windows 95, which is particularly sensitive to excess protocols.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/ WINS</b></dt>
+<dd>
+<p>Test the client using <em class="emphasis">nmblookup</em>; if
+it's faster, you probably have the protocols problem
+as mentioned in the previous item.</p>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>Try <em class="emphasis">ypmatch</em>; if it's slow,
+report the problem to your network manager.</p>
+</dd>
+
+
+
+<dt><b>NIS+ </b></dt>
+<dd>
+<p>Try <em class="emphasis">nismatch</em>, similarly.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS</b></dt>
+<dd>
+<p>The <em class="emphasis">hosts</em> files, if of reasonable size, are
+always fast. You probably have the protocols problem mentioned
+previously under DNS.</p>
+</dd>
+
+
+
+<dt><b>lmhosts and LMHOSTS</b></dt>
+<dd>
+<p>This is not a name lookup problem; <em class="emphasis">LMHOSTS</em> files
+are as fast as <em class="emphasis">hosts</em> and
+<em class="filename">HOSTS</em> files.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.5"/>
+
+<h3 class="head3">Localhost issues</h3>
+
+<p><a name="INDEX-94"/>When a localhost isn't
+127.0.0.1, try the following:</p>
+
+<dl>
+<dt><b>DNS</b></dt>
+<dd>
+<p>There is probably no record for <tt class="literal">localhost</tt>.
+<tt class="literal">A</tt> <tt class="literal">127.0.0.1</tt>. Arrange to add
+one, as well as a reverse entry,
+<tt class="literal">1.0.0.127.IN-ADDR.ARPA</tt> <tt class="literal">PTR</tt>
+<tt class="literal">127.0.0.1</tt>.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/WINS</b></dt>
+<dd>
+<p>Not applicable.</p>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>If <tt class="literal">localhost</tt> isn't in the table,
+add it.</p>
+</dd>
+
+
+
+<dt><b>NIS+ </b></dt>
+<dd>
+<p>If <tt class="literal">localhost</tt> isn't in the table,
+add it.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS</b></dt>
+<dd>
+<p>Add a line that says <tt class="literal">127.0.0.1</tt>
+<tt class="literal">localhost</tt>.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS</b></dt>
+<dd>
+<p>Not applicable. <a name="INDEX-95"/><a name="INDEX-96"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.8"/>
+
+<h3 class="head2">Troubleshooting Network Addresses</h3>
+
+<p><a name="INDEX-97"/><a name="INDEX-98"/>A
+number of common problems are caused by incorrect routing of Internet
+addresses or by the incorrect assignment of addresses. This section
+helps you determine what your addresses are.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.1"/>
+
+<h3 class="head3">Netmasks</h3>
+
+<p>Using the <a name="INDEX-99"/>netmask, it is possible to
+determine which addresses can be reached directly (i.e., which are on
+the local network) and which addresses require forwarding packets
+through a router. If the netmask is wrong, the systems will make one
+of two mistakes. One is to route local packets via a router, which is
+an expensive waste of time&mdash;it might work reasonably fast, it
+might run slowly, or it might fail utterly. The second mistake is to
+fail to send packets from a remote system to the router, which will
+prevent them from being forwarded to the remote system.</p>
+
+<p>The netmask is a number like an IP address, with one-bits for the
+network part of an address and zero-bits for the host portion. It is
+used as a bitmask to mask off parts of the address inside the TCP/IP
+code. If the mask is 255.255.0.0, the first 2 bytes are the network
+part and the last 2 are the host part. More common is 255.255.255.0,
+in which the first 3 bytes are the network part and the last one is
+the host part.</p>
+
+<p>For example, let's say your IP address is
+192.168.0.10 and the Samba server is 192.168.236.86. If your netmask
+happens to be 255.255.255.0, the network part of the address is the
+first 3 bytes, and the host part is the last byte. In this case, the
+network parts are different, and the systems are on different
+networks:</p>
+
+<a name="ch12-37-fm2xml"/><table border="1">
+
+
+
+<tr>
+<th>
+<p>Network part</p>
+</th>
+<th>
+<p>Host part</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>192 168 000</p>
+</td>
+<td>
+<p>10</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>192 168 235</p>
+</td>
+<td>
+<p>86</p>
+</td>
+</tr>
+
+</table>
+
+<p>If your netmask happens to be 255.255.0.0, the network part is just
+the first 2 bytes. In this case, the network parts match, and so the
+two systems are on the same network:</p>
+
+<a name="ch12-38-fm2xml"/><table border="1">
+
+
+
+<tr>
+<th>
+<p>Network part</p>
+</th>
+<th>
+<p>Host part</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>192 168</p>
+</td>
+<td>
+<p>000 10</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>192 168</p>
+</td>
+<td>
+<p>236 86</p>
+</td>
+</tr>
+
+</table>
+
+<p>Make sure the netmask in use on each system matches the structure of
+your network. On every subnet, the netmask should be identical on
+each system.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.2"/>
+
+<h3 class="head3">Broadcast addresses</h3>
+
+<p>The <a name="INDEX-100"/>broadcast address is a normal address,
+with the hosts part all one-bits. It means &quot;all
+hosts on your network.&quot; You can compute it easily
+from your netmask and address: take the address and put one-bits in
+it for all the bits that are zero at the end of the netmask (the host
+part). The following table illustrates this:</p>
+
+<a name="ch12-39-fm2xml"/><table border="1">
+
+
+
+
+<tr>
+<th>
+</th>
+<th>
+<p>Network part</p>
+</th>
+<th>
+<p>Host part</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>IP address</p>
+</td>
+<td>
+<p>192 168 236</p>
+</td>
+<td>
+<p>86</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Netmask</p>
+</td>
+<td>
+<p>255 255 255</p>
+</td>
+<td>
+<p>000</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Broadcast</p>
+</td>
+<td>
+<p>192 168 236</p>
+</td>
+<td>
+<p>255</p>
+</td>
+</tr>
+
+</table>
+
+<p>In this example, the broadcast address on the 192.168.236 network is
+192.168.236.255. There is also an old
+&quot;universal&quot; broadcast address,
+255.255.255.255. Routers are prohibited from forwarding these, but
+most systems on your local network will respond to broadcasts to this
+address.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.3"/>
+
+<h3 class="head3">Network address ranges</h3>
+
+<p>A <a name="INDEX-101"/>number of address ranges have been
+reserved for testing and for nonconnected networks; we use these for
+the examples in this book. If you don't have an
+address yet, feel free to use one of these to start. They include one
+class A network, 10.*.*.*, a range of class B network addresses,
+172.16.*.* through 172.31.*.*, and 254 class C networks, 192.168.1.*
+through 192.168.254.*. The domain <tt class="literal">example.com</tt> is
+also reserved for unconnected networks, explanatory examples, and
+books.</p>
+
+<p>If you're actually connecting to the Internet,
+you'll need to get an appropriate IP address and a
+domain name, probably through the same company that provides your
+connection.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.4"/>
+
+<h3 class="head3">Finding your network address</h3>
+
+<p><a name="INDEX-102"/>If you
+haven't recorded your IP address, you can learn it
+through the <em class="emphasis">ifconfig</em><a name="INDEX-103"/> command on Unix or the
+<em class="emphasis">ipconfig</em> <a name="INDEX-104"/>command on Windows. (Check your manual
+pages for any options required by your brand of Unix. For example,
+<tt class="literal">ifconfig</tt> <tt class="literal">-a</tt> works on Solaris.)
+You should see output similar to the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ifconfig -a</b></tt> 
+le0: flags=63&lt;UP,BROADCAST,NOTRAILERS,RUNNING &gt; 
+      inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255 
+lo0: flags=49&lt;&amp;lt&gt;UP,LOOPBACK,RUNNING&lt;&amp;gt&gt;         
+      inet 127.0.0.1 netmask ff000000</pre></blockquote>
+
+<p>One of the interfaces will be loopback (in our examples,
+<tt class="literal">lo0</tt>), and the other will be the regular IP
+interface. The flags should show that the interface is running, and
+Ethernet interfaces will also say they support broadcasts (PPP
+interfaces don't). The other places to look for IP
+addresses are <em class="filename">/etc/hosts</em> files, Windows
+<em class="emphasis">HOSTS</em> files, Windows
+<em class="emphasis">LMHOSTS</em> files, NIS, NIS+, and DNS. <a name="INDEX-105"/><a name="INDEX-106"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.9"/>
+
+<h3 class="head2">Troubleshooting NetBIOS Names</h3>
+
+<p><a name="INDEX-107"/><a name="INDEX-108"/>Historically, SMB protocols have
+depended on the NetBIOS name system, also called the LAN Manager name
+system. This was a simple scheme where each system had a unique
+20-character name and broadcast it on the LAN for everyone to know.
+With TCP/IP, we tend to use names such as
+<tt class="literal">client.example.com</tt>, stored in
+<em class="filename">/etc/hosts</em> files through DNS or WINS.</p>
+
+<p>The usual mapping of domain names such as
+<tt class="literal">server.example.com</tt> to NetBIOS names simply uses
+the <tt class="literal">server</tt> part as the NetBIOS name and converts
+it to uppercase. Alas, this doesn't always work,
+especially if you have a system with a 21-character name; not
+everyone uses the same NetBIOS and DNS names. For example,
+<tt class="literal">corpvm1</tt> along with <tt class="literal">vm1.corp.com</tt>
+is not unusual.</p>
+
+<p>A system with a different NetBIOS name and domain name is confusing
+when you're troubleshooting; we recommend that you
+try to avoid this wherever possible. NetBIOS names are discoverable
+with <em class="emphasis">smbclient</em> :</p>
+
+<ul><li>
+<p>If you can list shares on your Samba server with
+<tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
+<tt class="literal">short_name</tt>, the short name is the NetBIOS name.</p>
+</li><li>
+<p>If you get <tt class="literal">Get_Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">name</tt>, there is probably a mismatch. Check in the
+<em class="filename">smb.conf</em> file to see if the NetBIOS name is
+explicitly set.</p>
+</li><li>
+<p>Try to list shares again, specifying <tt class="literal">-I</tt> and the IP
+address of the Samba server (e.g., <tt class="literal">smbclient</tt>
+<tt class="literal">-L</tt> <tt class="literal">server</tt> <tt class="literal">-I</tt>
+<tt class="literal">192.168.236.86</tt>). This overrides the name lookup
+and forces the packets to go to the IP address. If this works, there
+was a mismatch.</p>
+</li><li>
+<p>Try with <tt class="literal">-I</tt> and the full domain name of the server
+(e.g., <tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
+<tt class="literal">server</tt> <tt class="literal">-I</tt>
+<tt class="literal">server.example.com</tt>). This tests the lookup of the
+domain name, using whatever scheme the Samba server uses (e.g., DNS).
+If it fails, you have a name service problem. You should reread the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>,
+after you finish troubleshooting the NetBIOS names.</p>
+</li><li>
+<p>Try with the <tt class="literal">-n</tt> (NetBIOS name) option, giving it
+the name you expect to work (e.g., <tt class="literal">smbclient</tt>
+<tt class="literal">-n</tt> <tt class="literal">server</tt> <tt class="literal">-L</tt>
+<tt class="literal">server-12</tt>), but without overriding the IP address
+through <tt class="literal">-I</tt>. If this works, the name you specified
+with <tt class="literal">-n</tt> is the actual NetBIOS name of the server.
+If you receive <tt class="literal">Get-Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">SERVER</tt>, it's not the right server
+yet.</p>
+</li><li>
+<p>If nothing is working so far, repeat the tests specifying
+<tt class="literal">-U</tt> <em class="emphasis">username</em> and
+<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>, with the
+username and workgroup in uppercase, to make sure
+you're not being derailed by a user or workgroup
+mismatch.</p>
+</li><li>
+<p>If still nothing works and you had evidence of a name service
+problem, troubleshoot the name service (see the earlier section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>) and then return to
+the NetBIOS name service. <a name="INDEX-109"/><a name="INDEX-110"/></p>
+</li></ul>
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-12-SECT-3"/>
+
+<h2 class="head1">Extra Resources</h2>
+
+<p>At some point during your work with Samba, you'll
+want to turn to online or printed resources for news, updates, and
+aid.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.1"/>
+
+<h3 class="head2">Documentation and FAQs</h3>
+
+<p>It's OK to read the <a name="INDEX-111"/><a name="INDEX-112"/>documentation. Really. Nobody can see you,
+and we won't tell. In fact, Samba ships with a large
+set of documentation files, and it is well worth the effort to at
+least browse through them, either in the distribution directory on
+your computer under <em class="filename">/docs</em> or online at the Samba
+web site: <a href="http://www.samba.org">http://www.samba.org</a>. The most current
+FAQ list, bug information, and distribution locations are located at
+the web site, with links to all the Samba manual pages and HOWTOs.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.2"/>
+
+<h3 class="head2">Samba Newsgroups</h3>
+
+<p><a name="INDEX-113"/>Usenet
+newsgroups have always been a great place to get advice on just about
+any topic. In the past few years, though, this vast pool of knowledge
+has developed something that has made it into an invaluable resource:
+a memory. Archival and search sites such as the one at
+<a name="INDEX-114"/>Google (<a href="http://groups.google.com/advanced_group_search">http://groups.google.com/advanced_group_search</a>)
+have made sifting through years of valuable solutions as simple as a
+few mouse clicks.</p>
+
+<p>The primary newsgroup for Samba is
+<em class="emphasis">comp.protocols.smb</em><a name="INDEX-115"/>. This should always be your first
+stop when there's a problem. More often than not,
+spending 5 minutes researching an error here will save hours of
+frustration while trying to debug something yourself.</p>
+
+<p>When searching a newsgroup, try to be as specific as possible, but
+not too wordy. Searching on actual error messages is best. If you
+don't find an answer immediately in the newsgroup,
+resist the temptation to post a request for help until
+you've done a bit more work on the problem. You
+might find that the answer is in a FAQ or one of the many
+documentation files that ship with Samba, or a solution might become
+evident when you run one of Samba's diagnostic
+tools. If nothing works, post a request in
+<em class="emphasis">comp.protocols.smb</em>, and be as specific as
+possible about what you have tried and what you are seeing. Include
+any error messages that appear. It might be days before you receive
+help, so be patient and keep trying things while you wait.</p>
+
+<a name="samba2-CHP-12-NOTE-161"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Once you post a request for help, keep poking at the problem
+yourself. Most of us have had the experience of posting a Usenet
+article containing hundreds of lines of intricate detail, only to
+solve the problem an hour later after the article has blazed its way
+across several continents. The rule of thumb goes something like
+this: the more folks who have read your request, the simpler the
+solution. Usually this means that once everyone in the Unix community
+has seen your article, the solution will be something simple such as,
+&quot;Plug the power cord into the wall
+socket.&quot;</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.3"/>
+
+<h3 class="head2">Samba Mailing Lists</h3>
+
+<p>The following are <a name="INDEX-116"/>mailing lists for support with Samba. See
+the Samba home page, <a href="http://www.samba.org/">http://www.samba.org/</a>, for
+information on subscribing and unsubscribing to these mailing lists:</p>
+
+<dl>
+<dt><b>samba@samba.org</b></dt>
+<dd>
+<p>This is the primary mailing list for general questions and discussion
+regarding Samba.</p>
+</dd>
+
+
+
+<dt><b>samba-announce@samba.org</b></dt>
+<dd>
+<p>This list is for receiving news regarding Samba, such as
+announcements of new releases.</p>
+</dd>
+
+
+
+<dt><b>samba-cvs@samba.org</b></dt>
+<dd>
+<p>By subscribing to this list, you can automatically receive a message
+every time one of the Samba developers updates the Samba source code
+in the CVS repository. You might want to do this if you are waiting
+for a specific bug fix or feature to be applied. To avoid congesting
+your email inbox, we suggest using the digest feature, which
+consolidates messages into a smaller number of emails.</p>
+</dd>
+
+
+
+<dt><b>samba-docs@samba.org</b></dt>
+<dd>
+<p>This list is for discussing Samba documentation.</p>
+</dd>
+
+
+
+<dt><b>samba-vms@samba.org</b></dt>
+<dd>
+<p>This mailing list is for people who are running Samba on the VMS
+operating system.</p>
+</dd>
+
+
+
+<dt><b>samba-binaries@samba.org</b></dt>
+<dd>
+<p>This is a list for developers to use when discussing precompiled
+Samba distributions.</p>
+</dd>
+
+
+
+<dt><b>samba-technical@samba.org</b></dt>
+<dd>
+<p>This mailing list is for developer discussion of the Samba code.</p>
+</dd>
+
+</dl>
+
+<p>Searchable versions of the Samba mailing list archives can be found
+at <a href="http://marc.theaimsgroup.com">http://marc.theaimsgroup.com</a>.</p>
+
+<p>When posting messages to the Samba mailing lists, keep in mind that
+you are sending your message to a large audience. The notes in the
+previous section regarding Usenet postings also apply here. A
+well-formulated question or comment is more likely to be answered,
+and a poorly conceived message is <em class="emphasis">very</em> likely to
+be ignored!</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.4"/>
+
+<h3 class="head2">Further Reading</h3>
+
+<ol><li>
+<p>Hunt, Craig. <em class="emphasis">TCP/IP Network Administration</em>,
+Third Edition. Sebastopol, CA: O'Reilly
+&amp; Associates, 1997.</p>
+</li>
+<li>
+<p>Hunt, Craig, and Robert Bruce Thompson. <em class="emphasis">Windows NT TCP/IP
+Network Administration</em>. Sebastopol, CA:
+O'Reilly &amp; Associates, 1998.</p>
+</li>
+<li>
+<p>Albitz, Paul, and Cricket Liu. <em class="emphasis">DNS and Bind</em>,
+Fourth Edition. Sebastopol, CA: O'Reilly
+&amp; Associates, 1998.</p>
+</li>
+<li>
+<p>Stern, Hal. <em class="emphasis">Managing NFS and NIS</em>, Second
+Edition. Sebastopol, CA: O'Reilly &amp; Associates,
+1991.<a name="INDEX-117"/></p>
+</li></ol>
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
diff --git a/docs/htmldocs/using_samba/figs/sam2_0101.gif b/docs/htmldocs/using_samba/figs/sam2_0101.gif
new file mode 100644
index 0000000000..195326a205
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0101.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0102.gif b/docs/htmldocs/using_samba/figs/sam2_0102.gif
new file mode 100644
index 0000000000..e453dbf023
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0102.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0103.gif b/docs/htmldocs/using_samba/figs/sam2_0103.gif
new file mode 100644
index 0000000000..ed50af69af
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0103.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0104.gif b/docs/htmldocs/using_samba/figs/sam2_0104.gif
new file mode 100644
index 0000000000..e903a0f22e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0104.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0105.gif b/docs/htmldocs/using_samba/figs/sam2_0105.gif
new file mode 100644
index 0000000000..0fec77125d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0105.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0106.gif b/docs/htmldocs/using_samba/figs/sam2_0106.gif
new file mode 100644
index 0000000000..32cbfdbee4
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0106.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0107.gif b/docs/htmldocs/using_samba/figs/sam2_0107.gif
new file mode 100644
index 0000000000..2d8b8e66b7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0107.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0108.gif b/docs/htmldocs/using_samba/figs/sam2_0108.gif
new file mode 100644
index 0000000000..9d26856e38
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0108.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0109.gif b/docs/htmldocs/using_samba/figs/sam2_0109.gif
new file mode 100644
index 0000000000..2c7db9617a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0109.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0110.gif b/docs/htmldocs/using_samba/figs/sam2_0110.gif
new file mode 100644
index 0000000000..2d7d50a702
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0110.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0111.gif b/docs/htmldocs/using_samba/figs/sam2_0111.gif
new file mode 100644
index 0000000000..f6be700fa5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0111.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0112.gif b/docs/htmldocs/using_samba/figs/sam2_0112.gif
new file mode 100644
index 0000000000..4eddb82069
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0112.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0113.gif b/docs/htmldocs/using_samba/figs/sam2_0113.gif
new file mode 100644
index 0000000000..1886bbcb5a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0113.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0114.gif b/docs/htmldocs/using_samba/figs/sam2_0114.gif
new file mode 100644
index 0000000000..75cf0a750a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0114.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0201.gif b/docs/htmldocs/using_samba/figs/sam2_0201.gif
new file mode 100644
index 0000000000..7dc140530c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0201.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0202.gif b/docs/htmldocs/using_samba/figs/sam2_0202.gif
new file mode 100644
index 0000000000..ccbaeed4fe
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0202.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0203.gif b/docs/htmldocs/using_samba/figs/sam2_0203.gif
new file mode 100644
index 0000000000..127705fd38
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0203.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0204.gif b/docs/htmldocs/using_samba/figs/sam2_0204.gif
new file mode 100644
index 0000000000..5359423fd5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0204.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0301.gif b/docs/htmldocs/using_samba/figs/sam2_0301.gif
new file mode 100644
index 0000000000..30759463cf
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0301.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0302.gif b/docs/htmldocs/using_samba/figs/sam2_0302.gif
new file mode 100644
index 0000000000..5576573e83
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0302.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0303.gif b/docs/htmldocs/using_samba/figs/sam2_0303.gif
new file mode 100644
index 0000000000..76b8dd36bb
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0303.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0304.gif b/docs/htmldocs/using_samba/figs/sam2_0304.gif
new file mode 100644
index 0000000000..b309fc9968
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0304.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0305.gif b/docs/htmldocs/using_samba/figs/sam2_0305.gif
new file mode 100644
index 0000000000..5a9fd77443
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0305.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0306.gif b/docs/htmldocs/using_samba/figs/sam2_0306.gif
new file mode 100644
index 0000000000..47b15548f3
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0306.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0307.gif b/docs/htmldocs/using_samba/figs/sam2_0307.gif
new file mode 100644
index 0000000000..7874ccb889
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0307.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0308.gif b/docs/htmldocs/using_samba/figs/sam2_0308.gif
new file mode 100644
index 0000000000..23d4fccd65
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0308.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0309.gif b/docs/htmldocs/using_samba/figs/sam2_0309.gif
new file mode 100644
index 0000000000..2e27a2f407
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0309.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0310.gif b/docs/htmldocs/using_samba/figs/sam2_0310.gif
new file mode 100644
index 0000000000..846b228eff
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0310.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0311.gif b/docs/htmldocs/using_samba/figs/sam2_0311.gif
new file mode 100644
index 0000000000..acb82fa77b
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0311.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0312.gif b/docs/htmldocs/using_samba/figs/sam2_0312.gif
new file mode 100644
index 0000000000..2a96425312
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0312.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0313.gif b/docs/htmldocs/using_samba/figs/sam2_0313.gif
new file mode 100644
index 0000000000..4482a8b27b
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0313.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0314.gif b/docs/htmldocs/using_samba/figs/sam2_0314.gif
new file mode 100644
index 0000000000..02b8bcd2c7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0314.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0315.gif b/docs/htmldocs/using_samba/figs/sam2_0315.gif
new file mode 100644
index 0000000000..bd747a23a9
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0315.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0316.gif b/docs/htmldocs/using_samba/figs/sam2_0316.gif
new file mode 100644
index 0000000000..a12e20e8b4
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0316.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0317.gif b/docs/htmldocs/using_samba/figs/sam2_0317.gif
new file mode 100644
index 0000000000..1957fc09e6
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0317.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0318.gif b/docs/htmldocs/using_samba/figs/sam2_0318.gif
new file mode 100644
index 0000000000..2c90ee6523
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0318.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0319.gif b/docs/htmldocs/using_samba/figs/sam2_0319.gif
new file mode 100644
index 0000000000..ceb8041299
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0319.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0320.gif b/docs/htmldocs/using_samba/figs/sam2_0320.gif
new file mode 100644
index 0000000000..766c0ec4ba
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0320.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0321.gif b/docs/htmldocs/using_samba/figs/sam2_0321.gif
new file mode 100644
index 0000000000..b1dac33f23
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0321.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0322.gif b/docs/htmldocs/using_samba/figs/sam2_0322.gif
new file mode 100644
index 0000000000..fa0c2a3ed2
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0322.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0323.gif b/docs/htmldocs/using_samba/figs/sam2_0323.gif
new file mode 100644
index 0000000000..9678a4b0da
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0323.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0324.gif b/docs/htmldocs/using_samba/figs/sam2_0324.gif
new file mode 100644
index 0000000000..f1fd719fc2
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0324.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0325.gif b/docs/htmldocs/using_samba/figs/sam2_0325.gif
new file mode 100644
index 0000000000..3887d36b94
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0325.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0326.gif b/docs/htmldocs/using_samba/figs/sam2_0326.gif
new file mode 100644
index 0000000000..26047eb48e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0326.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0327.gif b/docs/htmldocs/using_samba/figs/sam2_0327.gif
new file mode 100644
index 0000000000..f8b661bce8
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0327.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0328.gif b/docs/htmldocs/using_samba/figs/sam2_0328.gif
new file mode 100644
index 0000000000..9f767a156e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0328.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0329.gif b/docs/htmldocs/using_samba/figs/sam2_0329.gif
new file mode 100644
index 0000000000..4cfa231e86
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0329.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0330.gif b/docs/htmldocs/using_samba/figs/sam2_0330.gif
new file mode 100644
index 0000000000..4c90f3b8c7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0330.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0331.gif b/docs/htmldocs/using_samba/figs/sam2_0331.gif
new file mode 100644
index 0000000000..bc1fc19721
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0331.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0332.gif b/docs/htmldocs/using_samba/figs/sam2_0332.gif
new file mode 100644
index 0000000000..a507e19018
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0332.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0333.gif b/docs/htmldocs/using_samba/figs/sam2_0333.gif
new file mode 100644
index 0000000000..6b1b2a7dd5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0333.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0334.gif b/docs/htmldocs/using_samba/figs/sam2_0334.gif
new file mode 100644
index 0000000000..ff408ecd6c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0334.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0335.gif b/docs/htmldocs/using_samba/figs/sam2_0335.gif
new file mode 100644
index 0000000000..fdf01219e1
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0335.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0336.gif b/docs/htmldocs/using_samba/figs/sam2_0336.gif
new file mode 100644
index 0000000000..a44851c340
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0336.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0337.gif b/docs/htmldocs/using_samba/figs/sam2_0337.gif
new file mode 100644
index 0000000000..219afbd147
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0337.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0338.gif b/docs/htmldocs/using_samba/figs/sam2_0338.gif
new file mode 100644
index 0000000000..8f1ba6e36f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0338.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0339.gif b/docs/htmldocs/using_samba/figs/sam2_0339.gif
new file mode 100644
index 0000000000..f42c1b57ec
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0339.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0340.gif b/docs/htmldocs/using_samba/figs/sam2_0340.gif
new file mode 100644
index 0000000000..76c5a1b347
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0340.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0341.gif b/docs/htmldocs/using_samba/figs/sam2_0341.gif
new file mode 100644
index 0000000000..634b847d04
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0341.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0342.gif b/docs/htmldocs/using_samba/figs/sam2_0342.gif
new file mode 100644
index 0000000000..51284782a3
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0342.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0343.gif b/docs/htmldocs/using_samba/figs/sam2_0343.gif
new file mode 100644
index 0000000000..0618a841cf
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0343.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0344.gif b/docs/htmldocs/using_samba/figs/sam2_0344.gif
new file mode 100644
index 0000000000..7d40dbcdf1
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0344.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0345.gif b/docs/htmldocs/using_samba/figs/sam2_0345.gif
new file mode 100644
index 0000000000..0b36aa6da3
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0345.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0346.gif b/docs/htmldocs/using_samba/figs/sam2_0346.gif
new file mode 100644
index 0000000000..36c3999ad1
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0346.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0347.gif b/docs/htmldocs/using_samba/figs/sam2_0347.gif
new file mode 100644
index 0000000000..db6c3e10ce
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0347.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0348.gif b/docs/htmldocs/using_samba/figs/sam2_0348.gif
new file mode 100644
index 0000000000..16457a3421
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0348.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0349.gif b/docs/htmldocs/using_samba/figs/sam2_0349.gif
new file mode 100644
index 0000000000..6445cdd3bc
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0349.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0350.gif b/docs/htmldocs/using_samba/figs/sam2_0350.gif
new file mode 100644
index 0000000000..08ee35b8e7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0350.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0351.gif b/docs/htmldocs/using_samba/figs/sam2_0351.gif
new file mode 100644
index 0000000000..b30b603818
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0351.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0352.gif b/docs/htmldocs/using_samba/figs/sam2_0352.gif
new file mode 100644
index 0000000000..bfab1e0031
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0352.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0353.gif b/docs/htmldocs/using_samba/figs/sam2_0353.gif
new file mode 100644
index 0000000000..4c1e84f37e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0353.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0354.gif b/docs/htmldocs/using_samba/figs/sam2_0354.gif
new file mode 100644
index 0000000000..3519397705
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0354.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0355.gif b/docs/htmldocs/using_samba/figs/sam2_0355.gif
new file mode 100644
index 0000000000..8559956df8
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0355.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0356.gif b/docs/htmldocs/using_samba/figs/sam2_0356.gif
new file mode 100644
index 0000000000..9cffddf4b2
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0356.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0357.gif b/docs/htmldocs/using_samba/figs/sam2_0357.gif
new file mode 100644
index 0000000000..f1a7043858
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0357.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0358.gif b/docs/htmldocs/using_samba/figs/sam2_0358.gif
new file mode 100644
index 0000000000..58073c2d19
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0358.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0359.gif b/docs/htmldocs/using_samba/figs/sam2_0359.gif
new file mode 100644
index 0000000000..1fe90edca6
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0359.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0360.gif b/docs/htmldocs/using_samba/figs/sam2_0360.gif
new file mode 100644
index 0000000000..c306296f08
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0360.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0361.gif b/docs/htmldocs/using_samba/figs/sam2_0361.gif
new file mode 100644
index 0000000000..7b6cc3c878
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0361.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0401.gif b/docs/htmldocs/using_samba/figs/sam2_0401.gif
new file mode 100644
index 0000000000..68c4ec949e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0401.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0402.gif b/docs/htmldocs/using_samba/figs/sam2_0402.gif
new file mode 100644
index 0000000000..817622adee
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0402.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0403.gif b/docs/htmldocs/using_samba/figs/sam2_0403.gif
new file mode 100644
index 0000000000..8d2bf580e6
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0403.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0404.gif b/docs/htmldocs/using_samba/figs/sam2_0404.gif
new file mode 100644
index 0000000000..5f93a6715c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0404.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0405.gif b/docs/htmldocs/using_samba/figs/sam2_0405.gif
new file mode 100644
index 0000000000..67925c1db5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0405.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0406.gif b/docs/htmldocs/using_samba/figs/sam2_0406.gif
new file mode 100644
index 0000000000..f6b3924711
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0406.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0407.gif b/docs/htmldocs/using_samba/figs/sam2_0407.gif
new file mode 100644
index 0000000000..486a629e9e
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0407.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0408.gif b/docs/htmldocs/using_samba/figs/sam2_0408.gif
new file mode 100644
index 0000000000..dbc31bb54d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0408.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0409.gif b/docs/htmldocs/using_samba/figs/sam2_0409.gif
new file mode 100644
index 0000000000..b9d31f2a4d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0409.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0410.gif b/docs/htmldocs/using_samba/figs/sam2_0410.gif
new file mode 100644
index 0000000000..83e4c9cb89
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0410.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0411.gif b/docs/htmldocs/using_samba/figs/sam2_0411.gif
new file mode 100644
index 0000000000..c6684d625c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0411.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0412.gif b/docs/htmldocs/using_samba/figs/sam2_0412.gif
new file mode 100644
index 0000000000..4706a99f51
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0412.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0413.gif b/docs/htmldocs/using_samba/figs/sam2_0413.gif
new file mode 100644
index 0000000000..71bf8690f8
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0413.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0414.gif b/docs/htmldocs/using_samba/figs/sam2_0414.gif
new file mode 100644
index 0000000000..2056eb45bb
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0414.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0415.gif b/docs/htmldocs/using_samba/figs/sam2_0415.gif
new file mode 100644
index 0000000000..0c8eb01774
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0415.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0416.gif b/docs/htmldocs/using_samba/figs/sam2_0416.gif
new file mode 100644
index 0000000000..c2b2fecf3d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0416.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0417.gif b/docs/htmldocs/using_samba/figs/sam2_0417.gif
new file mode 100644
index 0000000000..a84d217c1f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0417.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0501.gif b/docs/htmldocs/using_samba/figs/sam2_0501.gif
new file mode 100644
index 0000000000..eda8e934d7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0501.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0502.gif b/docs/htmldocs/using_samba/figs/sam2_0502.gif
new file mode 100644
index 0000000000..1f996e1b63
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0502.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0503.gif b/docs/htmldocs/using_samba/figs/sam2_0503.gif
new file mode 100644
index 0000000000..0d7e3654ec
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0503.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0504.gif b/docs/htmldocs/using_samba/figs/sam2_0504.gif
new file mode 100644
index 0000000000..9c60c26ef5
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0504.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0505.gif b/docs/htmldocs/using_samba/figs/sam2_0505.gif
new file mode 100644
index 0000000000..346409e3e6
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0505.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0506.gif b/docs/htmldocs/using_samba/figs/sam2_0506.gif
new file mode 100644
index 0000000000..78f5d54da2
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0506.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0507.gif b/docs/htmldocs/using_samba/figs/sam2_0507.gif
new file mode 100644
index 0000000000..e6ff6f14bd
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0507.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0508.gif b/docs/htmldocs/using_samba/figs/sam2_0508.gif
new file mode 100644
index 0000000000..28dcb6227a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0508.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0601.gif b/docs/htmldocs/using_samba/figs/sam2_0601.gif
new file mode 100644
index 0000000000..006fa95580
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0601.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0602.gif b/docs/htmldocs/using_samba/figs/sam2_0602.gif
new file mode 100644
index 0000000000..598a7015dc
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0602.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0603.gif b/docs/htmldocs/using_samba/figs/sam2_0603.gif
new file mode 100644
index 0000000000..62a8054c6f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0603.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0604.gif b/docs/htmldocs/using_samba/figs/sam2_0604.gif
new file mode 100644
index 0000000000..9327385eed
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0604.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0605.gif b/docs/htmldocs/using_samba/figs/sam2_0605.gif
new file mode 100644
index 0000000000..236badf15f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0605.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0701.gif b/docs/htmldocs/using_samba/figs/sam2_0701.gif
new file mode 100644
index 0000000000..b0b16d458c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0701.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0801.gif b/docs/htmldocs/using_samba/figs/sam2_0801.gif
new file mode 100644
index 0000000000..5f9d87b206
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0801.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0802.gif b/docs/htmldocs/using_samba/figs/sam2_0802.gif
new file mode 100644
index 0000000000..fde794c19a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0802.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0803.gif b/docs/htmldocs/using_samba/figs/sam2_0803.gif
new file mode 100644
index 0000000000..13baa02ed4
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0803.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0804.gif b/docs/htmldocs/using_samba/figs/sam2_0804.gif
new file mode 100644
index 0000000000..fc42ebf685
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0804.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0805.gif b/docs/htmldocs/using_samba/figs/sam2_0805.gif
new file mode 100644
index 0000000000..015ca5df19
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0805.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0806.gif b/docs/htmldocs/using_samba/figs/sam2_0806.gif
new file mode 100644
index 0000000000..f11b8a18c9
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0806.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0807.gif b/docs/htmldocs/using_samba/figs/sam2_0807.gif
new file mode 100644
index 0000000000..1ffc3eac39
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0807.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0808.gif b/docs/htmldocs/using_samba/figs/sam2_0808.gif
new file mode 100644
index 0000000000..36839a754c
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0808.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0809.gif b/docs/htmldocs/using_samba/figs/sam2_0809.gif
new file mode 100644
index 0000000000..3145d367ce
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0809.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0810.gif b/docs/htmldocs/using_samba/figs/sam2_0810.gif
new file mode 100644
index 0000000000..cd76217d1f
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0810.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0811.gif b/docs/htmldocs/using_samba/figs/sam2_0811.gif
new file mode 100644
index 0000000000..e7add2a0e7
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0811.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0901.gif b/docs/htmldocs/using_samba/figs/sam2_0901.gif
new file mode 100644
index 0000000000..6ac1e9c966
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0901.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0902.gif b/docs/htmldocs/using_samba/figs/sam2_0902.gif
new file mode 100644
index 0000000000..f30bd1037d
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0902.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_0903.gif b/docs/htmldocs/using_samba/figs/sam2_0903.gif
new file mode 100644
index 0000000000..0a073278dd
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_0903.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1001.gif b/docs/htmldocs/using_samba/figs/sam2_1001.gif
new file mode 100644
index 0000000000..491cbaf8eb
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1001.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1002.gif b/docs/htmldocs/using_samba/figs/sam2_1002.gif
new file mode 100644
index 0000000000..2b3177c433
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1002.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1003.gif b/docs/htmldocs/using_samba/figs/sam2_1003.gif
new file mode 100644
index 0000000000..39077e86ad
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1003.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1004.gif b/docs/htmldocs/using_samba/figs/sam2_1004.gif
new file mode 100644
index 0000000000..9e81522a65
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1004.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1005.gif b/docs/htmldocs/using_samba/figs/sam2_1005.gif
new file mode 100644
index 0000000000..5d9fe6f72a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1005.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1006.gif b/docs/htmldocs/using_samba/figs/sam2_1006.gif
new file mode 100644
index 0000000000..34fcb1054b
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1006.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1101.gif b/docs/htmldocs/using_samba/figs/sam2_1101.gif
new file mode 100644
index 0000000000..0a8afebd6a
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1101.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_1102.gif b/docs/htmldocs/using_samba/figs/sam2_1102.gif
new file mode 100644
index 0000000000..5bfc6b5521
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_1102.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af01.gif b/docs/htmldocs/using_samba/figs/sam2_af01.gif
new file mode 100644
index 0000000000..290cc7f491
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af01.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af02.gif b/docs/htmldocs/using_samba/figs/sam2_af02.gif
new file mode 100644
index 0000000000..2bc59dab69
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af02.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af03.gif b/docs/htmldocs/using_samba/figs/sam2_af03.gif
new file mode 100644
index 0000000000..5bff6142f8
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af03.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af04.gif b/docs/htmldocs/using_samba/figs/sam2_af04.gif
new file mode 100644
index 0000000000..f1ee885f32
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af04.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af05.gif b/docs/htmldocs/using_samba/figs/sam2_af05.gif
new file mode 100644
index 0000000000..ef15448708
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af05.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af06.gif b/docs/htmldocs/using_samba/figs/sam2_af06.gif
new file mode 100644
index 0000000000..756a6b1c99
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af06.gif
diff --git a/docs/htmldocs/using_samba/figs/sam2_af07.gif b/docs/htmldocs/using_samba/figs/sam2_af07.gif
new file mode 100644
index 0000000000..dfe2199484
--- /dev/null
+++ b/docs/htmldocs/using_samba/figs/sam2_af07.gif
diff --git a/docs/htmldocs/using_samba/inx.html b/docs/htmldocs/using_samba/inx.html
new file mode 100644
index 0000000000..cc01eeb56c
--- /dev/null
+++ b/docs/htmldocs/using_samba/inx.html
@@ -0,0 +1,1814 @@
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h2>Index</h2>
+
+<A HREF="#Symbols">[&nbsp;Symbols&nbsp;]</A>, 
+<A HREF="#Numbers">[&nbsp;Numbers&nbsp;]</A>, 
+<A HREF="#A">[&nbsp;A&nbsp;]</A>, 
+<A HREF="#B">[&nbsp;B&nbsp;]</A>, 
+<A HREF="#C">[&nbsp;C&nbsp;]</A>, 
+<A HREF="#D">[&nbsp;D&nbsp;]</A>, 
+<A HREF="#E">[&nbsp;E&nbsp;]</A>, 
+<A HREF="#F">[&nbsp;F&nbsp;]</A>, 
+<A HREF="#G">[&nbsp;G&nbsp;]</A>, 
+<A HREF="#H">[&nbsp;H&nbsp;]</A>, 
+<A HREF="#I">[&nbsp;I&nbsp;]</A>, 
+<A HREF="#K">[&nbsp;K&nbsp;]</A>, 
+<A HREF="#L">[&nbsp;L&nbsp;]</A>, 
+<A HREF="#M">[&nbsp;M&nbsp;]</A>, 
+<A HREF="#N">[&nbsp;N&nbsp;]</A>, 
+<A HREF="#O">[&nbsp;O&nbsp;]</A>, 
+<A HREF="#P">[&nbsp;P&nbsp;]</A>, 
+<A HREF="#Q">[&nbsp;Q&nbsp;]</A>, 
+<A HREF="#R">[&nbsp;R&nbsp;]</A>, 
+<A HREF="#S">[&nbsp;S&nbsp;]</A>, 
+<A HREF="#T">[&nbsp;T&nbsp;]</A>, 
+<A HREF="#U">[&nbsp;U&nbsp;]</A>, 
+<A HREF="#V">[&nbsp;V&nbsp;]</A>, 
+<A HREF="#W">[&nbsp;W&nbsp;]</A>, 
+<A HREF="#X">[&nbsp;X&nbsp;]</A> 
+
+
+<P><A NAME="Symbols"><B>Symbols</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>_ _MSBROWSE _ _ resource entry, 16, 229
+<BR>. (period)
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS names and, 14
+<BR> &nbsp; &nbsp; &nbsp;   (see also dot files)
+<BR>%$ variable, 192
+<P><A NAME="Numbers"><B>Numbers</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>127.0.0.1 (localhost), 73
+<BR> &nbsp; &nbsp; &nbsp;   bind interfaces only option, 208
+<P><A NAME="A"><B>A</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%a variable, 143, 192
+<BR> &nbsp; &nbsp; &nbsp;   variable substitution, 191
+<BR>abort shutdown script option (smb.conf file), 401
+<BR>Access Control Entries (ACEs), 31, 253
+<BR>Access Control Lists (see ACLs)
+<BR>access control options, 287-288
+<BR>access, controlling (see ACLs; controlling access to shares)
+<BR>accounts (see computer accounts, adding; users)
+<BR>ACLs, 30
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 260-262
+<BR> &nbsp; &nbsp; &nbsp;   inheriting, 416
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 495
+<BR> &nbsp; &nbsp; &nbsp;   mapping to Unix permissions, 426
+<BR> &nbsp; &nbsp; &nbsp;   POSIX.1e, 259
+<BR> &nbsp; &nbsp; &nbsp;   support in Samba 2.2, 37
+<BR> &nbsp; &nbsp; &nbsp;   Unix, 259
+<BR> &nbsp; &nbsp; &nbsp;   versus Unix file permissions, 31
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT/2000/XP, 165, 253-262
+<BR>Active Directory
+<BR> &nbsp; &nbsp; &nbsp;   Samba 2.2, 34, 121
+<BR> &nbsp; &nbsp; &nbsp;   Samba 3.0, 34
+<BR> &nbsp; &nbsp; &nbsp;   server, specifying, 402
+<BR> &nbsp; &nbsp; &nbsp;   time synchronization and, 340
+<BR>adapters, 69
+<BR>add machine script option (smb.conf file), 402
+<BR>add printer command option (smb.conf file), 401
+<BR>add share command option (smb.conf file), 402
+<BR>add user script option (smb.conf file), 159, 402
+<BR>admin users option (smb.conf file), 285, 287, 402
+<BR>admin users (see root accounts)
+<BR>administrator (see domain administrator)
+<BR>ads server option (smb.conf file), 402
+<BR>AFS (Andrew Filesystem), installing Samba with support for, 495
+<BR>Albitz, Paul, 383
+<BR>algorithmic rid base option (smb.conf file), 402
+<BR>allow hosts option (smb.conf file), 403
+<BR>allow trusted domains option (smb.conf file), 403
+<BR>analogX Atomic TimeSync, 340
+<BR>announce as option (smb.conf file), 234, 403
+<BR>announce version option (smb.conf file), 235, 403
+<BR>anonymous
+<BR> &nbsp; &nbsp; &nbsp;   restricting access, 434
+<BR> &nbsp; &nbsp; &nbsp;   (see also guest access)
+<BR>ANSI C compiler required by Samba source, 44
+<BR>auth methods option (smb.conf file), 403
+<BR>authentication
+<BR> &nbsp; &nbsp; &nbsp;   client, 290-296
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting method of, 436
+<BR> &nbsp; &nbsp; &nbsp;   defined, 30
+<BR> &nbsp; &nbsp; &nbsp;   enabling Samba as WINS server, configuration file example, 395
+<BR> &nbsp; &nbsp; &nbsp;   files, specifying where Samba keeps, 497
+<BR> &nbsp; &nbsp; &nbsp;   methods, specifying, 403
+<BR> &nbsp; &nbsp; &nbsp;   overview, 31
+<BR> &nbsp; &nbsp; &nbsp;   pass-through, 33
+<BR> &nbsp; &nbsp; &nbsp;   Samba security levels, 290
+<BR> &nbsp; &nbsp; &nbsp;   Samba's default user-level versus Windows, 74
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 28
+<BR> &nbsp; &nbsp; &nbsp;   with winbind, 307-319
+<BR> &nbsp; &nbsp; &nbsp;   (see also passwords)
+<BR>auto services option (smb.conf file), 233, 235, 403
+<BR>automounting shares, 495
+<BR>available option (smb.conf file), 403
+<P><A NAME="B"><B>B</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>backends (CUPS modules), 332
+<BR>backup browsers, 27, 226
+<BR>backup domain controllers (BDCs), 31
+<BR> &nbsp; &nbsp; &nbsp;   Samba 2.2's inability to work with, 122
+<BR> &nbsp; &nbsp; &nbsp;   (see also primary domain controllers)
+<BR>backups, creating and restoring using smbclient, 172-174
+<BR>.bak files, 251
+<BR>.bat files, 138
+<BR>bind interfaces only option (smb.conf file), 208, 403
+<BR>bindings, 69
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 100
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 80
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 93
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 110
+<BR>--bindir (configure script option), 48
+<BR>bitmasks, 176
+<BR> &nbsp; &nbsp; &nbsp;   CIDR format, 208
+<BR>block size option (smb.conf file), 404
+<BR>blocking locks option (smb.conf file), 404
+<BR>b-node (NetBios node type), 13
+<BR>broadcast
+<BR> &nbsp; &nbsp; &nbsp;   name resolution, 71
+<BR> &nbsp; &nbsp; &nbsp;   versus NBNS name registration, 11
+<BR>broadcast address, 389
+<BR>broadcasting, 12
+<BR>browsable option (smb.conf file), 233, 235, 284, 404
+<BR>browse list option (smb.conf file), 235, 404
+<BR>browse lists, 27, 224
+<BR> &nbsp; &nbsp; &nbsp;   invisible shares, 233
+<BR> &nbsp; &nbsp; &nbsp;   printer names, 419
+<BR> &nbsp; &nbsp; &nbsp;   specifying list of shares, 431
+<BR> &nbsp; &nbsp; &nbsp;   specifying shares in, 403, 404
+<BR> &nbsp; &nbsp; &nbsp;   specifying the directory where Samba keeps, 497
+<BR> &nbsp; &nbsp; &nbsp;   synchronizing with all domain master browsers, 411
+<BR>browse master (see local master browser)
+<BR>browse server (see local master browser)
+<BR>browseable option (smb.conf file) (see browsable option (smb.conf file))
+<BR>browser elections, 28, 226-229, 419
+<BR>browsers
+<BR> &nbsp; &nbsp; &nbsp;   backup (see backup browsers)
+<BR> &nbsp; &nbsp; &nbsp;   domain master browser (see domain master browser)
+<BR> &nbsp; &nbsp; &nbsp;   local master (see local master browser)
+<BR>browsing, 216, 224-239
+<BR> &nbsp; &nbsp; &nbsp;   a list of computers and shared resources, defined, 26
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba for, 229
+<BR> &nbsp; &nbsp; &nbsp;   cross-subnet, 231
+<BR> &nbsp; &nbsp; &nbsp;   in a Windows network, 224-229
+<BR> &nbsp; &nbsp; &nbsp;   invisible shares, 233
+<BR> &nbsp; &nbsp; &nbsp;   options, 233-239
+<BR> &nbsp; &nbsp; &nbsp;   overview, 26-28
+<BR> &nbsp; &nbsp; &nbsp;   server from the client, 382
+<BR> &nbsp; &nbsp; &nbsp;   shared resource of a specific computer, 26
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting problems, 377-383
+<BR>Browsing and Windows 95 Networking and CIFS/E Browser Protocol, 229
+<BR>BROWSING.txt and BROWSING-Config.txt, 229
+<BR>BSD Unix
+<BR> &nbsp; &nbsp; &nbsp;   automatically starting Samba daemons, 61
+<BR> &nbsp; &nbsp; &nbsp;   printers, 330-331
+<P><A NAME="C"><B>C</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>caching policy, client-side, 406
+<BR>case sensitive option (smb.conf file), 265, 404
+<BR>case sensitivity, 262-267
+<BR> &nbsp; &nbsp; &nbsp;   how Samba handles, 264
+<BR> &nbsp; &nbsp; &nbsp;   preserving case of filename, 431
+<BR>casesignames option (smb.conf file), 404
+<BR>change notification, 354
+<BR>change notify timeout option (smb.conf file), 354, 405
+<BR>change share command option (smb.conf file), 405
+<BR>character set option (smb.conf file), 344, 405
+<BR>character sets, translating, 405
+<BR>checking (message from configure script), 48
+<BR>CIDR format bitmask, 208
+<BR>CIFS, 21
+<BR> &nbsp; &nbsp; &nbsp;   Unix extensions, 37, 442
+<BR> &nbsp; &nbsp; &nbsp;   (see also SMB)
+<BR>CIFS Technical Reference, 20
+<BR>client code page option (smb.conf file), 344, 405
+<BR>clustered environment, Samba in, 437
+<BR> &nbsp; &nbsp; &nbsp;   (see also multihomed system; multiple subnets), 437
+<BR>.cmd files, 138
+<BR>code page directory option (smb.conf file), 405
+<BR>code pages, 344
+<BR>coding system option (smb.conf file), 345, 405
+<BR>command-line options, parsing, 495
+<BR>comment option (smb.conf file), 203, 406
+<BR>Common Internet File System (see CIFS)
+<BR>compiling Samba, 49-52
+<BR>components, Windows, 69
+<BR>comp.protocols.smb newsgroup, 392
+<BR>computer accounts, adding, 126
+<BR>computer names
+<BR> &nbsp; &nbsp; &nbsp;   name resolution (see name resolution)
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 103
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 81
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 93
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 113
+<BR>computers, adding to domains, 402
+<BR>Concurrent Versions System (CVS), 491
+<BR>config file option (smb.conf file), 196, 406
+<BR>config.log file, 49
+<BR>config.pol file, 155
+<BR>config.status file, 51
+<BR>configuration file
+<BR> &nbsp; &nbsp; &nbsp;   Samba's main (see smb.conf file)
+<BR> &nbsp; &nbsp; &nbsp;   selecting new, 406
+<BR> &nbsp; &nbsp; &nbsp;   variables (see smb.conf file, variables)
+<BR> &nbsp; &nbsp; &nbsp;   (see also configuring Samba)
+<BR>configuration management tool (see CVS)
+<BR>configuration value types, 448-449
+<BR>configure script, 46
+<BR> &nbsp; &nbsp; &nbsp;   options, 493-499
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --bindir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --datadir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --eprefix, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --include dir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --infodir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --libdir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --libexec dir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --mandir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --prefix, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --sbindir, 48
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      with feature, 47
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-acl-support, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-afs, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-automount, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-codepagedir, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-configdir, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-dce-dfs, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-fhs, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-included-popt, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-krb4, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-krb5, 495
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-ldapsam, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-libiconv, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-libsmbclient, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-lockdir, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-logfilebase, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-manpages-langs, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-msdfs, 47, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-nisplus-home, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-nisplussam, 496
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      without feature, 47
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-pam, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-pam_smbpass, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-piddir, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-privatedir, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-profiling-data, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-quotas, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-readline, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-sendfile-support, 497
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-smbmount, 47, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-smbwrapper, 47, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-spinlocks, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-ssl, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-sslinc, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-ssllib, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-swatdir, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-syslog, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-tdbsam, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-utmp, 498
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      --with-winbind, 499
+<BR> &nbsp; &nbsp; &nbsp;   sample execution, 48
+<BR>configuring Samba, 46-49
+<BR> &nbsp; &nbsp; &nbsp;   configuration file (see smb.conf file)
+<BR> &nbsp; &nbsp; &nbsp;   for browsing, 229
+<BR> &nbsp; &nbsp; &nbsp;   for installation (see configure script)
+<BR> &nbsp; &nbsp; &nbsp;   for roaming profiles, 143-147
+<BR> &nbsp; &nbsp; &nbsp;   identifying options used in previous installations, 51
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting problems (see troubleshooting Samba, fault tree)
+<BR>connection scripts, 274-277
+<BR> &nbsp; &nbsp; &nbsp;   monitoring directory contents, 275
+<BR> &nbsp; &nbsp; &nbsp;   options, 275-277
+<BR>connections
+<BR> &nbsp; &nbsp; &nbsp;   denying, 409
+<BR> &nbsp; &nbsp; &nbsp;   specifying time limits for unused, 407
+<BR>controlling access to shares, 285-288
+<BR>copy option (smb.conf file), 197, 406
+<BR>Core and Core Plus, 20
+<BR>create mask option (smb.conf file), 248, 250, 406
+<BR>create mode option (smb.conf file), 284, 406
+<BR>creating (message from configure script), 48
+<BR>creation masks, 247-250
+<BR>csc policy option (smb.conf file), 406
+<BR>CVS (Concurrent Versions System), 491
+<P><A NAME="D"><B>D</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%d variable, 192
+<BR>daemons (see inetd daemon; nmbd daemon; smbd daemon; xinetd daemon)
+<BR>Darwin, automatically starting Samba daemons, 64
+<BR>.dat files
+<BR> &nbsp; &nbsp; &nbsp;   changing to .man files, 150
+<BR> &nbsp; &nbsp; &nbsp;   NTUSER.DAT, 141
+<BR> &nbsp; &nbsp; &nbsp;   USER.DAT, 141
+<BR>--datadir (configure script option), 48
+<BR>datagram primitives, 17
+<BR>datagram services, defined, 10
+<BR>datagram services (NBT)
+<BR> &nbsp; &nbsp; &nbsp;   defined, 16
+<BR> &nbsp; &nbsp; &nbsp;   tips, 18
+<BR>deadtime option (smb.conf file), 349, 407
+<BR>debug hires timestamp option (smb.conf file), 407
+<BR>debug pid option (smb.conf file), 407
+<BR>debug timestamp option (smb.conf file), 214, 407
+<BR>debug uid option (smb.conf file), 407
+<BR>debuglevel option (smb.conf file), 407
+<BR>default case option (smb.conf file), 264, 265, 408
+<BR>default device mode, setting, 408
+<BR>default devmode option (smb.conf file), 408
+<BR>default option (smb.conf file), 407
+<BR>default service option (smb.conf file), 236, 408
+<BR>defending the hostname, 12
+<BR>delete printer command option (smb.conf file), 408
+<BR>delete readonly option (smb.conf file), 250, 251, 408
+<BR>delete share command option (smb.conf file), 408
+<BR>delete user script option (smb.conf file), 159, 409
+<BR>delete veto files option (smb.conf file), 241, 245, 409
+<BR>deny hosts option (smb.conf file), 409
+<BR>dfree command option (smb.conf file), 350, 409
+<BR>Dfs (Microsoft's Distributed filesystem), 277-280
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba as Dfs server, 278-279
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 496
+<BR> &nbsp; &nbsp; &nbsp;   providing services, 415
+<BR> &nbsp; &nbsp; &nbsp;   support in Samba 2.2, 36
+<BR> &nbsp; &nbsp; &nbsp;   Windows clients, 278
+<BR>DHCP and IP addresses, 70
+<BR>DIAGNOSIS.txt, 359
+<BR>dig command (Unix), 73
+<BR>Digital Pathworks clients, 353
+<BR>directories
+<BR> &nbsp; &nbsp; &nbsp;   caching for performance, 414
+<BR> &nbsp; &nbsp; &nbsp;   connecting to drive letter, 138
+<BR> &nbsp; &nbsp; &nbsp;   creating on the Samba server, 125
+<BR> &nbsp; &nbsp; &nbsp;   deleting when vetoed files are present, 241, 409
+<BR> &nbsp; &nbsp; &nbsp;   home, setting, 420
+<BR> &nbsp; &nbsp; &nbsp;   monitoring contents, 275
+<BR> &nbsp; &nbsp; &nbsp;   setting maximum allowable permissions, 409
+<BR> &nbsp; &nbsp; &nbsp;   setting paths, 409
+<BR>directory mask option (smb.conf file), 249, 251, 409
+<BR>directory mode option (smb.conf file), 284, 410
+<BR>directory option (smb.conf file), 409
+<BR>directory permissions, 416
+<BR> &nbsp; &nbsp; &nbsp;   options, 250-253
+<BR>directory recursion, 171
+<BR>directory security mask option (smb.conf file), 261, 262, 410
+<BR>disable spools option (smb.conf file), 410
+<BR>disk services, example of sharing, 4-7
+<BR>disk share configuration, 201-203
+<BR>disk-quota support, 497
+<BR>Distributed Computing Environment Distributed Filesystem (DCE/DFS), 495
+<BR>Distributed filesystem (see Dfs)
+<BR>dmask option, 176
+<BR>DNS, 70
+<BR> &nbsp; &nbsp; &nbsp;   configuration
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 2000, 101
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me, 79
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT, 92
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows XP, 111
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS names
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      translating between DNS names and, 182
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      versus hostnames versus, 14
+<BR> &nbsp; &nbsp; &nbsp;   overview, 73
+<BR> &nbsp; &nbsp; &nbsp;   servers, name resolution and, 217
+<BR>DNS proxy, configuring on WINS server, 220
+<BR>dns proxy option (smb.conf file), 220, 223, 410
+<BR>documentation, Samba, 45, 391
+<BR>domain admin group option (smb.conf file), 160, 410
+<BR>domain administrator, 126, 410
+<BR>Domain Admins group, 410
+<BR>domain controllers, 30
+<BR> &nbsp; &nbsp; &nbsp;   backup (see backup domain controllers)
+<BR> &nbsp; &nbsp; &nbsp;   primary (see primary domain controllers)
+<BR>Domain Guest group, 410
+<BR>domain guest group option (smb.conf file), 410
+<BR>domain logons
+<BR> &nbsp; &nbsp; &nbsp;   configuring Windows clients for, 128-137
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 133-135
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 128-131
+<BR> &nbsp; &nbsp; &nbsp;   Windows complains that you are already logged on, 129
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 131-133
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP Professional, 135-137
+<BR>domain logons option (smb.conf file), 159, 410
+<BR>domain master browser, 35, 226
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba as both local master browser and, 124
+<BR> &nbsp; &nbsp; &nbsp;   forcing Samba to be, 237, 411
+<BR> &nbsp; &nbsp; &nbsp;   problems with, 35
+<BR> &nbsp; &nbsp; &nbsp;   Samba as, 230
+<BR> &nbsp; &nbsp; &nbsp;   synchronizing browse lists with all, 411
+<BR> &nbsp; &nbsp; &nbsp;   verifying Samba as, 231
+<BR>domain master option (smb.conf file), 159, 237, 411
+<BR>domain member server, 34
+<BR> &nbsp; &nbsp; &nbsp;   Samba as, 156-157
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      smb.conf file example, 400
+<BR>domain membership, 126
+<BR>Domain Name System (see DNS)
+<BR>domain-level security, 291, 296
+<BR>domains
+<BR> &nbsp; &nbsp; &nbsp;   adding computers to, 402
+<BR> &nbsp; &nbsp; &nbsp;   advantages of, 120
+<BR> &nbsp; &nbsp; &nbsp;   more information on how to set up, 122
+<BR> &nbsp; &nbsp; &nbsp;   trust relationships, 33
+<BR> &nbsp; &nbsp; &nbsp;   trusted, 403
+<BR> &nbsp; &nbsp; &nbsp;   (see also Windows NT domain options)
+<BR>dont descend option (smb.conf file), 241, 243, 411
+<BR>dos filemode option (smb.conf file), 411
+<BR>dos filetime resolution option (smb.conf file), 342, 411
+<BR>dos filetimes option (smb.conf file), 341, 411
+<BR>dos2unix command, 170
+<BR>dot files, 240
+<BR> &nbsp; &nbsp; &nbsp;   hiding, 414
+<BR> &nbsp; &nbsp; &nbsp;   (see also hiding files)
+<BR>drive letter, connecting a directory to, 6, 138
+<P><A NAME="E"><B>E</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>emacs text editor, 139
+<BR>encrypt passwords option (smb.conf file), 304, 411
+<BR>encrypted passwords
+<BR> &nbsp; &nbsp; &nbsp;   disabling, 298
+<BR> &nbsp; &nbsp; &nbsp;   managing, 483
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      (see also smbpasswd program)
+<BR> &nbsp; &nbsp; &nbsp;   smb.conf file and, 55
+<BR> &nbsp; &nbsp; &nbsp;   (see also passwords)
+<BR>enhanced browsing option (smb.conf file), 411
+<BR>enumports command option (smb.conf file), 412
+<BR>environment variables, forcing Samba to read list of, 437
+<BR>--eprefix (configure script option), 48
+<BR>error messages from configure script, 48
+<BR>/etc/fstab file, warning about editing, 177
+<BR>/etc/group, 283
+<BR>/etc/hosts file, 70
+<BR>/etc/nsswitch.conf file, 71
+<BR>/etc/passwd file, creating entries manually, 127
+<BR>/etc/printcap.local file, 330
+<BR>/etc/resolv.conf file, 73, 220
+<BR>Ethereal (SMB sniffer), 20, 361
+<BR>exec option (smb.conf file), 412
+<BR>executable file permission bit, 248
+<BR>ext2/ext3 filesystem, 37
+<P><A NAME="F"><B>F</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>fake directory create times option (smb.conf file), 342, 412
+<BR>fake oplocks option (smb.conf file), 273, 412
+<BR>FAQs, Samba, 391
+<BR>fault tree, troubleshooting Samba, 362-391
+<BR>file locking (see locks and oplocks)
+<BR>file permissions
+<BR> &nbsp; &nbsp; &nbsp;   executable bit, 248
+<BR> &nbsp; &nbsp; &nbsp;   on MS-DOS and Unix, 245-253
+<BR> &nbsp; &nbsp; &nbsp;   options, 250-253
+<BR> &nbsp; &nbsp; &nbsp;   setting in Windows NT/2000/XP, 165
+<BR> &nbsp; &nbsp; &nbsp;   setting maximum allowable, 406
+<BR> &nbsp; &nbsp; &nbsp;   Unix permission bits summary, 247
+<BR> &nbsp; &nbsp; &nbsp;   Unix permissions versus ACLs, 31
+<BR> &nbsp; &nbsp; &nbsp;   versus ACLs, 31
+<BR>file transfer using smbclient, 170
+<BR>filenames
+<BR> &nbsp; &nbsp; &nbsp;   conventions, 262
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      (see also name mangling)
+<BR> &nbsp; &nbsp; &nbsp;   representing and resolving in Samba, 264
+<BR>Filesystem Hierarchy Standard, 495
+<BR>filesystem options, 243-245
+<BR>findsmb program, 40, 455
+<BR>firewall configuration, 60
+<BR>fmask option (sbmount), 176
+<BR>follow symlinks option (smb.conf file), 242, 243, 412
+<BR>force create mode option (smb.conf file), 251, 412
+<BR>force directory mode option (smb.conf file), 251, 413
+<BR>force directory security mode option (smb.conf file), 262, 413
+<BR>force group option (smb.conf file), 249, 251, 413
+<BR>force security mode option (smb.conf file), 261, 413
+<BR>force unknown acl user option (smb.conf file), 413
+<BR>force user option (smb.conf file), 249, 251, 413
+<BR>Frisch, �leen, 325
+<BR>fstab file, warning about editing, 177
+<BR>fstype option (smb.conf file), 350, 413
+<P><A NAME="G"><B>G</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%G variable, 192
+<BR>%g variable, 192
+<BR>gcc binaries, 44
+<BR>get command, 170
+<BR>getwd cache option (smb.conf file), 243, 414
+<BR>[global] section (smb.conf file), 193
+<BR>GNU configure script (see configure script)
+<BR>GNU Free Documentation License, 511-518
+<BR>Google, 392
+<BR>group ID (GID), 31
+<BR>group option (smb.conf file), 414
+<BR>grouppol.inf file, 153
+<BR>groups
+<BR> &nbsp; &nbsp; &nbsp;   additional information, 16
+<BR> &nbsp; &nbsp; &nbsp;   overriding a user's normal group membership, 413
+<BR> &nbsp; &nbsp; &nbsp;   setting a group share in smb.conf file, 283
+<BR> &nbsp; &nbsp; &nbsp;   system group file, 283
+<BR> &nbsp; &nbsp; &nbsp;   (see also workgroups; SMB, groups)
+<BR>guest access, 286
+<BR>guest account option (smb.conf file), 286, 288, 414
+<BR>guest ok option (smb.conf file), 286, 414
+<BR>guest only option (smb.conf file), 288, 414
+<P><A NAME="H"><B>H</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%H variable, 192, 283
+<BR>%h variable, 192
+<BR>hide dot files option (smb.conf file), 240, 244, 414
+<BR>hide files option (smb.conf file), 241, 244, 414
+<BR>hide local users option (smb.conf file), 415
+<BR>hide unreadable option (smb.conf file), 415
+<BR>hiding files, 240-242
+<BR>h-node (NetBios node type), 13
+<BR>home directory, setting, 420
+<BR>homedir map option (smb.conf file), 281, 415
+<BR>[homes] share (smb.conf file), 125, 194, 233, 284
+<BR> &nbsp; &nbsp; &nbsp;   peculiarities with, 284
+<BR>host msdfs option (smb.conf file), 280, 415
+<BR>hostname, defending, 12
+<BR>hosts allow option (smb.conf file), 204-207, 415
+<BR>hosts deny option (smb.conf file), 204-207, 415
+<BR>hosts equiv option (smb.conf file), 307, 415
+<BR>HOSTS file, 70, 74
+<BR>hosts.sam file, 74
+<BR>Hunt, Craig, 87
+<P><A NAME="I"><B>I</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%I variable, 192
+<BR>iconv( ) function, 496
+<BR>ifconfig command, 390
+<BR>Implementing Policies and Profiles for Windows NT 4.0, 141
+<BR>--include dir (configure script option), 48
+<BR>include option (smb.conf file), 193, 197, 416
+<BR>inetd daemon, 53
+<BR> &nbsp; &nbsp; &nbsp;   starting smbd and nmbd daemons, 66
+<BR>--infodir (configure script option), 48
+<BR>inherit acls option (smb.conf file), 416
+<BR>inherit permissions option (smb.conf file), 253, 416
+<BR>.ini files, 187
+<BR>installation directories for Samba, 50
+<BR>installing Samba, 49-52
+<BR> &nbsp; &nbsp; &nbsp;   on a Unix system, 42-67
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ANSI C compiler required by Samba source, 44
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      binary versus source, 43
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      bundled versions, 42-45
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      configuration (see configure script)
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      source, overview of steps, 44
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting problems (see troubleshooting Samba, fault tree)
+<BR>interfaces list, 403
+<BR>interfaces option (smb.conf file), 207, 416
+<BR>internationalization, 343-346
+<BR> &nbsp; &nbsp; &nbsp;   features of Samba 2.2, 456
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 495
+<BR>invalid users option (smb.conf file), 284, 285, 287, 416
+<BR>invalid users, specifying list of, 285
+<BR>IP addresses, 70
+<BR> &nbsp; &nbsp; &nbsp;   127.0.0.1 (localhost), 73
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      bind interfaces only option, 208
+<BR> &nbsp; &nbsp; &nbsp;   translating between NetBIOS names and, 182
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 100
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me networks, 78
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 90
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 111
+<BR>IPC$ password, 75
+<BR>ipconfig /all command (Windows NT/2000/XP), 13
+<BR>ipconfig command, 390
+<P><A NAME="K"><B>K</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>keepalive option (smb.conf file), 351, 416
+<BR>Kerberos authentication, 38
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 495
+<BR> &nbsp; &nbsp; &nbsp;   Samba 2.2 and, 121
+<BR> &nbsp; &nbsp; &nbsp;   time synchronization and, 340
+<BR>kernel oplocks option (smb.conf file), 272, 417
+<P><A NAME="L"><B>L</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%L variable, 140, 144, 192
+<BR>LAN Manager host announcements, 236
+<BR>LAN Manager versions 1.0, 2.0, and 2.1, 20
+<BR>lanman auth option (smb.conf file), 417
+<BR>large readwrite option (smb.conf file), 417
+<BR>LDAP, 34, 38
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 496
+<BR> &nbsp; &nbsp; &nbsp;   Samba 2.2 and, 121
+<BR>ldap admin dn option (smb.conf file), 417
+<BR>ldap filter option (smb.conf file), 417
+<BR>ldap port option (smb.conf file), 417
+<BR>ldap server option (smb.conf file), 418
+<BR>ldap ssl option (smb.conf file), 418
+<BR>ldap suffix option (smb.conf file), 418
+<BR>level2 oplocks option (smb.conf file), 272, 418
+<BR>--libdir (configure script option), 48
+<BR>--libexec dir (configure script option), 48
+<BR>libnss_winbind.so library, 309
+<BR>Linux-PAM System Administrator's Guide, 314
+<BR>Liu, Cricket, 383
+<BR>lm announce option (smb.conf file), 236, 418
+<BR>lm interval option (smb.conf file), 237, 418
+<BR>LMHOSTS file, 72
+<BR> &nbsp; &nbsp; &nbsp;   name resolution and, 218
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 102
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 80
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 92
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 112
+<BR>load balancing and Dfs, 277, 279
+<BR>load printers option (smb.conf file), 336, 419
+<BR>local master browser, 27, 224
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba as both domain master browser and, 124
+<BR>local master option (smb.conf file), 230, 236, 419
+<BR>local profiles, 141
+<BR>localhost address (see 127.0.0.1 (localhost))
+<BR>lock dir option (smb.conf file), 419
+<BR>lock directory option (smb.conf file), 274, 419
+<BR>lock spin count option (smb.conf file), 419
+<BR>lock spin time option (smb.conf file), 419
+<BR>locking files (see locks and oplocks)
+<BR>locking option (smb.conf file), 271, 419
+<BR>locks and oplocks, 268-274
+<BR> &nbsp; &nbsp; &nbsp;   advanced tuning parameter, 428
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      release an oplock, 427
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 270-274
+<BR> &nbsp; &nbsp; &nbsp;   oplock failure, 269
+<BR> &nbsp; &nbsp; &nbsp;   opportunistic locking process, 268
+<BR> &nbsp; &nbsp; &nbsp;   setting file locking, 419
+<BR> &nbsp; &nbsp; &nbsp;   specifying directory where Samba keeps lock files, 496
+<BR> &nbsp; &nbsp; &nbsp;   spin locks, 498
+<BR> &nbsp; &nbsp; &nbsp;   Unix and oplocks, 270
+<BR>log file option (smb.conf file), 213, 356, 419
+<BR>log files, 67
+<BR> &nbsp; &nbsp; &nbsp;   changing timestamps, 407
+<BR> &nbsp; &nbsp; &nbsp;   example, 210
+<BR> &nbsp; &nbsp; &nbsp;   levels of logging, 356-358
+<BR> &nbsp; &nbsp; &nbsp;   nmbd, 231
+<BR> &nbsp; &nbsp; &nbsp;   sample output of levels 2 and 3, 356
+<BR> &nbsp; &nbsp; &nbsp;   setting location of, 419
+<BR> &nbsp; &nbsp; &nbsp;   setting maximum size, 423
+<BR> &nbsp; &nbsp; &nbsp;   specifying the directory where Samba keeps, 496
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting with, 356-359
+<BR> &nbsp; &nbsp; &nbsp;   (see also logging)
+<BR>log level option (smb.conf file), 213, 420
+<BR>logging
+<BR> &nbsp; &nbsp; &nbsp;   activating and deactivating, 358
+<BR> &nbsp; &nbsp; &nbsp;   adding process ID, 407
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 210-215
+<BR> &nbsp; &nbsp; &nbsp;   debugging particular user, 407
+<BR> &nbsp; &nbsp; &nbsp;   (see also log files)
+<BR>login parameters, setting, 24
+<BR>logon drive option (smb.conf file), 151, 420
+<BR>logon home line (smb.conf file), 144
+<BR>logon home option (smb.conf file), 152, 420
+<BR>logon path line (smb.conf file), 144
+<BR>logon path option (smb.conf file), 151, 420
+<BR>logon path, supporting roaming profiles for Windows NT/2000/XP clients, 124
+<BR>logon script option (smb.conf file), 151, 420
+<BR>logon scripts, 120, 137-140
+<BR> &nbsp; &nbsp; &nbsp;   checking the format, 139
+<BR> &nbsp; &nbsp; &nbsp;   creating, 138-140
+<BR> &nbsp; &nbsp; &nbsp;   more information regarding, 140
+<BR> &nbsp; &nbsp; &nbsp;   options, 150
+<BR> &nbsp; &nbsp; &nbsp;   using variables inside, 139
+<BR>logon.bat, 138
+<BR>log.smb file, 67
+<BR>lpadmin command (Unix), 333
+<BR>lppause command option (smb.conf file), 336, 420
+<BR>lppause command (Unix), 323
+<BR>lpq cache time option (smb.conf file), 335, 420
+<BR>lpq command option (smb.conf file), 336, 421
+<BR>lpq command (Unix), 323
+<BR>lpr command (Unix), 322
+<BR>lpresume command option (smb.conf file), 336, 421
+<BR>lpresume command (Unix), 323
+<BR>lprm command option (smb.conf file), 336, 421
+<BR>lprm command (Unix), 323
+<P><A NAME="M"><B>M</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%M variable, 192
+<BR>%m variable, 140, 143, 192
+<BR>Mac OS X
+<BR> &nbsp; &nbsp; &nbsp;   automatically starting Samba daemons, 64
+<BR> &nbsp; &nbsp; &nbsp;   configuration details, 506-509
+<BR> &nbsp; &nbsp; &nbsp;   enabling SMB printer sharing, 325
+<BR> &nbsp; &nbsp; &nbsp;   monitoring services, 505
+<BR> &nbsp; &nbsp; &nbsp;   Password Server, 504
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      activating, 504
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      enabling, 505
+<BR> &nbsp; &nbsp; &nbsp;   smbutil and mount_smbfs, 184-186
+<BR>Mac OS X Server
+<BR> &nbsp; &nbsp; &nbsp;   configuration settings, 508
+<BR> &nbsp; &nbsp; &nbsp;   configuring and activating services, 503
+<BR> &nbsp; &nbsp; &nbsp;   running Samba on, 500-510
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 501
+<BR> &nbsp; &nbsp; &nbsp;   sharing printers, 501
+<BR>Mac OS X Server Administrator's Guide, 500
+<BR>machine password timeout option (smb.conf file), 160, 421
+<BR>magic output option (smb.conf file), 343, 421
+<BR>magic script option (smb.conf file), 343, 421
+<BR>magic scripts, 342
+<BR>mailing lists, Samba, 392
+<BR> &nbsp; &nbsp; &nbsp;   archives, 45
+<BR>make install command (Unix), 50
+<BR> &nbsp; &nbsp; &nbsp;   upgrading installations, 52
+<BR>make revert command (Unix), 50
+<BR>make utility (Unix), 49
+<BR>makefile, generating for Samba configuration, 46
+<BR>make_smbcodepage program, 40, 456
+<BR>make_unicodemap program, 40, 456
+<BR>.man files, changing from .dat files, 150
+<BR>man pages (see manual pages)
+<BR>managing connections to shares (see connection scripts)
+<BR>mandatory profiles, 149
+<BR> &nbsp; &nbsp; &nbsp;   changing from roaming profiles, 150
+<BR>--mandir (configure script option), 48
+<BR>mangle case option (smb.conf file), 267, 421
+<BR>mangled map option (smb.conf file), 267, 422
+<BR>mangled names option (smb.conf file), 266, 422
+<BR>mangled stack option (smb.conf file), 267, 422
+<BR>mangling char option (smb.conf file), 267, 422
+<BR>mangling method option (smb.conf file), 422
+<BR>MANPATH environment variable, 52
+<BR>manual pages, 52
+<BR> &nbsp; &nbsp; &nbsp;   in different languages, 496
+<BR>map archive option (smb.conf file), 247, 252, 422
+<BR>map hidden option (smb.conf file), 247, 252, 422
+<BR>map system option (smb.conf file), 247, 252, 422
+<BR>map to guest option (smb.conf file), 423
+<BR>mapping a free-form client username to a Unix username, 289
+<BR>mapping a network drive (see drive letter, connecting a directory to)
+<BR>master browser (see local master browser)
+<BR>max connections option (smb.conf file), 288, 423
+<BR>max disk size option (smb.conf file), 351, 423
+<BR>max log size option (smb.conf file), 213, 423
+<BR>max mux option (smb.conf file), 351, 423
+<BR>max open files option (smb.conf file), 423
+<BR>max open files (smb.conf file), 351
+<BR>max print jobs option (smb.conf file), 424
+<BR>max protocol option (smb.conf file), 424
+<BR>max smbd processes option (smb.conf file), 424
+<BR>max ttl option (smb.conf file), 224, 424
+<BR>max wins ttl option (smb.conf file), 224, 424
+<BR>max xmit option (smb.conf file), 352, 424
+<BR>message command option (smb.conf file), 348, 424
+<BR>messenger service, 346-348
+<BR>mget command, 170
+<BR>Microsoft Distributed filesystem (see Dfs)
+<BR>min passwd length option (smb.conf file), 425
+<BR>min password length option (smb.conf file), 425
+<BR>min print space option (smb.conf file), 338, 425
+<BR>min protocol option (smb.conf file), 425
+<BR>min wins ttl option (smb.conf file), 224, 425
+<BR>m-node (NetBios node type), 13
+<BR>mount_smbfs program, 161, 182
+<BR> &nbsp; &nbsp; &nbsp;   options, 183
+<BR>mput command, 170
+<BR>msdfs root option (smb.conf file), 280, 425
+<BR>MS-DOS file permissions, 245-253
+<BR>MSN Messenger, 346-348
+<BR>multihomed system
+<BR> &nbsp; &nbsp; &nbsp;   running Samba on, 204
+<BR> &nbsp; &nbsp; &nbsp;   (see also clustered environment, Samba in; multiple subnets)
+<BR>multiple subnets
+<BR> &nbsp; &nbsp; &nbsp;   cross-subnet browsing, 232
+<BR> &nbsp; &nbsp; &nbsp;   with Samba servers, 232
+<BR> &nbsp; &nbsp; &nbsp;   (see also clustered environment, Samba in; multihomed system)
+<BR>My Network Places, 26
+<BR> &nbsp; &nbsp; &nbsp;   (see also Network Neighborhood)
+<P><A NAME="N"><B>N</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%N variable, 192
+<BR>name mangling, 262-267
+<BR> &nbsp; &nbsp; &nbsp;   how Samba mangles a long filename into a 8.3 filename, 263
+<BR> &nbsp; &nbsp; &nbsp;   options, 265-267, 421
+<BR>name registration, 11-13
+<BR>name resolution, 11-13, 70, 216-224
+<BR> &nbsp; &nbsp; &nbsp;   broadcast method, 71
+<BR> &nbsp; &nbsp; &nbsp;   configuring in Samba, 219
+<BR> &nbsp; &nbsp; &nbsp;   methods, 217
+<BR> &nbsp; &nbsp; &nbsp;   using broadcast packets, 217
+<BR>name resolve order option (smb.conf file), 219, 223, 425
+<BR>name services
+<BR> &nbsp; &nbsp; &nbsp;   defined, 10
+<BR> &nbsp; &nbsp; &nbsp;   identifying what's in use, 383
+<BR> &nbsp; &nbsp; &nbsp;   switching, 71
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting, 383-388
+<BR>name-resolution configuration options, 221-224
+<BR>NBNS name registration
+<BR> &nbsp; &nbsp; &nbsp;   versus broadcast, 11
+<BR>NBT, 10, 69
+<BR> &nbsp; &nbsp; &nbsp;   services, 16
+<BR>NBT Standard, 10
+<BR>nbtstat utility, 228
+<BR> &nbsp; &nbsp; &nbsp;   examples, 14, 15
+<BR>net program, 40, 457-462
+<BR>net time command, 138, 339
+<BR>net use command, 138, 144
+<BR> &nbsp; &nbsp; &nbsp;   testing connections with, 374
+<BR>net view program, 225
+<BR> &nbsp; &nbsp; &nbsp;   testing client browsing, 381
+<BR>NetBEUI protocol, 10
+<BR> &nbsp; &nbsp; &nbsp;   running at same time as NetBIOS over TCP/IP, 69
+<BR>NetBIOS
+<BR> &nbsp; &nbsp; &nbsp;   group resource types, 16
+<BR> &nbsp; &nbsp; &nbsp;   names
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      translating between IP address or DNS names and, 182
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      troubleshooting, 390
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      versus DNS hostnames, 14
+<BR> &nbsp; &nbsp; &nbsp;   node types, 13
+<BR> &nbsp; &nbsp; &nbsp;   overview, 9
+<BR> &nbsp; &nbsp; &nbsp;   resource names and types, 14
+<BR> &nbsp; &nbsp; &nbsp;   session, establishing, 22
+<BR> &nbsp; &nbsp; &nbsp;   unique resource types, 15
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 80
+<BR>netbios aliases option (smb.conf file), 209, 426
+<BR>netbios name option (smb.conf file), 200, 426
+<BR>NetBIOS over TCP/IP (see NBT)
+<BR>netbios scope option (smb.conf file), 426
+<BR>[netlogon] share (smb.conf file), 125, 138, 233
+<BR>netmask, using to troubleshoot, 388
+<BR>network adapters, 69
+<BR>network addresses
+<BR> &nbsp; &nbsp; &nbsp;   finding your specific address, 390
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting, 388-390
+<BR>Network Information Service (see NIS)
+<BR>Network Neighborhood, 27
+<BR> &nbsp; &nbsp; &nbsp;   (see also My Network Places)
+<BR>Network Time Protocol (NTP), 340
+<BR>network traffic, monitoring (see tcpdump program)
+<BR>networking
+<BR> &nbsp; &nbsp; &nbsp;   components
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 2000, 99
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows XP, 109
+<BR> &nbsp; &nbsp; &nbsp;   concepts, Windows (see Windows, networking concepts)
+<BR> &nbsp; &nbsp; &nbsp;   options, 204-208
+<BR>new features
+<BR> &nbsp; &nbsp; &nbsp;   in Samba 2.2, 36
+<BR> &nbsp; &nbsp; &nbsp;   in Samba 3.0, 38
+<BR>news, Samba, 45
+<BR>newsgroups, Samba, 391
+<BR>NFS, installing Samba with support for, 495
+<BR>NIS+
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 496
+<BR> &nbsp; &nbsp; &nbsp;   server, installing Samba with support for locating, 496
+<BR>nis homedir option (smb.conf file), 281, 426
+<BR>NIS (Network Information Service), 71, 280
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 280
+<BR> &nbsp; &nbsp; &nbsp;   server, 30
+<BR>nmake command, 412
+<BR>nmap command (Unix), 73
+<BR>nmbd daemon, 3, 39, 61, 453
+<BR> &nbsp; &nbsp; &nbsp;   starting automatically, 61-65
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      BSD Unix, 61
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Darwin and Mac OS X, 64
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      System V Unix, 61
+<BR> &nbsp; &nbsp; &nbsp;   starting from inetd, 66
+<BR> &nbsp; &nbsp; &nbsp;   starting manually, 61
+<BR> &nbsp; &nbsp; &nbsp;   testing, 66
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      automatic startup, 65
+<BR> &nbsp; &nbsp; &nbsp;   time service, 442
+<BR>nmbd log file, 231
+<BR>nmblookup program, 40, 229, 231, 462
+<BR> &nbsp; &nbsp; &nbsp;   testing clients, 380
+<BR> &nbsp; &nbsp; &nbsp;   testing network, 381
+<BR> &nbsp; &nbsp; &nbsp;   testing servers, 379
+<BR>nobody account, 286
+<BR>node types, 13
+<BR>non unix account range option (smb.conf file), 426
+<BR>nslookup command (Unix), 73
+<BR>nsmb.conf file, 181
+<BR>.nsmbrc files, 181
+<BR>nsswitch, configuring, 309
+<BR>nsswitch.conf file, 71
+<BR>nt acl support option (smb.conf file), 260, 426
+<BR>NT LAN Manager 1.0, 21
+<BR>nt pipe support option (smb.conf file), 352, 426
+<BR>nt smb support option (smb.conf file), 352, 427
+<BR>nt status support option (smb.conf file), 427
+<BR>ntconfig.pol file, 155
+<BR>NT-specific SMB IPC$ pipes, 352
+<BR>NTUSER.DAT file, 141
+<BR>null passwords option (smb.conf file), 306, 427
+<BR>number of address ranges, 389
+
+<P><A NAME="O"><B>O</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>obey pam restrictions option (smb.conf file), 427
+<BR>od command, 139
+<BR>.old files, 50
+<BR>ole locking compatibility (smb.conf file), 352
+<BR>only guest option (smb.conf file), 427
+<BR>only user option (smb.conf file), 293, 427
+<BR>Open Directory Password Server, 504
+<BR>oplock break wait time option (smb.conf file), 427
+<BR>oplock contention limit option (smb.conf file), 428
+<BR>oplocks option (smb.conf file), 272, 428
+<BR>opportunistic locking (see locks and oplocks)
+<BR>os level option (smb.conf file), 230, 238, 428
+<BR>os2 driver map option (smb.conf file), 428
+<BR>overwriting files (see locks and oplocks)
+
+<P><A NAME="P"><B>P</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%P variable, 192
+<BR>%p variable, 192
+<BR>padc command, 359
+<BR>pam password change option (smb.conf file), 428
+<BR>PAM (Pluggable Authentication Modules), 38
+<BR> &nbsp; &nbsp; &nbsp;   configuring, 313-317
+<BR>pam_stack.so module, 316
+<BR>pam_winbind.so module, 316
+<BR>panic action option (smb.conf file), 352, 428
+<BR>par command, 359
+<BR>passdb backend option (smb.conf file), 429
+<BR>pass-through authentication, 33
+<BR>passwd chat debug option (smb.conf file), 305, 429
+<BR>passwd chat option (smb.conf file), 301, 305, 429
+<BR>PASSWD environment variable, 167
+<BR>passwd file, creating entries manually, 127
+<BR>passwd program option (smb.conf file), 305, 429
+<BR>password chat response characters, 302
+<BR>password chat send characters, 302
+<BR>password level option (smb.conf file), 305, 429
+<BR>Password Server (Mac OS X), 504
+<BR> &nbsp; &nbsp; &nbsp;   activating, 504
+<BR> &nbsp; &nbsp; &nbsp;   enabling, 505
+<BR>password server option (smb.conf file), 160, 295, 429
+<BR>passwords, 74, 296-307
+<BR> &nbsp; &nbsp; &nbsp;   adding to smb.conf file, 75
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 303-307
+<BR> &nbsp; &nbsp; &nbsp;   disabling encrypted, 298
+<BR> &nbsp; &nbsp; &nbsp;   encrypted (see encrypted passwords)
+<BR> &nbsp; &nbsp; &nbsp;   IPC$, 75
+<BR> &nbsp; &nbsp; &nbsp;   limiting length of, 425
+<BR> &nbsp; &nbsp; &nbsp;   plain-text versus encrypted, 74
+<BR> &nbsp; &nbsp; &nbsp;   setting on Windows 95/98/Me, 83
+<BR> &nbsp; &nbsp; &nbsp;   setting servers that validate, 429
+<BR> &nbsp; &nbsp; &nbsp;   synchronization, 300-303
+<BR> &nbsp; &nbsp; &nbsp;   Windows versus Unix, 29
+<BR> &nbsp; &nbsp; &nbsp;   (see also authentication)
+<BR>PATH environment variable, 52
+<BR>path option (smb.conf file), 202, 430
+<BR>pdbedit program, 40, 464
+<BR>PDC emulator, 121
+<BR>PDCs (see primary domain controllers)
+<BR>Pearce, Eric, 16, 160
+<BR>performance, caching directories, 414
+<BR>period (.)
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS names and, 14
+<BR> &nbsp; &nbsp; &nbsp;   (see also dot files)
+<BR>permissions
+<BR> &nbsp; &nbsp; &nbsp;   mapping to Windows NT ACLs, 426
+<BR> &nbsp; &nbsp; &nbsp;   (see also file permissions; directory permissions)
+<BR>pid directory option (smb.conf file), 430
+<BR>PIDs, adding to log lines, 407
+<BR>ping, troubleshooting with, 363-367
+<BR>Pluggable Authentication Modules (see PAM)
+<BR>p-node (NetBios node type), 13
+<BR>point-to-point communication, 12
+<BR>policies, defined, 120
+<BR>port names, customized, 412
+<BR>POSIX ACL support, 416
+<BR>posix locking option (smb.conf file), 272, 430
+<BR>POSIX.1e ACLs, 259
+<BR>postexec option (smb.conf file), 277, 430
+<BR>postscript option (smb.conf file), 335, 430
+<BR>preexec close option (smb.conf file), 277, 430
+<BR>preexec option (smb.conf file), 274, 276, 430
+<BR>preferred master option (smb.conf file), 237, 431
+<BR>preferred master parameter (smb.conf file), 230
+<BR>--prefix (configure script option), 48
+<BR>preload option (smb.conf file), 235, 431
+<BR>preserve case option (smb.conf file), 264, 266, 431
+<BR>preventing file overwrites (see locks and oplocks)
+<BR>primary domain controllers (PDCs), 31, 226
+<BR> &nbsp; &nbsp; &nbsp;   handling authentication (see winbind)
+<BR> &nbsp; &nbsp; &nbsp;   modifying smb.conf file, 122-125
+<BR> &nbsp; &nbsp; &nbsp;   Samba as, 121-126
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      smb.conf file example, 397-399
+<BR>primary WINS server, 32
+<BR> &nbsp; &nbsp; &nbsp;   synchronization problems with Samba 2.2, 33
+<BR>print command option (smb.conf file), 322, 336, 431
+<BR>print commands, 321
+<BR>print jobs
+<BR> &nbsp; &nbsp; &nbsp;   deleting, 421
+<BR> &nbsp; &nbsp; &nbsp;   limiting number of, 424
+<BR> &nbsp; &nbsp; &nbsp;   pausing, 420
+<BR> &nbsp; &nbsp; &nbsp;   resuming, 421
+<BR> &nbsp; &nbsp; &nbsp;   sending over Samba, 321
+<BR>print ok option (smb.conf file), 433
+<BR>printable option (smb.conf file), 323, 335, 431
+<BR>printcap file, 419
+<BR> &nbsp; &nbsp; &nbsp;   example, 336
+<BR>printcap name option (smb.conf file), 338, 431
+<BR>printcap option (smb.conf file), 338
+<BR>printcap.local file, 330
+<BR>printer admin option (smb.conf file), 432
+<BR>printer driver file option (smb.conf file), 432
+<BR>printer driver location option (smb.conf file), 432
+<BR>printer driver option (smb.conf file), 432
+<BR>printer name option (smb.conf file), 335, 432
+<BR>printer option (smb.conf file), 335, 432
+<BR>printer status, setting command for, 421
+<BR>printers
+<BR> &nbsp; &nbsp; &nbsp;   adding new to system, 401
+<BR> &nbsp; &nbsp; &nbsp;   BSD, 330-331
+<BR> &nbsp; &nbsp; &nbsp;   CUPS, 332
+<BR> &nbsp; &nbsp; &nbsp;   example of sharing, 8
+<BR> &nbsp; &nbsp; &nbsp;   names in browse lists, 419
+<BR> &nbsp; &nbsp; &nbsp;   removing from system, 408
+<BR> &nbsp; &nbsp; &nbsp;   sending files using smbclient, 325
+<BR> &nbsp; &nbsp; &nbsp;   setting default device mode, 408
+<BR> &nbsp; &nbsp; &nbsp;   setting up from Windows, 8
+<BR> &nbsp; &nbsp; &nbsp;   sharing, 320
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      on Mac OS X, 501
+<BR> &nbsp; &nbsp; &nbsp;   System V, 331
+<BR> &nbsp; &nbsp; &nbsp;   (see also printing)
+<BR>[printers] share (smb.conf file), 195, 324
+<BR> &nbsp; &nbsp; &nbsp;   example for a Linux system, 324
+<BR>printing, 320-338
+<BR> &nbsp; &nbsp; &nbsp;   adding a Unix printer, 330-333
+<BR> &nbsp; &nbsp; &nbsp;   common problem with Samba printer configuration, 325
+<BR> &nbsp; &nbsp; &nbsp;   CUPS-compatible, 486
+<BR> &nbsp; &nbsp; &nbsp;   debugging printers, 325
+<BR> &nbsp; &nbsp; &nbsp;   Mac OS X environment, 325
+<BR> &nbsp; &nbsp; &nbsp;   network, 320
+<BR> &nbsp; &nbsp; &nbsp;   options, 333-338
+<BR> &nbsp; &nbsp; &nbsp;   setting up and testing a Windows client, 326
+<BR> &nbsp; &nbsp; &nbsp;   shares
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      example, 322
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      important information about, 323
+<BR> &nbsp; &nbsp; &nbsp;   system types, 334
+<BR> &nbsp; &nbsp; &nbsp;   testing the configuration, 325
+<BR> &nbsp; &nbsp; &nbsp;   to Windows from Unix, 327-338
+<BR> &nbsp; &nbsp; &nbsp;   variables, 322
+<BR> &nbsp; &nbsp; &nbsp;   (see also printers)
+<BR>printing option (smb.conf file), 334, 432
+<BR>private directory option (smb.conf file), 433
+<BR>process IDs, adding to log lines, 407
+<BR>processes, viewing in Unix, 8
+<BR>[profiles] share (smb.conf file), 125
+<BR>prompt command, 171
+<BR>protocol option (smb.conf file), 433
+<BR>ps command (Unix), 8
+<BR> &nbsp; &nbsp; &nbsp;   looking for daemon processes with, 368
+<BR>public option (smb.conf file), 433
+<BR>put command, 170
+<BR>.pwl files, 29
+<P><A NAME="Q"><B>Q</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>queuepause command option (smb.conf file), 338, 433
+<BR>queueresume command option (smb.conf file), 338, 433
+<P><A NAME="R"><B>R</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%R variable, 192
+<BR>read bmpx option (smb.conf file), 433
+<BR>read list option (smb.conf file), 286, 288, 433
+<BR>read only option (smb.conf file), 203, 434
+<BR>read raw option (smb.conf file), 434
+<BR>read size option (smb.conf file), 434
+<BR>readline( ) support, 497
+<BR>read-only access, specifying users, 433
+<BR>realm option (smb.conf file), 434
+<BR>reconfiguring Samba, 52
+<BR>recurse command, 171
+<BR>registry files, 141
+<BR> &nbsp; &nbsp; &nbsp;   settings and passwords, 74
+<BR>relative identifier (RID), 30
+<BR>remote announce option (smb.conf file), 232, 238, 434
+<BR>remote browse sync option (smb.conf file), 238, 434
+<BR>remote logons (see roaming profiles)
+<BR>resolv.conf file, 73, 220
+<BR>resource names and types (NetBIOS), 14
+<BR>restrict anonymous option (smb.conf file), 434
+<BR>roaming profiles, 120, 140-152
+<BR> &nbsp; &nbsp; &nbsp;   changing to mandatory profiles, 150
+<BR> &nbsp; &nbsp; &nbsp;   configuring
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Samba for, 143-147
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me for, 147
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT/2000/XP for, 148
+<BR> &nbsp; &nbsp; &nbsp;   defining a logon path for Windows NT/2000/XP clients, 124
+<BR> &nbsp; &nbsp; &nbsp;   definitive documentation, 141
+<BR> &nbsp; &nbsp; &nbsp;   how they work, 141
+<BR> &nbsp; &nbsp; &nbsp;   options, 150
+<BR> &nbsp; &nbsp; &nbsp;   possible problems, 142
+<BR> &nbsp; &nbsp; &nbsp;   restricting users from editing their own, 149
+<BR> &nbsp; &nbsp; &nbsp;   setting path to directory (Windows NT/2000/XP), 420
+<BR> &nbsp; &nbsp; &nbsp;   smb.conf file, 138
+<BR> &nbsp; &nbsp; &nbsp;   Temporary Internet Files folder, 143
+<BR> &nbsp; &nbsp; &nbsp;   time synchronization, 339
+<BR> &nbsp; &nbsp; &nbsp;   users logged onto multiple clients, 142
+<BR> &nbsp; &nbsp; &nbsp;   warning, 141
+<BR> &nbsp; &nbsp; &nbsp;   (see also mandatory profiles)
+<BR>root access, 285
+<BR>root accounts
+<BR> &nbsp; &nbsp; &nbsp;   adding root user to Samba's password database, 126
+<BR> &nbsp; &nbsp; &nbsp;   (see also domain administrator)
+<BR> &nbsp; &nbsp; &nbsp;   specifying users with root permissions, 402
+<BR>root dir option (smb.conf file), 435
+<BR>root directory option (smb.conf file), 435
+<BR>root option (smb.conf file), 435
+<BR>root postexec option (smb.conf file), 277, 435
+<BR>root preexec close option (smb.conf file), 276, 435
+<BR>root preexec option (smb.conf file), 275, 276, 435
+<BR>roving profiles (see roaming profiles)
+<BR>rpcclient commands, 467-470
+<BR>rpcclient program, 40, 465
+<BR>rpm command (Unix), 43
+<P><A NAME="S"><B>S</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%S variable, 192
+<BR>SAM (Security Account Manager), 30
+<BR> &nbsp; &nbsp; &nbsp;   database, 126
+<BR>Samba
+<BR> &nbsp; &nbsp; &nbsp;   advantages of using, 3
+<BR> &nbsp; &nbsp; &nbsp;   allowing outside applications to access Samba features, 496
+<BR> &nbsp; &nbsp; &nbsp;   compiling (see compiling Samba)
+<BR> &nbsp; &nbsp; &nbsp;   configuration file (see smb.conf file)
+<BR> &nbsp; &nbsp; &nbsp;   configuring (see configuring Samba)
+<BR> &nbsp; &nbsp; &nbsp;   defined, 2
+<BR> &nbsp; &nbsp; &nbsp;   distribution, overview, 39
+<BR> &nbsp; &nbsp; &nbsp;   as domain member server, 34
+<BR> &nbsp; &nbsp; &nbsp;   downloading, 45
+<BR> &nbsp; &nbsp; &nbsp;   examples
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      sharing a printer, 8
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      sharing disk service, 4-7
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      simple network, 4
+<BR> &nbsp; &nbsp; &nbsp;   in a clustered environment, 437
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      (see also multihomed system; multiple subnets), 437
+<BR> &nbsp; &nbsp; &nbsp;   installing (see installing Samba)
+<BR> &nbsp; &nbsp; &nbsp;   manual pages, 52
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      in different languages, 496
+<BR> &nbsp; &nbsp; &nbsp;   obtaining, 41
+<BR> &nbsp; &nbsp; &nbsp;   overview, 1-41
+<BR> &nbsp; &nbsp; &nbsp;   running on a multihomed system, 204
+<BR> &nbsp; &nbsp; &nbsp;   troubleshooting (see troubleshooting Samba)
+<BR> &nbsp; &nbsp; &nbsp;   upgrading installations, 51
+<BR> &nbsp; &nbsp; &nbsp;   variables (see smb.conf file, variables)
+<BR> &nbsp; &nbsp; &nbsp;   web site, 41
+<BR>Samba 2.2
+<BR> &nbsp; &nbsp; &nbsp;   in a domain hosted by native mode Windows 2000 server, 34
+<BR> &nbsp; &nbsp; &nbsp;   issues with Active Directory, 34, 121
+<BR> &nbsp; &nbsp; &nbsp;   new features, 36
+<BR>Samba 3.0
+<BR> &nbsp; &nbsp; &nbsp;   new features, 38
+<BR> &nbsp; &nbsp; &nbsp;   obsolete options
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      blocksize, 404
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      character set, 405
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      client code page, 405
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      code page directory, 405
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      coding system, 405
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      domain guest group, 410
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      force unknown acl user, 413
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap admin dn, 417
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap filter, 417
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap port, 417
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap server, 418
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap ssl, 418
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ldap suffix, 418
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      nt smb support, 427
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      related to SSL, 438-440
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      status, 440
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      unix extensions, 442
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      userhosts, 443
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      valid chars, 444
+<BR> &nbsp; &nbsp; &nbsp;   roles, 38
+<BR>Samba server
+<BR> &nbsp; &nbsp; &nbsp;   adding to workgroup, configuration file example, 396
+<BR> &nbsp; &nbsp; &nbsp;   connecting from
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 2000, 107
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me, 84
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT, 96
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows XP, 116
+<BR> &nbsp; &nbsp; &nbsp;   connection listings (see smbstatus program)
+<BR> &nbsp; &nbsp; &nbsp;   creating directories on, 125
+<BR> &nbsp; &nbsp; &nbsp;   restarting, 126
+<BR> &nbsp; &nbsp; &nbsp;   sending a print job, 321
+<BR> &nbsp; &nbsp; &nbsp;   services, 2
+<BR>Samba Web Administration Tool (see SWAT)
+<BR>Samba-BDC-HOWTO.html, 122
+<BR>Samba-PDC-HOWTO.html, 122
+<BR>Samba's NT LM 0.12, 21
+<BR>SASL (Simple Authentication and Security Layer) standard, 504
+<BR>--sbindir (configure script option), 48
+<BR>scope ID (SMB packet), 16
+<BR>search paths, setting, 52
+<BR>secrets.tdb file, 156
+<BR>security
+<BR> &nbsp; &nbsp; &nbsp;   Samba security levels
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      domain (see domain-level security)
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      server (see server-level security)
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      share (see share-level security)
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      user (see user-level security)
+<BR> &nbsp; &nbsp; &nbsp;   user-level for Windows 95/98/Me, 129
+<BR> &nbsp; &nbsp; &nbsp;   (see also authentication)
+<BR>Security Access Token (SAT), 31
+<BR>Security Account Manager (SAM), 30
+<BR>security identifiers (SIDs), 30
+<BR>security issues
+<BR> &nbsp; &nbsp; &nbsp;   creating entries for /etc/passwd and smbpasswd manually, 127
+<BR> &nbsp; &nbsp; &nbsp;   disabling oplocks in smb.conf file, 58
+<BR>security mask option (smb.conf file), 261, 436
+<BR>security models, Unix versus Windows, 253
+<BR>security option (smb.conf file), 291, 436
+<BR>sendfile( ) system call, 497
+<BR>server announcements, 229
+<BR>Server Message Block (SMB) protocol (see SMB)
+<BR>server string option (smb.conf file), 200, 436
+<BR>server-level security, 291, 295
+<BR>session parameters, setting, 24
+<BR>session primitives, 17
+<BR>session service, defined, 10
+<BR>session services (NBT)
+<BR> &nbsp; &nbsp; &nbsp;   defined, 16
+<BR> &nbsp; &nbsp; &nbsp;   tips, 18
+<BR>set directory option (smb.conf file), 353, 436
+<BR>share modes option (smb.conf file), 436
+<BR>share-level security, 290
+<BR> &nbsp; &nbsp; &nbsp;   options, 293
+<BR> &nbsp; &nbsp; &nbsp;   versus user-level security, 162
+<BR>shares
+<BR> &nbsp; &nbsp; &nbsp;   adding new, 402
+<BR> &nbsp; &nbsp; &nbsp;   allowing and denying, 415
+<BR> &nbsp; &nbsp; &nbsp;   copying configurations, 406
+<BR> &nbsp; &nbsp; &nbsp;   deleting, 408
+<BR> &nbsp; &nbsp; &nbsp;   denying access to, 403
+<BR> &nbsp; &nbsp; &nbsp;   invisible, 233
+<BR> &nbsp; &nbsp; &nbsp;   managing connections to (see connection scripts)
+<BR> &nbsp; &nbsp; &nbsp;   modifying, 405
+<BR> &nbsp; &nbsp; &nbsp;   printers, setting default device mode, 408
+<BR> &nbsp; &nbsp; &nbsp;   sections in smb.conf file, 125
+<BR> &nbsp; &nbsp; &nbsp;   setting maximum number, 423
+<BR> &nbsp; &nbsp; &nbsp;   specifying in browse lists, 403, 404, 431
+<BR> &nbsp; &nbsp; &nbsp;   specifying systems that may connect to, 403
+<BR>sharing
+<BR> &nbsp; &nbsp; &nbsp;   disk services example, 4-7
+<BR> &nbsp; &nbsp; &nbsp;   files
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Mac OS X, 501
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me, 162
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT/2000/XP, 163, 165
+<BR> &nbsp; &nbsp; &nbsp;   printers (see printers, sharing)
+<BR>Sharpe, Richard, 19
+<BR>short preserve case option (smb.conf file), 264, 266, 436
+<BR>show add printer wizard option (smb.conf file), 437
+<BR>shutdown script option (smb.conf file), 437
+<BR>SIDs (security identifiers), 30
+<BR>SMB, 2
+<BR> &nbsp; &nbsp; &nbsp;   CIFS and, 21
+<BR> &nbsp; &nbsp; &nbsp;   clients, 21
+<BR> &nbsp; &nbsp; &nbsp;   command format, 19
+<BR> &nbsp; &nbsp; &nbsp;   connections, troubleshooting, 371-377
+<BR> &nbsp; &nbsp; &nbsp;   groups, 15
+<BR> &nbsp; &nbsp; &nbsp;   header fields, 19
+<BR> &nbsp; &nbsp; &nbsp;   header format, 19
+<BR> &nbsp; &nbsp; &nbsp;   message format, 19
+<BR> &nbsp; &nbsp; &nbsp;   network, overview, 9-18
+<BR> &nbsp; &nbsp; &nbsp;   online summary, 19
+<BR> &nbsp; &nbsp; &nbsp;   packets, 16
+<BR> &nbsp; &nbsp; &nbsp;   protocol
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      additional information, 20
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      negotiating a protocol variant, 22
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      overview, 18-26
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      versions, 20
+<BR> &nbsp; &nbsp; &nbsp;   servers, 21
+<BR> &nbsp; &nbsp; &nbsp;   simple connection, 22
+<BR>smb passwd file option (smb.conf file), 306, 437
+<BR>SMB sniffer (Ethereal), 20
+<BR>smbcacls program, 40, 470
+<BR>smbclient commands, 168
+<BR>smbclient program, 40, 67, 161, 165-174, 472-478
+<BR> &nbsp; &nbsp; &nbsp;   authenticating with, 167
+<BR> &nbsp; &nbsp; &nbsp;   compared to smbfs and smbsh, 165
+<BR> &nbsp; &nbsp; &nbsp;   creating and restoring backups, 172-174
+<BR> &nbsp; &nbsp; &nbsp;   file transfer, 170
+<BR> &nbsp; &nbsp; &nbsp;   interactive session, 168-171
+<BR> &nbsp; &nbsp; &nbsp;   listing services, 165
+<BR> &nbsp; &nbsp; &nbsp;   programming with, 171
+<BR> &nbsp; &nbsp; &nbsp;   security and, 168
+<BR> &nbsp; &nbsp; &nbsp;   sending a file to the printer, 325
+<BR> &nbsp; &nbsp; &nbsp;   testing
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      browsing, 377
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with, 373
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      locally with, 372
+<BR>smb.conf file, 187-215
+<BR> &nbsp; &nbsp; &nbsp;   adding user passwords, 75
+<BR> &nbsp; &nbsp; &nbsp;   bracketed names, 188
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      (see also shares, sections in smb.conf file)
+<BR> &nbsp; &nbsp; &nbsp;   capitalization, 189
+<BR> &nbsp; &nbsp; &nbsp;   comments, 190
+<BR> &nbsp; &nbsp; &nbsp;   configuring winbind, 309
+<BR> &nbsp; &nbsp; &nbsp;   creating and modifying (see SWAT)
+<BR> &nbsp; &nbsp; &nbsp;   disabling oplocks, 58
+<BR> &nbsp; &nbsp; &nbsp;   encrypted passwords and, 55
+<BR> &nbsp; &nbsp; &nbsp;   examples, 187
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      configuring Samba to use another WINS server, 396
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      disk share, 201-203
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      enabling Samba as WINS server, 395
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      server configuration file, 198-201
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting Samba as domain member server, 400
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting Samba as PDC, 397-399
+<BR> &nbsp; &nbsp; &nbsp;   file structure, 188-191
+<BR> &nbsp; &nbsp; &nbsp;   getting started, 54-60
+<BR> &nbsp; &nbsp; &nbsp;   [global] section, 193
+<BR> &nbsp; &nbsp; &nbsp;   include option, 193
+<BR> &nbsp; &nbsp; &nbsp;   line continuation, 189
+<BR> &nbsp; &nbsp; &nbsp;   location from bundled installation, 42
+<BR> &nbsp; &nbsp; &nbsp;   logon scripts (see logon scripts)
+<BR> &nbsp; &nbsp; &nbsp;   Mac OS X, 509
+<BR> &nbsp; &nbsp; &nbsp;   making significant changes, 190
+<BR> &nbsp; &nbsp; &nbsp;   modifying Samba to be a PDC, 122-125
+<BR> &nbsp; &nbsp; &nbsp;   modifying Samba to be domain member server, 157
+<BR> &nbsp; &nbsp; &nbsp;   name resolution, 219
+<BR> &nbsp; &nbsp; &nbsp;   options, 188, 195-198
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      access control, 287-288
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ACLs, 260-262
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      browsing, 233-239
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connection scripts, 275-277
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      disk share, 202
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      dot files, 240
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      file and directory permissions, 250-253
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      filesystem, 243-245
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      internationalization, 343-346
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      locks and oplocks, 270-274
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      logging, 210-215
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      name mangling, 265-267
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      name resolution, 221-224
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      networking, 204-208
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      NIS, 280
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      password, 303-307
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      printing, 333-338
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      server, 199
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      time synchronization, 341-342
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      virtual servers, 209
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      winbind, 317-319
+<BR> &nbsp; &nbsp; &nbsp;   [printers] section, 195
+<BR> &nbsp; &nbsp; &nbsp;   roaming profiles, 138
+<BR> &nbsp; &nbsp; &nbsp;   runtime changes, 190
+<BR> &nbsp; &nbsp; &nbsp;   shares, 125, 194
+<BR> &nbsp; &nbsp; &nbsp;   smbmount program and, 174
+<BR> &nbsp; &nbsp; &nbsp;   smbsh and, 179
+<BR> &nbsp; &nbsp; &nbsp;   testing, 59
+<BR> &nbsp; &nbsp; &nbsp;   variables, 191-193
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      example of use, 193
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      table, 192
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      used at runtime, 140
+<BR> &nbsp; &nbsp; &nbsp;   WINS support, 71
+<BR>smbcontrol program, 40, 478
+<BR>smbd daemon, 3, 39, 61, 451
+<BR> &nbsp; &nbsp; &nbsp;   checking with telnet, 369
+<BR> &nbsp; &nbsp; &nbsp;   starting automatically, 61-65
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      BSD Unix, 61
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Darwin and Mac OS X, 64
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      System V Unix, 61
+<BR> &nbsp; &nbsp; &nbsp;   starting from inetd, 66
+<BR> &nbsp; &nbsp; &nbsp;   starting manually, 61
+<BR> &nbsp; &nbsp; &nbsp;   testing, 66
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      automatic startup, 65
+<BR>smbfs filesystem, 161, 174-178
+<BR> &nbsp; &nbsp; &nbsp;   compared to smbclient, 165
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 498
+<BR> &nbsp; &nbsp; &nbsp;   mounting automatically, 177
+<BR>smbgroupedit program, 40, 479
+<BR>smbmnt program, 40, 174, 480
+<BR>smbmount program, 40, 175, 481
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 498
+<BR> &nbsp; &nbsp; &nbsp;   options, 178
+<BR> &nbsp; &nbsp; &nbsp;   smb.conf file, 174
+<BR>SMBnegprot request, 23
+<BR>smbpasswd file, 126, 299-300
+<BR> &nbsp; &nbsp; &nbsp;   creating entries manually, 127
+<BR>smbpasswd program, 41, 55, 483
+<BR>smbprint program, 330
+<BR>smbprint.sysv, 330
+<BR>SMBSesssetupX command, 24
+<BR>smbsh program, 41, 161, 179, 485
+<BR> &nbsp; &nbsp; &nbsp;   compared to smbclient, 165
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba with support for, 498
+<BR> &nbsp; &nbsp; &nbsp;   interactive session, 179
+<BR> &nbsp; &nbsp; &nbsp;   smb.conf file, 179
+<BR>smbspool, 330
+<BR>smbspool program, 41, 486
+<BR>smbspool utility, 332
+<BR>smbstatus program, 8, 41, 487
+<BR>smbtar program, 41, 487
+<BR>SMBtconX message, 25
+<BR>smbumount program, 41, 488
+<BR>smbutil program, 161, 181
+<BR> &nbsp; &nbsp; &nbsp;   options, 183
+<BR> &nbsp; &nbsp; &nbsp;   testing print configuration, 326
+<BR>smbwrapper library, 179, 498
+<BR>socket address option (smb.conf file), 437
+<BR>socket options option (smb.conf file), 437
+<BR>source environment option (smb.conf file), 437
+<BR>source/config.status file, 51
+<BR>spin locks, 498
+<BR>SSL
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba to support, 498
+<BR> &nbsp; &nbsp; &nbsp;   options, 438-440
+<BR>ssl CA certDir option (smb.conf file), 438
+<BR>ssl CA certFile option (smb.conf file), 438
+<BR>ssl ciphers option (smb.conf file), 438
+<BR>ssl client cert option (smb.conf file), 438
+<BR>ssl client key option (smb.conf file), 438
+<BR>ssl compatibility option (smb.conf file), 439
+<BR>ssl hosts option (smb.conf file), 439
+<BR>ssl hosts resign option (smb.conf file), 439
+<BR>ssl option (smb.conf file), 438
+<BR>ssl require clientcert option (smb.conf file), 439
+<BR>ssl require servercert option (smb.conf file), 439
+<BR>ssl server cert option (smb.conf file), 439
+<BR>ssl server key option (smb.conf file), 440
+<BR>ssl version option (smb.conf file), 440
+<BR>stat cache option (smb.conf file), 354, 440
+<BR>stat cache size option (smb.conf file), 354, 440
+<BR>status option (smb.conf file), 440
+<BR>status (smb.conf file), 353
+<BR>Stern, Hal, 383
+<BR>strace command, 359
+<BR>strict allocate option (smb.conf file), 440
+<BR>strict locking option (smb.conf file), 271, 441
+<BR>strict sync option (smb.conf file), 353, 441
+<BR>strip dot option (smb.conf file), 353, 441
+<BR>subnets, workgroups spanning multiple, 34
+<BR>superuser (root) access, 285
+<BR>SWAT
+<BR> &nbsp; &nbsp; &nbsp;   enabling, 52
+<BR> &nbsp; &nbsp; &nbsp;   login, 56
+<BR> &nbsp; &nbsp; &nbsp;   specifying where to install files for, 498
+<BR> &nbsp; &nbsp; &nbsp;   using, 56-58
+<BR>symbolic links, 242
+<BR> &nbsp; &nbsp; &nbsp;   creating before clients are added to network, 147
+<BR> &nbsp; &nbsp; &nbsp;   in file shares, 412
+<BR>symlinks option (smb.conf file), 242
+<BR>sync always option (smb.conf file), 353, 441
+<BR>synchronization, password (see passwords, synchronization)
+<BR>synchronization problems with WINS servers in Samba, 33, 71
+<BR>syslog, 211
+<BR> &nbsp; &nbsp; &nbsp;   error logging, installing Samba to support, 498
+<BR>syslog only option (smb.conf file), 215, 441
+<BR>syslog option (smb.conf file), 214, 441
+<BR>syslog.conf file, 212
+<BR>system group file, 283
+<BR>system policies, 152-156
+<BR> &nbsp; &nbsp; &nbsp;   Windows Me, 155
+<BR>System Policy Editor, 152-156
+<BR>System V Unix
+<BR> &nbsp; &nbsp; &nbsp;   automatically starting Samba daemons, 61
+<BR> &nbsp; &nbsp; &nbsp;   printers, 331
+
+<P><A NAME="T"><B>T</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%T variable, 192
+<BR>TCP, troubleshooting, 367
+<BR>tcpdump program, 360
+<BR> &nbsp; &nbsp; &nbsp;   download, 22
+<BR> &nbsp; &nbsp; &nbsp;   example, 22
+<BR>TCP/IP
+<BR> &nbsp; &nbsp; &nbsp;   adding to Windows 95/98/Me network, 76
+<BR> &nbsp; &nbsp; &nbsp;   configuring for Windows 2000, 100
+<BR> &nbsp; &nbsp; &nbsp;   configuring for Windows 95/98/Me, 78
+<BR> &nbsp; &nbsp; &nbsp;   configuring for Windows NT, 89
+<BR> &nbsp; &nbsp; &nbsp;   configuring for Windows XP, 110
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 88
+<BR>telnet, checking smbd with, 369
+<BR>template homedir option (smb.conf file), 314, 319, 441
+<BR>template shell option (smb.conf file), 314, 319, 442
+<BR>Temporary Internet Files folder, 143
+<BR>test utilities, troubleshooting with, 359-362
+<BR>testing Samba (see testparm program; troubleshooting Samba)
+<BR>testparm program, 41, 59, 125, 489
+<BR> &nbsp; &nbsp; &nbsp;   testing daemons with, 370
+<BR>testprns program, 41, 489
+<BR>Thompson, Robert Bruce, 87
+<BR>time offset option (smb.conf file), 341, 442
+<BR>time server option (smb.conf file), 341, 442
+<BR>time service, 340
+<BR> &nbsp; &nbsp; &nbsp;   configuring in Samba for network use, 124
+<BR>time synchronization, 339-342
+<BR>time to live (TTL), 424, 425
+<BR>timestamp logs option (smb.conf file), 214, 442
+<BR>timestamps
+<BR> &nbsp; &nbsp; &nbsp;   changing in logs, 407
+<BR> &nbsp; &nbsp; &nbsp;   importance of, 142
+<BR>time-synchronization options, 341-342
+<BR>total print jobs option (smb.conf file), 442
+<BR>trace command, 359
+<BR>translating between IP addresses or DNS names and NetBIOS names, 182
+<BR>tree identifier (TID), defined, 22
+<BR>Tridgell, Andrew, 2, 360
+<BR>troubleshooting Samba, 355-393
+<BR> &nbsp; &nbsp; &nbsp;   browsing, 377-383
+<BR> &nbsp; &nbsp; &nbsp;   fault tree, 362-391
+<BR> &nbsp; &nbsp; &nbsp;   hostnames, 384
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      long and short, 386
+<BR> &nbsp; &nbsp; &nbsp;   localhost issues, 388
+<BR> &nbsp; &nbsp; &nbsp;   low-level IP, 362-367
+<BR> &nbsp; &nbsp; &nbsp;   name services, 383-388
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS names, 390
+<BR> &nbsp; &nbsp; &nbsp;   network addresses, 388-390
+<BR> &nbsp; &nbsp; &nbsp;   server daemons, 368-371
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      checking smbd with telnet, 369
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      looking for daemon processes with ps, 368
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      looking for daemons bound to ports, 369
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      testing daemons with testparm, 370
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      tracking daemon startup, 368
+<BR> &nbsp; &nbsp; &nbsp;   SMB connections, 371-377
+<BR> &nbsp; &nbsp; &nbsp;   TCP, 367
+<BR> &nbsp; &nbsp; &nbsp;   testing
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      browsing the server from the client, 382
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      browsing with smbclient, 377
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      client browsing with net view, 381
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      clients with nmblookup, 380
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with net use, 374
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with ping, 364
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with smbclient, 373
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      connections with Windows Explorer, 376
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      locally with smbclient, 372
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      name services with ping, 363
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      network software with ping, 363
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      network with nmblookup, 381
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      networking hardware with ping, 364
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      servers with nmblookup, 379
+<BR> &nbsp; &nbsp; &nbsp;   tools, 355
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      log files, 356-359
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      ping, 363-367
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      test utilities, 359-362
+<BR> &nbsp; &nbsp; &nbsp;   unusual delays, 387
+<BR>truss command, 359
+<BR>trust relationships, 33
+<BR>trusted domains, 403
+<BR>tusc command, 359
+<BR>tutorials, Samba, 45
+<P><A NAME="U"><B>U</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%U variable, 192, 283
+<BR>%u variable, 140, 144, 192, 283
+<BR>umasks, 247
+<BR>UNC (Universal Naming Convention) defined, 6
+<BR>Unicode, 456
+<BR>uniform resource locators (see URLs)
+<BR>Unix
+<BR> &nbsp; &nbsp; &nbsp;   ACLs, 259
+<BR> &nbsp; &nbsp; &nbsp;   CIFS extensions, 37
+<BR> &nbsp; &nbsp; &nbsp;   configuring clients to access shared resources, 161-186
+<BR> &nbsp; &nbsp; &nbsp;   file permissions, 245-253
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      versus ACLs, 31
+<BR> &nbsp; &nbsp; &nbsp;   permission bits summary, 247
+<BR> &nbsp; &nbsp; &nbsp;   viewing processes, 8
+<BR>unix extensions option (smb.conf file), 442
+<BR>unix password sync option (smb.conf file), 300, 304, 442
+<BR>unix2dos program, 139, 170
+<BR>update encrypted option (smb.conf file), 306, 443
+<BR>upgrading Samba, 50, 51
+<BR>URLs, defined, 6
+<BR>use client driver option (smb.conf file), 443
+<BR>use mmap option (smb.conf file), 443
+<BR>use rhosts option (smb.conf file), 307, 443
+<BR>use sendfile option (smb.conf file), 443
+<BR>user accounting, 498
+<BR>USER environment variable, 167
+<BR>user ID (UID), 31
+<BR>user option (smb.conf file), 443
+<BR>USER.DAT file, 141
+<BR>user-level security, 290, 294
+<BR> &nbsp; &nbsp; &nbsp;   for Windows 95/98/Me, 129
+<BR> &nbsp; &nbsp; &nbsp;   versus share-level security, 162
+<BR>username level option (smb.conf file), 290, 444
+<BR>username map option (smb.conf file), 289, 444
+<BR>username option (smb.conf file), 293, 443
+<BR>users
+<BR> &nbsp; &nbsp; &nbsp;   account files in Windows, 29
+<BR> &nbsp; &nbsp; &nbsp;   adding new, 402
+<BR> &nbsp; &nbsp; &nbsp;   adding to
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 2000, 104
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows 95/98/Me, 83
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows NT, 95
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      Windows XP, 115
+<BR> &nbsp; &nbsp; &nbsp;   debugging particular, 407
+<BR> &nbsp; &nbsp; &nbsp;   deleting account automatically, 409
+<BR> &nbsp; &nbsp; &nbsp;   group membership, overriding, 413
+<BR> &nbsp; &nbsp; &nbsp;   multiple, adding in Unix, 284-285
+<BR> &nbsp; &nbsp; &nbsp;   single, adding in Unix, 282-284
+<BR> &nbsp; &nbsp; &nbsp;   specifying read-only access, 433
+<BR>users option (smb.conf file), 444
+<BR>/usr/local/etc/nsmb.conf file, 181
+<BR>utmp directory option (smb.conf file), 444
+<BR>utmp file, 498
+<BR>utmp option (smb.conf file), 444
+<P><A NAME="V"><B>V</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>%v variable, 192
+<BR>valid chars option (smb.conf file), 346, 444
+<BR>valid users option (smb.conf file), 282, 287, 444
+<BR>variables used at runtime in smb.conf file (see smb.conf file, variables)
+<BR>veto files option (smb.conf file), 241, 244, 445
+<BR>veto oplock files option (smb.conf file), 269, 270, 273, 445
+<BR>vetoing files, 240-242
+<BR>vfs object option (smb.conf file), 445
+<BR>vfs options option (smb.conf file), 445
+<BR>vi text editor, 139
+<BR>vim text editor, 139
+<BR>virtual servers, 208
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 209
+<BR>volume option (smb.conf file), 203, 445
+<BR>VPN (virtual private network), 498
+
+<P><A NAME="W"><B>W</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>wbinfo program, 41, 489
+<BR>wide links option (smb.conf file), 242, 244, 445
+<BR>winbind, 37
+<BR> &nbsp; &nbsp; &nbsp;   authentication with, 307-319
+<BR> &nbsp; &nbsp; &nbsp;   configuration options, 317-319
+<BR> &nbsp; &nbsp; &nbsp;   configuring in smb.conf file, 309
+<BR> &nbsp; &nbsp; &nbsp;   installing, 308
+<BR> &nbsp; &nbsp; &nbsp;   installing Samba to support, 499
+<BR> &nbsp; &nbsp; &nbsp;   RID mapping file, 310
+<BR> &nbsp; &nbsp; &nbsp;   verifying it's working properly, 310-313
+<BR>winbind cache time option (smb.conf file), 319, 445
+<BR>winbind enum groups option (smb.conf file), 446
+<BR>winbind enum users option (smb.conf file), 445
+<BR>winbind gid option (smb.conf file), 318, 446
+<BR>winbind separator option (smb.conf file), 317, 446
+<BR>winbind uid option (smb.conf file), 318, 446
+<BR>winbindd daemon, 39, 41, 454
+<BR>Windows
+<BR> &nbsp; &nbsp; &nbsp;   components, 69
+<BR> &nbsp; &nbsp; &nbsp;   configuring clients to access shared resources, 68-119
+<BR> &nbsp; &nbsp; &nbsp;   domain with a local master and local backup browser (diagram), 33
+<BR> &nbsp; &nbsp; &nbsp;   .ini files, 187
+<BR> &nbsp; &nbsp; &nbsp;   networking concepts, 68-76
+<BR> &nbsp; &nbsp; &nbsp;   operating systems and password format defaults, 296
+<BR> &nbsp; &nbsp; &nbsp;   printers, setting up, 8
+<BR> &nbsp; &nbsp; &nbsp;   registry settings and passwords, 74
+<BR> &nbsp; &nbsp; &nbsp;   user account files, 29
+<BR>Windows 2000
+<BR> &nbsp; &nbsp; &nbsp;   ACLs, 253-262
+<BR> &nbsp; &nbsp; &nbsp;   adding users, 104
+<BR> &nbsp; &nbsp; &nbsp;   bindings, 100
+<BR> &nbsp; &nbsp; &nbsp;   client connecting to Samba server, 107
+<BR> &nbsp; &nbsp; &nbsp;   computer names, 103
+<BR> &nbsp; &nbsp; &nbsp;   configuring for roaming profiles, 148
+<BR> &nbsp; &nbsp; &nbsp;   configuring TCP/IP, 100
+<BR> &nbsp; &nbsp; &nbsp;   DNS configuration, 101
+<BR> &nbsp; &nbsp; &nbsp;   domain logons, 133-135
+<BR> &nbsp; &nbsp; &nbsp;   identify node type, ipconfig /all command, 13
+<BR> &nbsp; &nbsp; &nbsp;   IP addresses, 100
+<BR> &nbsp; &nbsp; &nbsp;   LMHOSTS file, 102
+<BR> &nbsp; &nbsp; &nbsp;   networking components, 99
+<BR> &nbsp; &nbsp; &nbsp;   registry file, 141
+<BR> &nbsp; &nbsp; &nbsp;   security model (see ACLs)
+<BR> &nbsp; &nbsp; &nbsp;   servers
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      operating in native mode, 34
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      PDC emulation mode, 34
+<BR> &nbsp; &nbsp; &nbsp;   setting path to directory of roaming profiles, 420
+<BR> &nbsp; &nbsp; &nbsp;   setting up, 98-108
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 163
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting permissions, 165
+<BR> &nbsp; &nbsp; &nbsp;   WINS server, 101
+<BR> &nbsp; &nbsp; &nbsp;   workgroups, 103
+<BR>Windows 95/98/Me
+<BR> &nbsp; &nbsp; &nbsp;   accessing Samba server, 84
+<BR> &nbsp; &nbsp; &nbsp;   adding TCP/IP, 76
+<BR> &nbsp; &nbsp; &nbsp;   authentication, 28
+<BR> &nbsp; &nbsp; &nbsp;   bindings, 80
+<BR> &nbsp; &nbsp; &nbsp;   configuring for roaming profiles, 147
+<BR> &nbsp; &nbsp; &nbsp;   configuring TCP/IP, 78
+<BR> &nbsp; &nbsp; &nbsp;   DNS configuration, 79
+<BR> &nbsp; &nbsp; &nbsp;   domain logons, 128-131
+<BR> &nbsp; &nbsp; &nbsp;   identify node type, 13
+<BR> &nbsp; &nbsp; &nbsp;   IP addresses, 78
+<BR> &nbsp; &nbsp; &nbsp;   LMHOSTS file, 80
+<BR> &nbsp; &nbsp; &nbsp;   NetBIOS, 80
+<BR> &nbsp; &nbsp; &nbsp;   registry file, 141
+<BR> &nbsp; &nbsp; &nbsp;   security model, 253
+<BR> &nbsp; &nbsp; &nbsp;   setting computer name, 81
+<BR> &nbsp; &nbsp; &nbsp;   setting up, 76-87
+<BR> &nbsp; &nbsp; &nbsp;   setting workgroup, 81
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 162
+<BR> &nbsp; &nbsp; &nbsp;   system policies, 155
+<BR> &nbsp; &nbsp; &nbsp;   user-level security for, 129
+<BR> &nbsp; &nbsp; &nbsp;   username and password, 83
+<BR> &nbsp; &nbsp; &nbsp;   WINS configuration, 78
+<BR> &nbsp; &nbsp; &nbsp;   (see also Windows)
+<BR>Windows Explorer, testing connections with, 376
+<BR>Windows Internet Name Service (see WINS)
+<BR>Windows Internet Naming Service (WINS) Architecture and Capacity Planning, 218
+<BR>Windows Messenger Service, 346-348
+<BR>Windows NT
+<BR> &nbsp; &nbsp; &nbsp;   ACLs, 253-262
+<BR> &nbsp; &nbsp; &nbsp;   adding a user, 95
+<BR> &nbsp; &nbsp; &nbsp;   basic configuration, 87
+<BR> &nbsp; &nbsp; &nbsp;   bindings, 93
+<BR> &nbsp; &nbsp; &nbsp;   computer names, 93
+<BR> &nbsp; &nbsp; &nbsp;   configuring for roaming profiles, 148
+<BR> &nbsp; &nbsp; &nbsp;   configuring TCP/IP, 89
+<BR> &nbsp; &nbsp; &nbsp;   connecting to a Samba server, 96
+<BR> &nbsp; &nbsp; &nbsp;   DNS configuration, 92
+<BR> &nbsp; &nbsp; &nbsp;   domains, 120-160
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      logons, 131-133
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      overview, 29-34
+<BR> &nbsp; &nbsp; &nbsp;   identify node type, ipconfig /all command, 13
+<BR> &nbsp; &nbsp; &nbsp;   installing Workstation service, 89
+<BR> &nbsp; &nbsp; &nbsp;   IP addresses, 90
+<BR> &nbsp; &nbsp; &nbsp;   LMHOSTS file, 92
+<BR> &nbsp; &nbsp; &nbsp;   registry file, 141
+<BR> &nbsp; &nbsp; &nbsp;   security model, 30
+<BR> &nbsp; &nbsp; &nbsp;   security model (see ACLs)
+<BR> &nbsp; &nbsp; &nbsp;   setting path to directory of roaming profiles, 420
+<BR> &nbsp; &nbsp; &nbsp;   setting up, 87-98
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 163
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting permissions, 165
+<BR> &nbsp; &nbsp; &nbsp;   TCP/IP installing, 88
+<BR> &nbsp; &nbsp; &nbsp;   WINS server, 90
+<BR> &nbsp; &nbsp; &nbsp;   workgroups, 93
+<BR>Windows NT domain options, 158
+<BR>Windows Time Service, 340
+<BR>Windows Workgroups (see workgroups)
+<BR>Windows XP
+<BR> &nbsp; &nbsp; &nbsp;   ACLs, 253-262
+<BR> &nbsp; &nbsp; &nbsp;   adding users, 115
+<BR> &nbsp; &nbsp; &nbsp;   bindings, 110
+<BR> &nbsp; &nbsp; &nbsp;   computer names, 113
+<BR> &nbsp; &nbsp; &nbsp;   configuring for roaming profiles, 148
+<BR> &nbsp; &nbsp; &nbsp;   configuring TCP/IP, 110
+<BR> &nbsp; &nbsp; &nbsp;   connecting to Samba server, 116
+<BR> &nbsp; &nbsp; &nbsp;   DNS configuration, 111
+<BR> &nbsp; &nbsp; &nbsp;   domain logons, 135-137
+<BR> &nbsp; &nbsp; &nbsp;   Home version, problems in a domain environment, 135
+<BR> &nbsp; &nbsp; &nbsp;   identify node type, ipconfig /all command, 13
+<BR> &nbsp; &nbsp; &nbsp;   IP addresses, 111
+<BR> &nbsp; &nbsp; &nbsp;   LMHOSTS file, 112
+<BR> &nbsp; &nbsp; &nbsp;   networking components, 109
+<BR> &nbsp; &nbsp; &nbsp;   registry file, 141
+<BR> &nbsp; &nbsp; &nbsp;   security model (see ACLs)
+<BR> &nbsp; &nbsp; &nbsp;   setting path to directory of roaming profiles, 420
+<BR> &nbsp; &nbsp; &nbsp;   setting up, 109-119
+<BR> &nbsp; &nbsp; &nbsp;   sharing files, 163
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      setting permissions, 165
+<BR> &nbsp; &nbsp; &nbsp;   WINS server, 112
+<BR> &nbsp; &nbsp; &nbsp;   workgroups, 113
+<BR>winipcfg command (Windows 95/98/Me), 13
+<BR>WinPopup tool, 346
+<BR>.win_profile directory, 144
+<BR> &nbsp; &nbsp; &nbsp;   example, 145
+<BR>WINS, 32
+<BR> &nbsp; &nbsp; &nbsp;   client and a server interaction, 218
+<BR> &nbsp; &nbsp; &nbsp;   configuration, Windows 95/98/Me, 78
+<BR> &nbsp; &nbsp; &nbsp;   proxy, configuring, 221
+<BR> &nbsp; &nbsp; &nbsp;   replication, 38
+<BR> &nbsp; &nbsp; &nbsp;   support, smb.conf file, 71
+<BR>wins hook option (smb.conf file), 223, 446
+<BR>wins proxy option (smb.conf file), 221, 222, 446
+<BR>wins server option (smb.conf file), 220, 222, 446
+<BR>WINS servers
+<BR> &nbsp; &nbsp; &nbsp;   configuring a DNS proxy, 220
+<BR> &nbsp; &nbsp; &nbsp;   configuring Samba to use another, 220
+<BR> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;      configuration file example, 396
+<BR> &nbsp; &nbsp; &nbsp;   enabling Samba as, configuration file example, 395
+<BR> &nbsp; &nbsp; &nbsp;   multiple, 32
+<BR> &nbsp; &nbsp; &nbsp;   primary (see primary WINS server)
+<BR> &nbsp; &nbsp; &nbsp;   setting Samba as, 220
+<BR> &nbsp; &nbsp; &nbsp;   synchronization problems in Samba, 71
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 101
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 90
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 112
+<BR>wins support option (smb.conf file), 222, 447
+<BR>wins support parameter (smb.conf file), 220
+<BR>with feature option, configuring Samba, 47
+<BR>--with-acl-support (configure script option), 495
+<BR>--with-afs (configure script option), 495
+<BR>--with-automount (configure script option), 495
+<BR>--with-codepagedir (configure script option), 495
+<BR>--with-configdir (configure script option), 495
+<BR>--with-dce-dfs (configure script option), 495
+<BR>--with-fhs (configure script option), 495
+<BR>--with-included-popt (configure script option), 495
+<BR>--with-krb4 (configure script option), 495
+<BR>--with-krb5 (configure script option), 495
+<BR>--with-ldapsam (configure script option), 496
+<BR>--with-libiconv (configure script option), 496
+<BR>--with-libsmbclient (configure script option), 496
+<BR>--with-lockdir (configure script option), 496
+<BR>--with-logfilebase (configure script option), 496
+<BR>--with-manpages-langs (configure script option), 496
+<BR>--with-msdfs (configure script option), 47, 496
+<BR>--with-nisplus-home (configure script option), 496
+<BR>--with-nisplussam (configure script option), 496
+<BR>without feature option, configuring Samba, 47
+<BR>--with-pam (configure script option), 497
+<BR>--with-pam_smbpass (configure script option), 497
+<BR>--with-piddir (configure script option), 497
+<BR>--with-privatedir (configure script option), 497
+<BR>--with-profiling-data (configure script option), 497
+<BR>--with-quotas (configure script option), 497
+<BR>--with-readline (configure script option), 497
+<BR>--with-sendfile-support (configure script option), 497
+<BR>--with-smbmount (configure script option), 47, 498
+<BR>--with-smbwrapper (configure script option), 47, 498
+<BR>--with-spinlocks (configure script option), 498
+<BR>--with-ssl (configure script option), 498
+<BR>--with-sslinc (configure script option), 498
+<BR>--with-ssllib (configure script option), 498
+<BR>--with-swatdir (configure script option), 498
+<BR>--with-syslog (configure script option), 498
+<BR>--with-tdbsam (configure script option), 498
+<BR>--with-utmp (configure script option), 498
+<BR>--with-winbind (configure script option), 499
+<BR>workgroup option (smb.conf file), 447
+<BR>workgroup parameter (smb.conf file), 200
+<BR>workgroups, 26-29
+<BR> &nbsp; &nbsp; &nbsp;   adding first Samba server to, 396
+<BR> &nbsp; &nbsp; &nbsp;   defined, 15
+<BR> &nbsp; &nbsp; &nbsp;   problems related to, 29
+<BR> &nbsp; &nbsp; &nbsp;   spanning multiple subnets, 34
+<BR> &nbsp; &nbsp; &nbsp;   Windows 2000, 103
+<BR> &nbsp; &nbsp; &nbsp;   Windows 95/98/Me, 81
+<BR> &nbsp; &nbsp; &nbsp;   Windows NT, 93
+<BR> &nbsp; &nbsp; &nbsp;   Windows XP, 113
+<BR>Workstation service, installing on Windows NT, 89
+<BR>writable option (smb.conf file), 203, 447
+<BR>write cache size option (smb.conf file), 447
+<BR>write list option (smb.conf file), 286, 288, 447
+<BR>write ok option (smb.conf file), 203, 447
+<BR>write raw option (smb.conf file), 448
+<BR>writeable option (smb.conf file), 203, 447
+<P><A NAME="X"><B>X</B><A HREF="inx.html">[&nbsp;Top&nbsp;]</A>
+<BR>XFS filesystem, 37
+<BR>xinetd daemon, 53
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4>
+
+</body></html>
diff --git a/docs/htmldocs/using_samba/samba2_s.gif b/docs/htmldocs/using_samba/samba2_s.gif
new file mode 100644
index 0000000000..23d7e5ee64
--- /dev/null
+++ b/docs/htmldocs/using_samba/samba2_s.gif
diff --git a/docs/htmldocs/using_samba/samba2_xs.gif b/docs/htmldocs/using_samba/samba2_xs.gif
new file mode 100644
index 0000000000..e489480df6
--- /dev/null
+++ b/docs/htmldocs/using_samba/samba2_xs.gif
diff --git a/docs/htmldocs/using_samba/toc.html b/docs/htmldocs/using_samba/toc.html
new file mode 100644
index 0000000000..54d5c3f55f
--- /dev/null
+++ b/docs/htmldocs/using_samba/toc.html
@@ -0,0 +1,138 @@
+<html>
+<body bgcolor="#ffffff">
+
+<table border="0" cellpadding="4" cellspacing="4">
+<tr>
+<td>
+<img src="samba2_s.gif" border="0" height="190" width="145" alt="Using Samba, 
+2nd Edition" />
+</td>
+<td>
+<h2>Using Samba, 2nd Edition</h2>
+By Jay Ts, Robert Eckstein, and David Collier-Brown<br />
+2nd Edition, February 2003 <br />
+O'Reilly &amp; Associates, ISBN: 0-596-00256-4<br />
+<a href="http://www.oreilly.com/catalog/samba2/"><b>www.oreilly.com/catalog/samba2/</b></a>
+</td>
+</tr>
+</table>
+
+<blockquote>
+<h2>Table of Contents</h2>
+
+<P><B><a href="ch00.html">Preface</a></B>
+
+<P><B><a href="ch01.html">1. Learning the Samba</a></B>
+<BR> &nbsp; &nbsp; &nbsp;What Is Samba? 
+<BR> &nbsp; &nbsp; &nbsp;What Can Samba Do for Me? 
+<BR> &nbsp; &nbsp; &nbsp;Getting Familiar with an SMB Network 
+<BR> &nbsp; &nbsp; &nbsp;An Introduction to the SMB Protocol 
+<BR> &nbsp; &nbsp; &nbsp;Windows Workgroups and Domains 
+<BR> &nbsp; &nbsp; &nbsp;What's New in Samba 2.2? 
+<BR> &nbsp; &nbsp; &nbsp;What's New in Samba 3.0? 
+<BR> &nbsp; &nbsp; &nbsp;What Can Samba Do? 
+<BR> &nbsp; &nbsp; &nbsp;An Overview of the Samba Distribution 
+<BR> &nbsp; &nbsp; &nbsp;How Can I Get Samba? 
+
+<P><B><a href="ch02.html">2. Installing Samba on a Unix System</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Bundled Versions 
+<BR> &nbsp; &nbsp; &nbsp;Downloading the Samba Distribution 
+<BR> &nbsp; &nbsp; &nbsp;Configuring Samba 
+<BR> &nbsp; &nbsp; &nbsp;Compiling and Installing Samba 
+<BR> &nbsp; &nbsp; &nbsp;Enabling SWAT 
+<BR> &nbsp; &nbsp; &nbsp;A Basic Samba Configuration File 
+<BR> &nbsp; &nbsp; &nbsp;Firewall Configuration 
+<BR> &nbsp; &nbsp; &nbsp;Starting the Samba Daemons 
+<BR> &nbsp; &nbsp; &nbsp;Testing the Samba Daemons 
+
+<P><B><a href="ch03.html">3. Configuring Windows Clients</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Windows Networking Concepts 
+<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows 95/98/Me Computers 
+<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows NT 4.0 Computers 
+<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows 2000 Computers 
+<BR> &nbsp; &nbsp; &nbsp;Setting Up Windows XP Computers 
+
+<P><B><a href="ch04.html">4. Windows NT Domains</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Samba as the Primary Domain Controller 
+<BR> &nbsp; &nbsp; &nbsp;Adding Computer Accounts 
+<BR> &nbsp; &nbsp; &nbsp;Configuring Windows Clients for Domain Logons 
+<BR> &nbsp; &nbsp; &nbsp;Logon Scripts 
+<BR> &nbsp; &nbsp; &nbsp;Roaming Profiles 
+<BR> &nbsp; &nbsp; &nbsp;System Policies 
+<BR> &nbsp; &nbsp; &nbsp;Samba as a Domain Member Server 
+<BR> &nbsp; &nbsp; &nbsp;Windows NT Domain Options 
+
+<P><B><a href="ch05.html">5. Unix Clients</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Sharing Files on Windows 95/98/Me 
+<BR> &nbsp; &nbsp; &nbsp;Sharing Files on Windows NT/2000/XP 
+<BR> &nbsp; &nbsp; &nbsp;smbclient 
+<BR> &nbsp; &nbsp; &nbsp;smbfs 
+<BR> &nbsp; &nbsp; &nbsp;smbsh 
+<BR> &nbsp; &nbsp; &nbsp;smbutil and mount_smbfs 
+
+<P><B><a href="ch06.html">6. The Samba Configuration File</a></B>
+<BR> &nbsp; &nbsp; &nbsp;The Samba Configuration File 
+<BR> &nbsp; &nbsp; &nbsp;Special Sections 
+<BR> &nbsp; &nbsp; &nbsp;Configuration Options 
+<BR> &nbsp; &nbsp; &nbsp;Server Configuration 
+<BR> &nbsp; &nbsp; &nbsp;Disk Share Configuration 
+<BR> &nbsp; &nbsp; &nbsp;Networking Options with Samba 
+<BR> &nbsp; &nbsp; &nbsp;Virtual Servers 
+<BR> &nbsp; &nbsp; &nbsp;Logging Configuration Options 
+
+<P><B><a href="ch07.html">7. Name Resolution and Browsing</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Name Resolution 
+<BR> &nbsp; &nbsp; &nbsp;Browsing 
+
+<P><B><a href="ch08.html">8. Advanced Disk Shares</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Filesystem Differences 
+<BR> &nbsp; &nbsp; &nbsp;File Permissions and Attributes on MS-DOS and Unix 
+<BR> &nbsp; &nbsp; &nbsp;Windows NT/2000/XP ACLs 
+<BR> &nbsp; &nbsp; &nbsp;Name Mangling and Case 
+<BR> &nbsp; &nbsp; &nbsp;Locks and Oplocks 
+<BR> &nbsp; &nbsp; &nbsp;Connection Scripts 
+<BR> &nbsp; &nbsp; &nbsp;Microsoft Distributed Filesystems 
+<BR> &nbsp; &nbsp; &nbsp;Working with NIS 
+
+<P><B><a href="ch09.html">9. Users and Security</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Users and Groups 
+<BR> &nbsp; &nbsp; &nbsp;Controlling Access to Shares 
+<BR> &nbsp; &nbsp; &nbsp;Authentication of Clients 
+<BR> &nbsp; &nbsp; &nbsp;Passwords 
+<BR> &nbsp; &nbsp; &nbsp;Authentication with winbind 
+
+<P><B><a href="ch10.html">10. Printing</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Sending Print Jobs to Samba 
+<BR> &nbsp; &nbsp; &nbsp;Printing to Windows Printers 
+
+<P><B><a href="ch11.html">11. Additional Samba Information</a></B>
+<BR> &nbsp; &nbsp; &nbsp;Time Synchronization 
+<BR> &nbsp; &nbsp; &nbsp;Magic Scripts 
+<BR> &nbsp; &nbsp; &nbsp;Internationalization 
+<BR> &nbsp; &nbsp; &nbsp;Windows Messenger Service 
+<BR> &nbsp; &nbsp; &nbsp;Miscellaneous Options 
+
+<P><B><a href="ch12.html">12. Troubleshooting Samba</a></B>
+<BR> &nbsp; &nbsp; &nbsp;The Tool Box 
+<BR> &nbsp; &nbsp; &nbsp;The Fault Tree 
+<BR> &nbsp; &nbsp; &nbsp;Extra Resources 
+
+<P><B><a href="appa.html">Appendix A. Example Configuration Files</a></B>
+
+<P><B><a href="appb.html">Appendix B. Samba Configuration Option Quick Reference</a></B>
+
+<P><B><a href="appc.html">Appendix C. Summary of Samba Daemons and Commands</a></B>
+
+<P><B><a href="appd.html">Appendix D. Downloading Samba with CVS</a></B>
+
+<P><B><a href="appe.html">Appendix E. Configure Options</a></B>
+
+<P><B><a href="appf.html">Appendix F. Running Samba on Mac OS X Server</a></B>
+
+<P><B><a href="appg.html">Appendix G. GNU Free Documentation License</a></B>
+
+<P><B><a href="inx.html">Index</a></B>
+</blockquote>
+
+</body>
+</html>
author	bubulle <bubulle@alioth.debian.org>	2010-04-06 18:12:47 +0000
committer	bubulle <bubulle@alioth.debian.org>	2010-04-06 18:12:47 +0000
commit	c038a4e9c09ba4ac77d885ac0afee418f41b8891 (patch)
tree	f5b2444727ff995f46dabbbf94863e9926501444 /docs/htmldocs/using_samba
parent	9e2f5a6ab663f7a111832217c527508c75ddae8a (diff)
download	samba-c038a4e9c09ba4ac77d885ac0afee418f41b8891.tar.gz