diff options
Diffstat (limited to 'docs/htmldocs/manpages/smb.conf.5.html')
| -rw-r--r-- | docs/htmldocs/manpages/smb.conf.5.html | 4980 |
1 files changed, 4980 insertions, 0 deletions
diff --git a/docs/htmldocs/manpages/smb.conf.5.html b/docs/htmldocs/manpages/smb.conf.5.html new file mode 100644 index 0000000000..0803bdb453 --- /dev/null +++ b/docs/htmldocs/manpages/smb.conf.5.html @@ -0,0 +1,4980 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb.conf</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smb.conf.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smb.conf — The configuration file for the Samba suite</p></div><div class="refsect1" lang="en"><a name="id291806"></a><h2>SYNOPSIS</h2><p> + The <code class="filename">smb.conf</code> file is a configuration file for the Samba suite. <code class="filename">smb.conf</code> contains runtime configuration information for the Samba programs. The + <code class="filename">smb.conf</code> file is designed to be configured and administered by the + <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> program. The + complete description of the file format and possible parameters held within are here for reference purposes. + </p></div><div class="refsect1" lang="en"><a name="FILEFORMATSECT"></a><h2>FILE FORMAT</h2><p> + The file consists of sections and parameters. A section begins with the name of the section in square brackets + and continues until the next section begins. Sections contain parameters of the form: +</p><pre class="programlisting"> +<em class="replaceable"><code>name</code></em> = <em class="replaceable"><code>value </code></em> +</pre><p> + </p><p> + The file is line-based - that is, each newline-terminated line represents either a comment, a section name or + a parameter. + </p><p>Section and parameter names are not case sensitive.</p><p> + Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is + discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading + and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is + retained verbatim. + </p><p> + Any line beginning with a semicolon (“<span class="quote">;</span>”) or a hash (“<span class="quote">#</span>”) + character is ignored, as are lines containing only whitespace. + </p><p> + Any line ending in a “<span class="quote"><code class="literal">\</code></span>” is continued on the next line in the customary UNIX fashion. + </p><p> + The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, + which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved + in string values. Some items such as create masks are numeric. + </p></div><div class="refsect1" lang="en"><a name="id259596"></a><h2>SECTION DESCRIPTIONS</h2><p> + Each section in the configuration file (except for the [global] section) describes a shared resource (known as + a “<span class="quote">share</span>”). The section name is the name of the shared resource and the parameters within the + section define the shares attributes. + </p><p> + There are three special sections, [global], [homes] and [printers], which are described under + <span class="emphasis"><em>special sections</em></span>. The following notes apply to ordinary section descriptions. + </p><p> + A share consists of a directory to which access is being given plus a description of the access rights + which are granted to the user of the service. Some housekeeping options are also specifiable. + </p><p> + Sections are either file share services (used by the client as an extension of their native file systems) + or printable services (used by the client to access print services on the host running the server). + </p><p> + Sections may be designated <span class="emphasis"><em>guest</em></span> services, in which case no password is required to + access them. A specified UNIX <span class="emphasis"><em>guest account</em></span> is used to define access privileges in this + case. + </p><p> + Sections other than guest services will require a password to access them. The client provides the + username. As older clients only provide passwords and not usernames, you may specify a list of usernames to + check against the password using the <code class="literal">user =</code> option in the share definition. For modern clients + such as Windows 95/98/ME/NT/2000, this should not be necessary. + </p><p> + The access rights granted by the server are masked by the access rights granted to the specified or guest + UNIX user by the host system. The server does not grant more access than the host system grants. + </p><p> + The following sample section defines a file space share. The user has write access to the path <code class="filename">/home/bar</code>. The share is accessed via the share name <code class="literal">foo</code>: +</p><pre class="programlisting"> + <em class="parameter"><code>[foo]</code></em> + <a class="indexterm" name="id259433"></a>path = /home/bar + <a class="indexterm" name="id260355"></a>read only = no +</pre><p> + </p><p> + The following sample section defines a printable share. The share is read-only, but printable. That is, + the only write access permitted is via calls to open, write to and close a spool file. The <span class="emphasis"><em>guest + ok</em></span> parameter means access will be permitted as the default guest user (specified elsewhere): +</p><pre class="programlisting"> + <em class="parameter"><code>[aprinter]</code></em> + <a class="indexterm" name="id260383"></a>path = /usr/spool/public + <a class="indexterm" name="id260390"></a>read only = yes + <a class="indexterm" name="id260397"></a>printable = yes + <a class="indexterm" name="id260404"></a>guest ok = yes +</pre><p> + </p></div><div class="refsect1" lang="en"><a name="id260415"></a><h2>SPECIAL SECTIONS</h2><div class="refsect2" lang="en"><a name="id260420"></a><h3>The [global] section</h3><p> + Parameters in this section apply to the server as a whole, or are defaults for sections that do not + specifically define certain items. See the notes under PARAMETERS for more information. + </p></div><div class="refsect2" lang="en"><a name="HOMESECT"></a><h3>The [homes] section</h3><p> + If a section called [homes] is included in the configuration file, services connecting clients + to their home directories can be created on the fly by the server. + </p><p> + When the connection request is made, the existing sections are scanned. If a match is found, it is + used. If no match is found, the requested section name is treated as a username and looked up in the local + password file. If the name exists and the correct password has been given, a share is created by cloning the + [homes] section. + </p><p> + Some modifications are then made to the newly created share: + </p><div class="itemizedlist"><ul type="disc"><li><p> + The share name is changed from homes to the located username. + </p></li><li><p> + If no path was given, the path is set to the user's home directory. + </p></li></ul></div><p> + If you decide to use a <span class="emphasis"><em>path =</em></span> line in your [homes] section, it may be useful + to use the %S macro. For example: +</p><pre class="programlisting"> +<strong class="userinput"><code>path = /data/pchome/%S</code></strong> +</pre><p> + is useful if you have different home directories for your PCs than for UNIX access. + </p><p> + This is a fast and simple way to give a large number of clients access to their home directories with a minimum + of fuss. + </p><p> + A similar process occurs if the requested section name is “<span class="quote">homes</span>”, except that the share + name is not changed to that of the requesting user. This method of using the [homes] section works well if + different users share a client PC. + </p><p> + The [homes] section can specify all the parameters a normal service section can specify, though some make more sense + than others. The following is a typical and suitable [homes] section: +</p><pre class="programlisting"> +<em class="parameter"><code>[homes]</code></em> +<a class="indexterm" name="id260157"></a>read only = no +</pre><p> + </p><p> + An important point is that if guest access is specified in the [homes] section, all home directories will be + visible to all clients <span class="emphasis"><em>without a password</em></span>. In the very unlikely event that this is actually + desirable, it is wise to also specify <span class="emphasis"><em>read only access</em></span>. + </p><p> + The <span class="emphasis"><em>browseable</em></span> flag for auto home directories will be inherited from the global browseable + flag, not the [homes] browseable flag. This is useful as it means setting <span class="emphasis"><em>browseable = no</em></span> in + the [homes] section will hide the [homes] share but make any auto home directories visible. + </p></div><div class="refsect2" lang="en"><a name="PRINTERSSECT"></a><h3>The [printers] section</h3><p> + This section works like [homes], but for printers. + </p><p> + If a [printers] section occurs in the configuration file, users are able to connect to any printer + specified in the local host's printcap file. + </p><p> + When a connection request is made, the existing sections are scanned. If a match is found, it is used. + If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested + section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested + section name is a valid printer share name. If a match is found, a new printer share is created by cloning the + [printers] section. + </p><p> + A few modifications are then made to the newly created share: + </p><div class="itemizedlist"><ul type="disc"><li><p>The share name is set to the located printer name</p></li><li><p>If no printer name was given, the printer name is set to the located printer name</p></li><li><p>If the share does not permit guest access and no username was given, the username is set + to the located printer name.</p></li></ul></div><p> + The [printers] service MUST be printable - if you specify otherwise, the server will refuse + to load the configuration file. + </p><p> + Typically the path specified is that of a world-writeable spool directory with the sticky bit set on + it. A typical [printers] entry looks like this: +</p><pre class="programlisting"> +<em class="parameter"><code>[printers]</code></em> +<a class="indexterm" name="id300481"></a>path = /usr/spool/public +<a class="indexterm" name="id300488"></a>guest ok = yes +<a class="indexterm" name="id300495"></a>printable = yes +</pre><p> + </p><p> + All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. + If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file + consisting of one or more lines like this: +</p><pre class="programlisting"> +alias|alias|alias|alias... +</pre><p> + </p><p> + Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, + specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, + which of course can contain whatever aliases you like. The same technique could be used simply to limit access + to a subset of your local printers. + </p><p> + An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, + components (if there are more than one) are separated by vertical bar symbols (<code class="literal">|</code>). + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use + <code class="literal">printcap name = lpstat</code> to automatically obtain a list of printers. See the + <code class="literal">printcap name</code> option for more details. + </p></div></div></div><div class="refsect1" lang="en"><a name="id300553"></a><h2>USERSHARES</h2><p>Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete + their own share definitions has been added. This capability is called <span class="emphasis"><em>usershares</em></span> and + is controlled by a set of parameters in the [global] section of the smb.conf. + The relevant parameters are : + </p><div class="variablelist"><dl><dt><span class="term">usershare allow guests</span></dt><dd><p>Controls if usershares can permit guest access.</p></dd><dt><span class="term">usershare max shares</span></dt><dd><p>Maximum number of user defined shares allowed.</p></dd><dt><span class="term">usershare owner only</span></dt><dd><p>If set only directories owned by the sharing user can be shared.</p></dd><dt><span class="term">usershare path</span></dt><dd><p>Points to the directory containing the user defined share definitions. + The filesystem permissions on this directory control who can create user defined shares.</p></dd><dt><span class="term">usershare prefix allow list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories + can be shared. Only directories below the pathnames in this list are permitted.</p></dd><dt><span class="term">usershare prefix deny list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories + can be shared. Directories below the pathnames in this list are prohibited.</p></dd><dt><span class="term">usershare template share</span></dt><dd><p>Names a pre-existing share used as a template for creating new usershares. + All other share parameters not specified in the user defined share definition + are copied from this named share.</p></dd></dl></div><p>To allow members of the UNIX group <code class="literal">foo</code> to create user defined + shares, create the directory to contain the share definitions as follows: + </p><p>Become root:</p><pre class="programlisting"> +mkdir /usr/local/samba/lib/usershares +chgrp foo /usr/local/samba/lib/usershares +chmod 1770 /usr/local/samba/lib/usershares +</pre><p>Then add the parameters + +</p><pre class="programlisting"> + <a class="indexterm" name="id300682"></a>usershare path = /usr/local/samba/lib/usershares + <a class="indexterm" name="id300690"></a>usershare max shares = 10 # (or the desired number of shares) +</pre><p> + + to the global + section of your <code class="filename">smb.conf</code>. Members of the group foo may then manipulate the user defined shares + using the following commands.</p><div class="variablelist"><dl><dt><span class="term">net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]</span></dt><dd><p>To create or modify (overwrite) a user defined share.</p></dd><dt><span class="term">net usershare delete sharename</span></dt><dd><p>To delete a user defined share.</p></dd><dt><span class="term">net usershare list wildcard-sharename</span></dt><dd><p>To list user defined shares.</p></dd><dt><span class="term">net usershare info wildcard-sharename</span></dt><dd><p>To print information about user defined shares.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id300757"></a><h2>PARAMETERS</h2><p>Parameters define the specific attributes of sections.</p><p> + Some parameters are specific to the [global] section (e.g., <span class="emphasis"><em>security</em></span>). Some parameters + are usable in all sections (e.g., <span class="emphasis"><em>create mask</em></span>). All others are permissible only in normal + sections. For the purposes of the following descriptions the [homes] and [printers] sections will be + considered normal. The letter <span class="emphasis"><em>G</em></span> in parentheses indicates that a parameter is specific to + the [global] section. The letter <span class="emphasis"><em>S</em></span> indicates that a parameter can be specified in a + service specific section. All <span class="emphasis"><em>S</em></span> parameters can also be specified in the [global] section + - in which case they will define the default behavior for all services. + </p><p> + Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can + find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred + synonym. + </p></div><div class="refsect1" lang="en"><a name="id300798"></a><h2>VARIABLE SUBSTITUTIONS</h2><p> + Many of the strings that are settable in the config file can take substitutions. For example the option + “<span class="quote">path = /tmp/%u</span>” is interpreted as “<span class="quote">path = /tmp/john</span>” if the user connected with the + username john. + </p><p> + These substitutions are mostly noted in the descriptions below, but there are some general substitutions + which apply whenever they might be relevant. These are: + </p><div class="variablelist"><dl><dt><span class="term">%U</span></dt><dd><p>session username (the username that the client wanted, not + necessarily the same as the one they got).</p></dd><dt><span class="term">%G</span></dt><dd><p>primary group name of %U.</p></dd><dt><span class="term">%h</span></dt><dd><p>the Internet hostname that Samba is running on.</p></dd><dt><span class="term">%m</span></dt><dd><p>the NetBIOS name of the client machine (very useful).</p><p>This parameter is not available when Samba listens on port 445, as clients no longer + send this information. If you use this macro in an include statement on a domain that has + a Samba domain controller be sure to set in the [global] section <em class="parameter"><code>smb ports = + 139</code></em>. This will cause Samba to not listen on port 445 and will permit include + functionality to function as it did with Samba 2.x. + </p></dd><dt><span class="term">%L</span></dt><dd><p>the NetBIOS name of the server. This allows you to change your config based on what + the client calls you. Your server can have a “<span class="quote">dual personality</span>”. + </p></dd><dt><span class="term">%M</span></dt><dd><p>the Internet name of the client machine. + </p></dd><dt><span class="term">%R</span></dt><dd><p>the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, + LANMAN1, LANMAN2 or NT1.</p></dd><dt><span class="term">%d</span></dt><dd><p>the process id of the current server + process.</p></dd><dt><span class="term">%a</span></dt><dd><p>the architecture of the remote + machine. It currently recognizes Samba (<code class="constant">Samba</code>), + the Linux CIFS file system (<code class="constant">CIFSFS</code>), OS/2, (<code class="constant">OS2</code>), + Windows for Workgroups (<code class="constant">WfWg</code>), Windows 9x/ME + (<code class="constant">Win95</code>), Windows NT (<code class="constant">WinNT</code>), + Windows 2000 (<code class="constant">Win2K</code>), Windows XP (<code class="constant">WinXP</code>), + and Windows 2003 (<code class="constant">Win2K3</code>). Anything else will be known as + <code class="constant">UNKNOWN</code>.</p></dd><dt><span class="term">%I</span></dt><dd><p>the IP address of the client machine.</p></dd><dt><span class="term">%i</span></dt><dd><p>the local IP address to which a client connected.</p></dd><dt><span class="term">%T</span></dt><dd><p>the current date and time.</p></dd><dt><span class="term">%D</span></dt><dd><p>name of the domain or workgroup of the current user.</p></dd><dt><span class="term">%w</span></dt><dd><p>the winbind separator.</p></dd><dt><span class="term">%$(<em class="replaceable"><code>envvar</code></em>)</span></dt><dd><p>the value of the environment variable + <em class="replaceable"><code>envar</code></em>.</p></dd></dl></div><p> + The following substitutes apply only to some configuration options (only those that are + used when a connection has been established): + </p><div class="variablelist"><dl><dt><span class="term">%S</span></dt><dd><p>the name of the current service, if any.</p></dd><dt><span class="term">%P</span></dt><dd><p>the root directory of the current service, if any.</p></dd><dt><span class="term">%u</span></dt><dd><p>username of the current service, if any.</p></dd><dt><span class="term">%g</span></dt><dd><p>primary group name of %u.</p></dd><dt><span class="term">%H</span></dt><dd><p>the home directory of the user given by %u.</p></dd><dt><span class="term">%N</span></dt><dd><p> + the name of your NIS home directory server. This is obtained from your NIS auto.map entry. + If you have not compiled Samba with the <span class="emphasis"><em>--with-automount</em></span> option, this + value will be the same as %L.</p></dd><dt><span class="term">%p</span></dt><dd><p> + the path of the service's home directory, obtained from your NIS auto.map entry. The NIS + auto.map entry is split up as <code class="literal">%N:%p</code>.</p></dd></dl></div><p> + There are some quite creative things that can be done with these substitutions and other + <code class="filename">smb.conf</code> options. + </p></div><div class="refsect1" lang="en"><a name="NAMEMANGLINGSECT"></a><h2>NAME MANGLING</h2><p> + Samba supports <code class="literal">name mangling</code> so that DOS and Windows clients can use files that don't + conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames. + </p><p> + There are several options that control the way mangling is performed, and they are grouped here rather + than listed separately. For the defaults look at the output of the testparm program. + </p><p> + These options can be set separately for each service. + </p><p> + The options are: + </p><div class="variablelist"><dl><dt><span class="term">case sensitive = yes/no/auto</span></dt><dd><p> + controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on + passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS + and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to + access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or + DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no + for them. Default <span class="emphasis"><em>auto</em></span>. + </p></dd><dt><span class="term">default case = upper/lower</span></dt><dd><p> + controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem). + Default <span class="emphasis"><em>lower</em></span>. IMPORTANT NOTE: This option will be used to modify the case of + <span class="emphasis"><em>all</em></span> incoming client filenames, not just new filenames if the options <a class="indexterm" name="id301239"></a>case sensitive = yes, <a class="indexterm" name="id301246"></a>preserve case = No, + <a class="indexterm" name="id301253"></a>short preserve case = No are set. This change is needed as part of the + optimisations for directories containing large numbers of files. + </p></dd><dt><span class="term">preserve case = yes/no</span></dt><dd><p> + controls whether new files (ie. files that don't currently exist in the filesystem) are created with the case + that the client passes, or if they are forced to be the <code class="literal">default</code> case. Default + <span class="emphasis"><em>yes</em></span>. + </p></dd><dt><span class="term">short preserve case = yes/no</span></dt><dd><p> + controls if new files (ie. files that don't currently exist in the filesystem) which conform to 8.3 syntax, + that is all in upper case and of suitable length, are created upper case, or if they are forced to be the + <code class="literal">default</code> case. This option can be used with <code class="literal">preserve case = yes</code> to permit + long filenames to retain their case, while short names are lowercased. Default <span class="emphasis"><em>yes</em></span>. + </p></dd></dl></div><p> + By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive + but case preserving. As a special case for directories with large numbers of files, if the case + options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" + then the "default case" option will be applied and will modify all filenames sent from the client + when accessing this share. + </p></div><div class="refsect1" lang="en"><a name="VALIDATIONSECT"></a><h2>NOTE ABOUT USERNAME/PASSWORD VALIDATION</h2><p> + There are a number of ways in which a user can connect to a service. The server uses the following steps + in determining if it will allow a connection to a specified service. If all the steps fail, the connection + request is rejected. However, if one of the steps succeeds, the following steps are not checked. + </p><p> + If the service is marked “<span class="quote">guest only = yes</span>” and the server is running with share-level + security (“<span class="quote">security = share</span>”, steps 1 to 5 are skipped. + </p><div class="orderedlist"><ol type="1"><li><p> + If the client has passed a username/password pair and that username/password pair is validated by the UNIX + system's password programs, the connection is made as that username. This includes the + <code class="literal">\\server\service</code>%<em class="replaceable"><code>username</code></em> method of passing a username. + </p></li><li><p> + If the client has previously registered a username with the system and now supplies a correct password for that + username, the connection is allowed. + </p></li><li><p> + The client's NetBIOS name and any previously used usernames are checked against the supplied password. If + they match, the connection is allowed as the corresponding user. + </p></li><li><p> + If the client has previously validated a username/password pair with the server and the client has passed + the validation token, that username is used. + </p></li><li><p> + If a <code class="literal">user = </code> field is given in the <code class="filename">smb.conf</code> file for the + service and the client has supplied a password, and that password matches (according to the UNIX system's + password checking) with one of the usernames from the <code class="literal">user =</code> field, the connection is made as + the username in the <code class="literal">user =</code> line. If one of the usernames in the <code class="literal">user =</code> list + begins with a <code class="literal">@</code>, that name expands to a list of names in the group of the same name. + </p></li><li><p> + If the service is a guest service, a connection is made as the username given in the <code class="literal">guest account + =</code> for the service, irrespective of the supplied password. + </p></li></ol></div></div><div class="refsect1" lang="en"><a name="id301448"></a><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p>This a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that + should stop a shutdown procedure issued by the <a class="indexterm" name="id301488"></a>shutdown script.</p><p>If the connected user posseses the <code class="constant">SeRemoteShutdownPrivilege</code>, + right, this command will be run as user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>abort shutdown script</code></em> = <code class="literal">""</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>abort shutdown script</code></em> = <code class="literal">/sbin/shutdown -c</code> +</em></span> +</p></dd><dt><span class="term"><a name="ACLCHECKPERMISSIONS"></a>acl check permissions (S)</span></dt><dd><p>This boolean parameter controls what <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>does on receiving a protocol request of "open for delete" + from a Windows client. If a Windows client doesn't have permissions to delete a file then they + expect this to be denied at open time. POSIX systems normally only detect restrictions on delete by + actually attempting to delete the file or directory. As Windows clients can (and do) "back out" a + delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately + on "open for delete" request as we cannot restore such a deleted file. With this parameter set to + true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the + request without actually deleting the file if the file system permissions would seem to deny it. + This is not perfect, as it's possible a user could have deleted a file without Samba being able to + check the permissions correctly, but it is close enough to Windows semantics for mostly correct + behaviour. Samba will correctly check POSIX ACL semantics in this case. + </p><p>If this parameter is set to "false" Samba doesn't check permissions on "open for delete" + and allows the open. If the user doesn't have permission to delete the file this will only be + discovered at close time, which is too late for the Windows user tools to display an error message + to the user. The symptom of this is files that appear to have been deleted "magically" re-appearing + on a Windows explorer refersh. This is an extremely advanced protocol option which should not + need to be changed. This parameter was introduced in its final form in 3.0.21, an earlier version + with slightly different semantics was introduced in 3.0.20. That older version is not documented here. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl check permissions</code></em> = <code class="literal">True</code> +</em></span> +</p></dd><dt><span class="term"><a name="ACLCOMPATIBILITY"></a>acl compatibility (S)</span></dt><dd><p>This parameter specifies what OS ACL semantics should + be compatible with. Possible values are <span class="emphasis"><em>winnt</em></span> for Windows NT 4, + <span class="emphasis"><em>win2k</em></span> for Windows 2000 and above and <span class="emphasis"><em>auto</em></span>. + If you specify <span class="emphasis"><em>auto</em></span>, the value for this parameter + will be based upon the version of the client. There should + be no reason to change this parameter from the default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl compatibility</code></em> = <code class="literal">Auto</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>acl compatibility</code></em> = <code class="literal">win2k</code> +</em></span> +</p></dd><dt><span class="term"><a name="ACLGROUPCONTROL"></a>acl group control (S)</span></dt><dd><p> + In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions + and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the + <span class="emphasis"><em>primary group owner</em></span> of a file or directory to modify the permissions and ACLs + on that file. + </p><p> + On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in + that group to modify the permissions on it. This allows the delegation of security controls + on a point in the filesystem to the group owner of a directory and anything below it also owned + by that group. This means there are multiple people with permissions to modify ACLs on a file + or directory, easing managability. + </p><p> + This parameter allows Samba to also permit delegation of the control over a point in the exported + directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to + control the permissions on a file or directory they have group ownership on. + </p><p> + This parameter is best used with the <a class="indexterm" name="id301716"></a>inherit owner option and also + on on a share containing directories with the UNIX <span class="emphasis"><em>setgid bit</em></span> bit set + on them, which causes new files and directories created within it to inherit the group + ownership from the containing directory. + </p><p> + This is parameter has been marked deprecated in Samba 3.0.23. The same behavior is now + implemented by the <em class="parameter"><code>dos filemode</code></em> option. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl group control</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ACLMAPFULLCONTROL"></a>acl map full control (S)</span></dt><dd><p> + This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum + allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX + ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any + POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and + execute. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl map full control</code></em> = <code class="literal">True</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDGROUPSCRIPT"></a>add group script (G)</span></dt><dd><p> + This is the full pathname to a script that will be run <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a new group is requested. It + will expand any <em class="parameter"><code>%g</code></em> to the group name passed. This script is only useful + for installations using the Windows NT domain administration tools. The script is free to create a group with + an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric + gid of the created group on stdout. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add group script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add group script</code></em> = <code class="literal">/usr/sbin/groupadd %g</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDMACHINESCRIPT"></a>add machine script (G)</span></dt><dd><p> + This is the full pathname to a script that will be run by + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a machine is + added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not + already exist. + </p><p>This option is very similar to the <a class="indexterm" name="id301914"></a>add user script, and likewise uses the %u + substitution for the account name. Do not use the %m + substitution. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> = <code class="literal">/usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDPORTCOMMAND"></a>add port command (G)</span></dt><dd><p>Samba 3.0.23 introduces support for adding printer ports + remotely using the Windows "Add Standard TCP/IP Port Wizard". + This option defines an external program to be executed when + smbd receives a request to add a new Port to the system. + he script is passed two parameters: + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>port name</code></em></p></li><li><p><em class="parameter"><code>device URI</code></em></p></li></ul></div><p>The deviceURI is in the for of socket://<hostname>[:<portnumber>] + or lpd://<hostname>/<queuename>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add port command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add port command</code></em> = <code class="literal">/etc/samba/scripts/addport.sh</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDPRINTERCOMMAND"></a>add printer command (G)</span></dt><dd><p>With the introduction of MS-RPC based printing + support for Windows NT/2000 clients in Samba 2.2, The MS Add + Printer Wizard (APW) icon is now also available in the + "Printers..." folder displayed a share listing. The APW + allows for printers to be add remotely to a Samba or Windows + NT/2000 print server.</p><p>For a Samba host this means that the printer must be + physically added to the underlying printing system. The <em class="parameter"><code>add + printer command</code></em> defines a script to be run which + will perform the necessary operations for adding the printer + to the print system and to add the appropriate service definition + to the <code class="filename">smb.conf</code> file in order that it can be + shared by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>The <em class="parameter"><code>addprinter command</code></em> is + automatically invoked with the following parameter (in + order):</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>printer name</code></em></p></li><li><p><em class="parameter"><code>share name</code></em></p></li><li><p><em class="parameter"><code>port name</code></em></p></li><li><p><em class="parameter"><code>driver name</code></em></p></li><li><p><em class="parameter"><code>location</code></em></p></li><li><p><em class="parameter"><code>Windows 9x driver location</code></em></p></li></ul></div><p>All parameters are filled in from the PRINTER_INFO_2 structure sent + by the Windows NT/2000 client with one exception. The "Windows 9x + driver location" parameter is included for backwards compatibility + only. The remaining fields in the structure are generated from answers + to the APW questions.</p><p>Once the <em class="parameter"><code>addprinter command</code></em> has + been executed, <code class="literal">smbd</code> will reparse the <code class="filename"> + smb.conf</code> to determine if the share defined by the APW + exists. If the sharename is still invalid, then <code class="literal">smbd + </code> will return an ACCESS_DENIED error to the client.</p><p> + The "add printer command" program can output a single line of text, + which Samba will set as the port the new printer is connected to. + If this line isn't output, Samba won't reload its printer shares. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add printer command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add printer command</code></em> = <code class="literal">/usr/bin/addprinter</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDSHARECOMMAND"></a>add share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically + add and delete shares via the Windows NT 4.0 Server Manager. The + <em class="parameter"><code>add share command</code></em> is used to define an + external program or script which will add a new service definition + to <code class="filename">smb.conf</code>. In order to successfully + execute the <em class="parameter"><code>add share command</code></em>, <code class="literal">smbd</code> + requires that the administrator be connected using a root account (i.e. + uid == 0). + </p><p> + When executed, <code class="literal">smbd</code> will automatically invoke the + <em class="parameter"><code>add share command</code></em> with five parameters. + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>configFile</code></em> - the location + of the global <code class="filename">smb.conf</code> file. + </p></li><li><p><em class="parameter"><code>shareName</code></em> - the name of the new + share. + </p></li><li><p><em class="parameter"><code>pathName</code></em> - path to an **existing** + directory on disk. + </p></li><li><p><em class="parameter"><code>comment</code></em> - comment string to associate + with the new share. + </p></li><li><p><em class="parameter"><code>max + connections</code></em> + Number of maximum simultaneous connections to this + share. + </p></li></ul></div><p> + This parameter is only used for add file shares. To add printer shares, + see the <a class="indexterm" name="id302354"></a>addprinter command. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add share command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add share command</code></em> = <code class="literal">/usr/local/bin/addshare</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDUSERSCRIPT"></a>add user script (G)</span></dt><dd><p> + This is the full pathname to a script that will be run <span class="emphasis"><em>AS ROOT</em></span> by + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> + under special circumstances described below. + </p><p> + Normally, a Samba server requires that UNIX users are created for all users accessing + files on this server. For sites that use Windows NT account databases as their primary + user database creating these users and keeping the user list in sync with the Windows + NT PDC is an onerous task. This option allows smbd to create the required UNIX users + <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server. + </p><p> + In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to + <a class="indexterm" name="id302456"></a>security = share and <a class="indexterm" name="id302463"></a>add user script + must be set to a full pathname for a script that will create a UNIX user given one argument of + <em class="parameter"><code>%u</code></em>, which expands into the UNIX user name to create. + </p><p> + When the Windows user attempts to access the Samba server, at login (session setup in + the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <a class="indexterm" name="id302489"></a>password server + and attempts to authenticate the given user with the given password. If the authentication + succeeds then <code class="literal">smbd</code> attempts to find a UNIX user in the UNIX + password database to map the Windows user into. If this lookup fails, and + <a class="indexterm" name="id302504"></a>add user script is set then <code class="literal">smbd</code> will + call the specified script <span class="emphasis"><em>AS ROOT</em></span>, expanding any + <em class="parameter"><code>%u</code></em> argument to be the user name to create. + </p><p> + If this script successfully creates the user then <code class="literal">smbd</code> will + continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts. + </p><p> + See also <a class="indexterm" name="id302541"></a>security, <a class="indexterm" name="id302548"></a>password server, + <a class="indexterm" name="id302555"></a>delete user script. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add user script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add user script</code></em> = <code class="literal">/usr/local/samba/bin/add_user %u</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADDUSERTOGROUPSCRIPT"></a>add user to group script (G)</span></dt><dd><p> + Full path to the script that will be called when a user is added to a group using the Windows NT domain administration + tools. It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> + <span class="emphasis"><em>AS ROOT</em></span>. Any <em class="parameter"><code>%g</code></em> will be replaced with the group name and + any <em class="parameter"><code>%u</code></em> will be replaced with the user name. + </p><p> + Note that the <code class="literal">adduser</code> command used in the example below does + not support the used syntax on all systems. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add user to group script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add user to group script</code></em> = <code class="literal">/usr/sbin/adduser %u %g</code> +</em></span> +</p></dd><dt><span class="term"><a name="ADMINUSERS"></a>admin users (S)</span></dt><dd><p>This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root).</p><p>You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions.</p><p>This parameter will not work with the <a class="indexterm" name="id302715"></a>security = share in + Samba 3.0. This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>admin users</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>admin users</code></em> = <code class="literal">jason</code> +</em></span> +</p></dd><dt><span class="term"><a name="AFSSHARE"></a>afs share (S)</span></dt><dd><p>This parameter controls whether special AFS features are enabled + for this share. If enabled, it assumes that the directory exported via + the <em class="parameter"><code>path</code></em> parameter is a local AFS import. The + special AFS features include the attempt to hand-craft an AFS token + if you enabled --with-fake-kaserver in configure. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>afs share</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="AFSUSERNAMEMAP"></a>afs username map (G)</span></dt><dd><p>If you are using the fake kaserver AFS feature, you might + want to hand-craft the usernames you are creating tokens for. + For example this is necessary if you have users from several domain + in your AFS Protection Database. One possible scheme to code users + as DOMAIN+User as it is done by winbind with the + as a separator. + </p><p>The mapped user name must contain the cell name to log into, + so without setting this parameter there will be no token.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>afs username map</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>afs username map</code></em> = <code class="literal">%u@afs.samba.org</code> +</em></span> +</p></dd><dt><span class="term"><a name="AIOREADSIZE"></a>aio read size (S)</span></dt><dd><p>If Samba has been built with asynchronous I/O support and this + integer parameter is set to non-zero value, + Samba will read from file asynchronously when size of request is bigger + than this value. Note that it happens only for non-chained and non-chaining + reads and when not using write cache.</p><p>Current implementation of asynchronous I/O in Samba 3.0 does support + only up to 10 outstanding asynchronous requests, read and write combined.</p> + + write cache size + aio write size + +<p>Default: <span class="emphasis"><em><em class="parameter"><code>aio read size</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>aio read size</code></em> = <code class="literal">16384 +# Use asynchronous I/O for reads bigger than 16KB + request size</code> +</em></span> +</p></dd><dt><span class="term"><a name="AIOWRITESIZE"></a>aio write size (S)</span></dt><dd><p>If Samba has been built with asynchronous I/O support and this + integer parameter is set to non-zero value, + Samba will write to file asynchronously when size of request is bigger + than this value. Note that it happens only for non-chained and non-chaining + reads and when not using write cache.</p><p>Current implementation of asynchronous I/O in Samba 3.0 does support + only up to 10 outstanding asynchronous requests, read and write combined.</p> + + write cache size + aio read size + +<p>Default: <span class="emphasis"><em><em class="parameter"><code>aio write size</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>aio write size</code></em> = <code class="literal">16384 +# Use asynchronous I/O for writes bigger than 16KB + request size</code> +</em></span> +</p></dd><dt><span class="term"><a name="ALGORITHMICRIDBASE"></a>algorithmic rid base (G)</span></dt><dd><p>This determines how Samba will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers. + </p><p>Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with sytem users etc. + </p><p>All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitary-rid supporting backends. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>algorithmic rid base</code></em> = <code class="literal">1000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>algorithmic rid base</code></em> = <code class="literal">100000</code> +</em></span> +</p></dd><dt><span class="term"><a name="ALLOCATIONROUNDUPSIZE"></a>allocation roundup size (S)</span></dt><dd><p>This parameter allows an administrator to tune the + allocation size reported to Windows clients. The default + size of 1Mb generally results in improved Windows client + performance. However, rounding the allocation size may cause + difficulties for some applications, e.g. MS Visual Studio. + If the MS Visual Studio compiler starts to crash with an + internal error, set this parameter to zero for this share. + </p><p>The integer parameter specifies the roundup size in bytes.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>allocation roundup size</code></em> = <code class="literal">1048576</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>allocation roundup size</code></em> = <code class="literal">0 +# (to disable roundups)</code> +</em></span> +</p></dd><dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p> + This option only takes effect when the <a class="indexterm" name="id303140"></a>security option is set to + <code class="constant">server</code>, <code class="constant">domain</code> or <code class="constant">ads</code>. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication.</p><p>This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>allow trusted domains</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ANNOUNCEAS"></a>announce as (G)</span></dt><dd><p>This specifies what type of server <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will announce itself as, to a network neighborhood browse + list. By default this is set to Windows NT. The valid options + are : "NT Server" (which can also be written as "NT"), + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + Windows NT Workstation, Windows 95 and Windows for Workgroups + respectively. Do not change this parameter unless you have a + specific need to stop Samba appearing as an NT server as this + may prevent Samba servers from participating as browser servers + correctly.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>announce as</code></em> = <code class="literal">NT Server</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>announce as</code></em> = <code class="literal">Win95</code> +</em></span> +</p></dd><dt><span class="term"><a name="ANNOUNCEVERSION"></a>announce version (G)</span></dt><dd><p>This specifies the major and minor version numbers + that nmbd will use when announcing itself as a server. The default + is 4.9. Do not change this parameter unless you have a specific + need to set a Samba server to be a downlevel server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>announce version</code></em> = <code class="literal">4.9</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>announce version</code></em> = <code class="literal">2.0</code> +</em></span> +</p></dd><dt><span class="term"><a name="AUTHMETHODS"></a>auth methods (G)</span></dt><dd><p> + This option allows the administrator to chose what authentication methods <code class="literal">smbd</code> + will use when authenticating a user. This option defaults to sensible values based on <a class="indexterm" name="id303341"></a>security. + This should be considered a developer option and used only in rare circumstances. In the majority (if not all) + of production servers, the default setting should be adequate. + </p><p> + Each entry in the list attempts to authenticate the user in turn, until + the user authenticates. In practice only one method will ever actually + be able to complete the authentication. + </p><p> + Possible options include <code class="constant">guest</code> (anonymous access), + <code class="constant">sam</code> (lookups in local list of accounts based on netbios + name or domain name), <code class="constant">winbind</code> (relay authentication requests + for remote users through winbindd), <code class="constant">ntdomain</code> (pre-winbindd + method of authentication for remote domain users; deprecated in favour of winbind method), + <code class="constant">trustdomain</code> (authenticate trusted users by contacting the + remote DC directly from smbd; deprecated in favour of winbind method). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>auth methods</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>auth methods</code></em> = <code class="literal">guest sam winbind</code> +</em></span> +</p></dd><dt><span class="term"><a name="AVAILABLE"></a>available (S)</span></dt><dd><p>This parameter lets you "turn off" a service. If + <em class="parameter"><code>available = no</code></em>, then <span class="emphasis"><em>ALL</em></span> + attempts to connect to the service will fail. Such failures are + logged.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>available</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="BINDINTERFACESONLY"></a>bind interfaces only (G)</span></dt><dd><p>This global parameter allows the Samba admin + to limit what interfaces on a machine will serve SMB requests. It + affects file service <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and name service <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> in a slightly different ways.</p><p> + For name service it causes <code class="literal">nmbd</code> to bind to ports 137 and 138 on the + interfaces listed in the <a class="indexterm" name="id303510"></a>interfaces parameter. <code class="literal">nmbd</code> + also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of + reading broadcast messages. If this option is not set then <code class="literal">nmbd</code> will + service name requests on all of these sockets. If <a class="indexterm" name="id303531"></a>bind interfaces only is set then + <code class="literal">nmbd</code> will check the source address of any packets coming in on the + broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the + <a class="indexterm" name="id303545"></a>interfaces parameter list. As unicast packets are received on the other sockets it + allows <code class="literal">nmbd</code> to refuse to serve names to machines that send packets that + arrive through any interfaces not listed in the <a class="indexterm" name="id303560"></a>interfaces list. IP Source address + spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for + <code class="literal">nmbd</code>. + </p><p> + For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id303585"></a>interfaces parameter. This restricts the networks that <code class="literal">smbd</code> will + serve to packets coming in those interfaces. Note that you should not use this parameter for machines that + are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with + non-permanent interfaces. + </p><p> + If <a class="indexterm" name="id303604"></a>bind interfaces only is set then unless the network address + <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id303615"></a>interfaces parameter list + <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and + <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as + expected due to the reasons covered below. + </p><p> + To change a users SMB password, the <code class="literal">smbpasswd</code> by default connects to the + <span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If + <a class="indexterm" name="id303653"></a>bind interfaces only is set then unless the network address + <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id303664"></a>interfaces parameter list then <code class="literal"> smbpasswd</code> will fail to connect in it's default mode. <code class="literal">smbpasswd</code> can be forced to use the primary IP interface of the local host by using + its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> <em class="parameter"><code>-r <em class="replaceable"><code>remote machine</code></em></code></em> parameter, with <em class="replaceable"><code>remote + machine</code></em> set to the IP name of the primary interface of the local host. + </p><p> + The <code class="literal">swat</code> status page tries to connect with <code class="literal">smbd</code> and <code class="literal">nmbd</code> at the address + <span class="emphasis"><em>127.0.0.1</em></span> to determine if they are running. Not adding <span class="emphasis"><em>127.0.0.1</em></span> + will cause <code class="literal"> smbd</code> and <code class="literal">nmbd</code> to always show + "not running" even if they really are. This can prevent <code class="literal"> swat</code> + from starting/stopping/restarting <code class="literal">smbd</code> and <code class="literal">nmbd</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>bind interfaces only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="BLOCKINGLOCKS"></a>blocking locks (S)</span></dt><dd><p>This parameter controls the behavior + of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when given a request by a client + to obtain a byte range lock on a region of an open file, and the + request has a time limit associated with it.</p><p>If this parameter is set and the lock range requested + cannot be immediately satisfied, samba will internally + queue the lock request, and periodically attempt to obtain + the lock until the timeout period expires.</p><p>If this parameter is set to <code class="constant">no</code>, then + samba will behave as previous versions of Samba would and + will fail the lock request immediately if the lock range + cannot be obtained.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>blocking locks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="BLOCKSIZE"></a>block size (S)</span></dt><dd><p>This parameter controls the behavior of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when reporting disk free + sizes. By default, this reports a disk block size of 1024 bytes. + </p><p>Changing this parameter may have some effect on the + efficiency of client writes, this is not yet confirmed. This + parameter was added to allow advanced administrators to change + it (usually to a higher value) and test the effect it has on + client write performance without re-compiling the code. As this + is an experimental option it may be removed in a future release. + </p><p>Changing this option does not change the disk free reporting + size, just the block size unit reported to the client. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>block size</code></em> = <code class="literal">1024</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>block size</code></em> = <code class="literal">4096</code> +</em></span> +</p></dd><dt><span class="term"><a name="BROWSABLE"></a>browsable</span></dt><dd><p>This parameter is a synonym for browseable.</p></dd><dt><span class="term"><a name="BROWSEABLE"></a>browseable (S)</span></dt><dd><p>This controls whether this share is seen in + the list of available shares in a net view and in the browse list.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>browseable</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="BROWSELIST"></a>browse list (G)</span></dt><dd><p>This controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will serve a browse list to + a client doing a <code class="literal">NetServerEnum</code> call. Normally + set to <code class="constant">yes</code>. You should never need to change + this.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>browse list</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames</span></dt><dd><p>This parameter is a synonym for case sensitive.</p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a class="indexterm" name="id304074"></a>name mangling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>case sensitive</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="CHANGENOTIFY"></a>change notify (S)</span></dt><dd><p>This parameter specifies whether Samba should reply + to a client's file change notify requests. + </p><p>You should never need to change this parameter</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>change notify</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="CHANGESHARECOMMAND"></a>change share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically + add and delete shares via the Windows NT 4.0 Server Manager. The + <em class="parameter"><code>change share command</code></em> is used to define an + external program or script which will modify an existing service definition + in <code class="filename">smb.conf</code>. In order to successfully + execute the <em class="parameter"><code>change share command</code></em>, <code class="literal">smbd</code> + requires that the administrator be connected using a root account (i.e. + uid == 0). + </p><p> + When executed, <code class="literal">smbd</code> will automatically invoke the + <em class="parameter"><code>change share command</code></em> with five parameters. + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>configFile</code></em> - the location + of the global <code class="filename">smb.conf</code> file. + </p></li><li><p><em class="parameter"><code>shareName</code></em> - the name of the new + share. + </p></li><li><p><em class="parameter"><code>pathName</code></em> - path to an **existing** + directory on disk. + </p></li><li><p><em class="parameter"><code>comment</code></em> - comment string to associate + with the new share. + </p></li><li><p><em class="parameter"><code>max + connections</code></em> + Number of maximum simultaneous connections to this + share. + </p></li></ul></div><p> + This parameter is only used modify existing file shares definitions. To modify + printer shares, use the "Printers..." folder as seen when browsing the Samba host. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>change share command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>change share command</code></em> = <code class="literal">/usr/local/bin/addshare</code> +</em></span> +</p></dd><dt><span class="term"><a name="CHECKPASSWORDSCRIPT"></a>check password script (G)</span></dt><dd><p>The name of a program that can be used to check password + complexity. The password is sent to the program's standrad input.</p><p>The program must return 0 on good password any other value otherwise. + In case the password is considered weak (the program do not return 0) the + user will be notified and the password change will fail.</p><p>Note: In the example directory there is a sample program called crackcheck + that uses cracklib to checkpassword quality</p>. + + +<p>Default: <span class="emphasis"><em><em class="parameter"><code>check password script</code></em> = <code class="literal">Disabled</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>check password script</code></em> = <code class="literal">check password script = /usr/local/sbin/crackcheck</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTLANMANAUTH"></a>client lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> and other samba client + tools will attempt to authenticate itself to servers using the + weaker LANMAN password hash. If disabled, only server which support NT + password hashes (e.g. Windows NT/2000, Samba, etc... but not + Windows 95/98) will be able to be connected from the Samba client.</p><p>The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Clients + without Windows 95/98 servers are advised to disable + this option. </p><p>Disabling this option will also disable the <code class="literal">client plaintext auth</code> option</p><p>Likewise, if the <code class="literal">client ntlmv2 + auth</code> parameter is enabled, then only NTLMv2 logins will be + attempted.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client lanman auth</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTNTLMV2AUTH"></a>client ntlmv2 auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response.</p><p>If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Many servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2. </p><p>Similarly, if enabled, NTLMv1, <code class="literal">client lanman auth</code> and <code class="literal">client plaintext auth</code> + authentication will be disabled. This also disables share-level + authentication. </p><p>If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of <code class="literal">client lanman auth</code>. </p><p>Note that some sites (particularly + those following 'best practice' security polices) only allow NTLMv2 + responses, and not the weaker LM or NTLM.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client ntlmv2 auth</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTPLAINTEXTAUTH"></a>client plaintext auth (G)</span></dt><dd><p>Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client plaintext auth</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTSCHANNEL"></a>client schannel (G)</span></dt><dd><p> + This controls whether the client offers or even demands the use of the netlogon schannel. + <a class="indexterm" name="id304593"></a>client schannel = no does not offer the schannel, + <a class="indexterm" name="id304601"></a>client schannel = auto offers the schannel but does not + enforce it, and <a class="indexterm" name="id304608"></a>client schannel = yes denies access + if the server is not able to speak netlogon schannel. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client schannel</code></em> = <code class="literal">auto</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>client schannel</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTSIGNING"></a>client signing (G)</span></dt><dd><p>This controls whether the client offers or requires + the server it talks to to use SMB signing. Possible values + are <span class="emphasis"><em>auto</em></span>, <span class="emphasis"><em>mandatory</em></span> + and <span class="emphasis"><em>disabled</em></span>. + </p><p>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client signing</code></em> = <code class="literal">auto</code> +</em></span> +</p></dd><dt><span class="term"><a name="CLIENTUSESPNEGO"></a>client use spnego (G)</span></dt><dd><p> This variable controls whether Samba clients will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + supporting servers (including WindowsXP, Windows2000 and Samba + 3.0) to agree upon an authentication + mechanism. This enables Kerberos authentication in particular.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client use spnego</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="COMMENT"></a>comment (S)</span></dt><dd><p>This is a text field that is seen next to a share + when a client does a queries the server, either via the network + neighborhood or via <code class="literal">net view</code> to list what shares + are available.</p><p>If you want to set the string that is displayed next to the + machine name then see the <a class="indexterm" name="id304778"></a>server string parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> = <code class="literal"> +# No comment</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> = <code class="literal">Fred's Files</code> +</em></span> +</p></dd><dt><span class="term"><a name="CONFIGFILE"></a>config file (G)</span></dt><dd><p>This allows you to override the config file + to use, instead of the default (usually <code class="filename">smb.conf</code>). + There is a chicken and egg problem here as this option is set + in the config file!</p><p>For this reason, if the name of the config file has changed + when the parameters are loaded then it will reload them from + the new config file.</p><p>This option takes the usual substitutions, which can + be very useful.</p><p>If the config file doesn't exist then it won't be loaded + (allowing you to special case the config files of just a few + clients).</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>config file</code></em> = <code class="literal">/usr/local/samba/lib/smb.conf.%m</code> +</em></span> +</p></dd><dt><span class="term"><a name="COPY"></a>copy (S)</span></dt><dd><p>This parameter allows you to "clone" service + entries. The specified service is simply duplicated under the + current service's name. Any parameters specified in the current + section will override those in the section being copied.</p><p>This feature lets you set up a 'template' service and + create similar services easily. Note that the service being + copied must occur earlier in the configuration file than the + service doing the copying.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>copy</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>copy</code></em> = <code class="literal">otherservice</code> +</em></span> +</p></dd><dt><span class="term"><a name="CREATEMODE"></a>create mode</span></dt><dd><p>This parameter is a synonym for create mask.</p></dd><dt><span class="term"><a name="CREATEMASK"></a>create mask (S)</span></dt><dd><p> + When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to + UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may + be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <span class="emphasis"><em>not</em></span> set here will + be removed from the modes set on a file when it is created. + </p><p> + The default value of this parameter removes the <code class="literal">group</code> and <code class="literal">other</code> + write and execute bits from the UNIX modes. + </p><p> + Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the + <a class="indexterm" name="id305012"></a>force create mode parameter which is set to 000 by default. + </p><p> + This parameter does not affect directory masks. See the parameter <a class="indexterm" name="id305023"></a>directory mask + for details. + </p><p> + Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the + administrator wishes to enforce a mask on access control lists also, they need to set the <a class="indexterm" name="id305036"></a>security mask. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>create mask</code></em> = <code class="literal">0744</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>create mask</code></em> = <code class="literal">0775</code> +</em></span> +</p></dd><dt><span class="term"><a name="CSCPOLICY"></a>csc policy (S)</span></dt><dd><p> + This stands for <span class="emphasis"><em>client-side caching policy</em></span>, and specifies how clients capable of offline + caching will cache the files in the share. The valid values are: manual, documents, programs, disable. + </p><p> + These values correspond to those used on Windows servers. + </p><p> + For example, shares containing roaming profiles can have offline caching disabled using + <a class="indexterm" name="id305112"></a>csc policy = disable. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>csc policy</code></em> = <code class="literal">manual</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>csc policy</code></em> = <code class="literal">programs</code> +</em></span> +</p></dd><dt><span class="term"><a name="CUPSOPTIONS"></a>cups options (S)</span></dt><dd><p> + This parameter is only applicable if <a class="indexterm" name="id305175"></a>printing is + set to <code class="constant">cups</code>. Its value is a free form string of options + passed directly to the cups library. + </p><p> + You can pass any generic print option known to CUPS (as listed + in the CUPS "Software Users' Manual"). You can also pass any printer + specific option (as listed in "lpoptions -d printername -l") + valid for the target queue. + </p><p> + You should set this parameter to <code class="constant">raw</code> if your CUPS server + <code class="filename">error_log</code> file contains messages such as + "Unsupported format 'application/octet-stream'" when printing from a Windows client + through Samba. It is no longer necessary to enable + system wide raw printing in <code class="filename">/etc/cups/mime.{convs,types}</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>cups options</code></em> = <code class="literal">""</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups options</code></em> = <code class="literal">"raw,media=a4,job-sheets=secret,secret"</code> +</em></span> +</p></dd><dt><span class="term"><a name="CUPSSERVER"></a>cups server (G)</span></dt><dd><p> + This parameter is only applicable if <a class="indexterm" name="id305268"></a>printing is set to <code class="constant">cups</code>. + </p><p> + If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is + necessary if you have virtual samba servers that connect to different CUPS daemons. + </p><p>Optionally, a port can be specified by separating the server name + and port number with a colon. If no port was specified, + the default port for IPP (631) will be used. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = <code class="literal">""</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = <code class="literal">mycupsserver</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = <code class="literal">mycupsserver:1631</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEADTIME"></a>deadtime (G)</span></dt><dd><p>The value of the parameter (a decimal integer) + represents the number of minutes of inactivity before a connection + is considered dead, and it is disconnected. The deadtime only takes + effect if the number of open files is zero.</p><p>This is useful to stop a server's resources being + exhausted by a large number of inactive connections.</p><p>Most clients have an auto-reconnect feature when a + connection is broken so in most cases this parameter should be + transparent to users.</p><p>Using this parameter with a timeout of a few minutes + is recommended for most systems.</p><p>A deadtime of zero indicates that no auto-disconnection + should be performed.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>deadtime</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>deadtime</code></em> = <code class="literal">15</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGHIRESTIMESTAMP"></a>debug hires timestamp (G)</span></dt><dd><p> + Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp message header when turned on. + </p><p> + Note that the parameter <a class="indexterm" name="id305445"></a>debug timestamp must be on for this to have an effect. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug hires timestamp</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGPID"></a>debug pid (G)</span></dt><dd><p> + When using only one log file for more then one forked <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>-process there may be hard to follow which process outputs which + message. This boolean parameter is adds the process-id to the timestamp message headers in the + logfile when turned on. + </p><p> + Note that the parameter <a class="indexterm" name="id305504"></a>debug timestamp must be on for this to have an effect. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug pid</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGPREFIXTIMESTAMP"></a>debug prefix timestamp (G)</span></dt><dd><p> + With this option enabled, the timestamp message header is prefixed to the debug message without the + filename and function information that is included with the <a class="indexterm" name="id305552"></a>debug timestamp + parameter. This gives timestamps to the messages without adding an additional line. + </p><p> + Note that this parameter overrides the <a class="indexterm" name="id305563"></a>debug timestamp parameter. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug prefix timestamp</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="TIMESTAMPLOGS"></a>timestamp logs</span></dt><dd><p>This parameter is a synonym for debug timestamp.</p></dd><dt><span class="term"><a name="DEBUGTIMESTAMP"></a>debug timestamp (G)</span></dt><dd><p> + Samba debug log messages are timestamped by default. If you are running at a high + <a class="indexterm" name="id305630"></a>debug level these timestamps can be distracting. This + boolean parameter allows timestamping to be turned off. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug timestamp</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGUID"></a>debug uid (G)</span></dt><dd><p> + Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers in the log file if turned on. + </p><p> + Note that the parameter <a class="indexterm" name="id305681"></a>debug timestamp must be on for this to have an effect. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug uid</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a class="indexterm" name="id305726"></a>name mangling. + Also note the <a class="indexterm" name="id305734"></a>short preserve case parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default case</code></em> = <code class="literal">lower</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a class="indexterm" name="id305779"></a>printable services. + When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba + server has a Device Mode which defines things such as paper size and + orientation and duplex settings. The device mode can only correctly be + generated by the printer driver itself (which can only be executed on a + Win32 platform). Because smbd is unable to execute the driver code + to generate the device mode, the default behavior is to set this field + to NULL. + </p><p>Most problems with serving printer drivers to Windows NT/2k/XP clients + can be traced to a problem with the generated device mode. Certain drivers + will do things such as crashing the client's Explorer.exe with a NULL devmode. + However, other printer drivers can cause the client's spooler service + (spoolsv.exe) to die if the devmode was not created by the driver itself + (i.e. smbd generates a default devmode). + </p><p>This parameter should be used with care and tested with the printer + driver in question. It is better to leave the device mode to NULL + and let the Windows client set the correct values. Because drivers do not + do this all the time, setting <code class="literal">default devmode = yes</code> + will instruct smbd to generate a default one. + </p><p>For more information on Windows NT/2k printing and Device Modes, + see the <a href="http://msdn.microsoft.com/" target="_top">MSDN documentation</a>. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default devmode</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEFAULT"></a>default</span></dt><dd><p>This parameter is a synonym for default service.</p></dd><dt><span class="term"><a name="DEFAULTSERVICE"></a>default service (G)</span></dt><dd><p>This parameter specifies the name of a service + which will be connected to if the service actually requested cannot + be found. Note that the square brackets are <span class="emphasis"><em>NOT</em></span> + given in the parameter value (see example below).</p><p>There is no default value for this parameter. If this + parameter is not given, attempting to connect to a nonexistent + service results in an error.</p><p> + Typically the default service would be a <a class="indexterm" name="id305892"></a>guest ok, <a class="indexterm" name="id305899"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal + that of the requested service, this is very useful as it allows you to use macros like <em class="parameter"><code>%S</code></em> to make a wildcard service. + </p><p>Note also that any "_" characters in the name of the service + used in the default service will get mapped to a "/". This allows for + interesting things.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default service</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>default service</code></em> = <code class="literal">pub</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEFERSHARINGVIOLATIONS"></a>defer sharing violations (G)</span></dt><dd><p> + Windows allows specifying how a file will be shared with + other processes when it is opened. Sharing violations occur when + a file is opened by a different process using options that violate + the share settings specified by other processes. This parameter causes + smbd to act as a Windows server does, and defer returning a "sharing + violation" error message for up to one second, allowing the client + to close the file causing the violation in the meantime. + </p><p>UNIX by default does not have this behaviour.</p><p> + There should be no reason to turn off this parameter, as it is + designed to enable Samba to more correctly emulate Windows. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>defer sharing violations</code></em> = <code class="literal">True</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEGROUPSCRIPT"></a>delete group script (G)</span></dt><dd><p>This is the full pathname to a script that will + be run <span class="emphasis"><em>AS ROOT</em></span> <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a group is requested to be deleted. + It will expand any <em class="parameter"><code>%g</code></em> to the group name passed. + This script is only useful for installations using the Windows NT domain administration tools. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete group script</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEPRINTERCOMMAND"></a>deleteprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printer + support for Windows NT/2000 clients in Samba 2.2, it is now + possible to delete printer at run time by issuing the + DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be + physically deleted from underlying printing system. The + <a class="indexterm" name="id306089"></a>deleteprinter command defines a script to be run which + will perform the necessary operations for removing the printer + from the print system and from <code class="filename">smb.conf</code>. + </p><p>The <a class="indexterm" name="id306106"></a>deleteprinter command is + automatically called with only one parameter: <a class="indexterm" name="id306114"></a>printer name. + </p><p>Once the <a class="indexterm" name="id306124"></a>deleteprinter command has + been executed, <code class="literal">smbd</code> will reparse the <code class="filename"> + smb.conf</code> to associated printer no longer exists. + If the sharename is still valid, then <code class="literal">smbd + </code> will return an ACCESS_DENIED error to the client.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>deleteprinter command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>deleteprinter command</code></em> = <code class="literal">/usr/bin/removeprinter</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEREADONLY"></a>delete readonly (S)</span></dt><dd><p>This parameter allows readonly files to be deleted. + This is not normal DOS semantics, but is allowed by UNIX.</p><p>This option may be useful for running applications such + as rcs, where UNIX file ownership prevents changing file + permissions, and DOS semantics prevent deletion of a read only file.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete readonly</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETESHARECOMMAND"></a>delete share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically + add and delete shares via the Windows NT 4.0 Server Manager. The + <em class="parameter"><code>delete share command</code></em> is used to define an + external program or script which will remove an existing service + definition from <code class="filename">smb.conf</code>. In order to successfully + execute the <em class="parameter"><code>delete share command</code></em>, <code class="literal">smbd</code> + requires that the administrator be connected using a root account (i.e. + uid == 0). + </p><p> + When executed, <code class="literal">smbd</code> will automatically invoke the + <em class="parameter"><code>delete share command</code></em> with two parameters. + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>configFile</code></em> - the location + of the global <code class="filename">smb.conf</code> file. + </p></li><li><p><em class="parameter"><code>shareName</code></em> - the name of + the existing service. + </p></li></ul></div><p> + This parameter is only used to remove file shares. To delete printer shares, + see the <a class="indexterm" name="id306327"></a>deleteprinter command. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete share command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>delete share command</code></em> = <code class="literal">/usr/local/bin/delshare</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEUSERFROMGROUPSCRIPT"></a>delete user from group script (G)</span></dt><dd><p>Full path to the script that will be called when + a user is removed from a group using the Windows NT domain administration + tools. It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> <span class="emphasis"><em>AS ROOT</em></span>. + Any <em class="parameter"><code>%g</code></em> will be replaced with the group name and + any <em class="parameter"><code>%u</code></em> will be replaced with the user name. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete user from group script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>delete user from group script</code></em> = <code class="literal">/usr/sbin/deluser %u %g</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEUSERSCRIPT"></a>delete user script (G)</span></dt><dd><p>This is the full pathname to a script that will + be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when managing users + with remote RPC (NT) tools. + </p><p>This script is called when a remote client removes a user + from the server, normally using 'User Manager for Domains' or + <code class="literal">rpcclient</code>.</p><p>This script should delete the given UNIX username.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete user script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>delete user script</code></em> = <code class="literal">/usr/local/samba/bin/del_user %u</code> +</em></span> +</p></dd><dt><span class="term"><a name="DELETEVETOFILES"></a>delete veto files (S)</span></dt><dd><p>This option is used when Samba is attempting to + delete a directory that contains one or more vetoed directories + (see the <a class="indexterm" name="id306545"></a>veto files + option). If this option is set to <code class="constant">no</code> (the default) then if a vetoed + directory contains any non-vetoed files or directories then the + directory delete will fail. This is usually what you want.</p><p>If this option is set to <code class="constant">yes</code>, then Samba + will attempt to recursively delete any files and directories within + the vetoed directory. This can be useful for integration with file + serving systems such as NetAtalk which create meta-files within + directories you might normally veto DOS/Windows users from seeing + (e.g. <code class="filename">.AppleDouble</code>)</p><p>Setting <a class="indexterm" name="id306576"></a>delete veto files = yes allows these + directories to be transparently deleted when the parent directory + is deleted (so long as the user has permissions to do so).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete veto files</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DFREECACHETIME"></a>dfree cache time (S)</span></dt><dd><p> + The <em class="parameter"><code>dfree cache time</code></em> should only be used on systems where a problem + occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur + with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the + end of each directory listing. + </p><p> + This is a new parameter introduced in Samba version 3.0.21. It specifies in seconds the time that smbd will + cache the output of a disk free query. If set to zero (the default) no caching is done. This allows a heavily + loaded server to prevent rapid spawning of <a class="indexterm" name="id306636"></a>dfree command scripts increasing the load. + </p><p> + By default this parameter is zero, meaning no caching will be done. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>dfree cache time</code></em> = <code class="literal">dfree cache time = 60</code> +</em></span> +</p></dd><dt><span class="term"><a name="DFREECOMMAND"></a>dfree command (S)</span></dt><dd><p> + The <em class="parameter"><code>dfree command</code></em> setting should only be used on systems where a + problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may + occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" + at the end of each directory listing. + </p><p> + This setting allows the replacement of the internal routines to calculate the total disk space and amount + available with an external routine. The example below gives a possible script that might fulfill this + function. + </p><p> + In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the + parameter <a class="indexterm" name="id306708"></a>dfree cache time was added to allow the output of this script to be cached + for systems under heavy load. + </p><p> + The external program will be passed a single parameter indicating a directory in the filesystem being queried. + This will typically consist of the string <code class="filename">./</code>. The script should return + two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number + of available blocks. An optional third return value can give the block size in bytes. The default blocksize is + 1024 bytes. + </p><p> + Note: Your script should <span class="emphasis"><em>NOT</em></span> be setuid or setgid and should be owned by (and writeable + only by) root! + </p><p> + Where the script dfree (which must be made executable) could be: +</p><pre class="programlisting"> +#!/bin/sh +df $1 | tail -1 | awk '{print $2" "$4}' +</pre><p> + or perhaps (on Sys V based systems): +</p><pre class="programlisting"> +#!/bin/sh +/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' +</pre><p> + Note that you may have to replace the command names with full path names on some systems. + </p><p> + By default internal routines for determining the disk capacity and remaining space will be used. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>dfree command</code></em> = <code class="literal">/usr/local/samba/bin/dfree</code> +</em></span> +</p></dd><dt><span class="term"><a name="DIRECTORYMODE"></a>directory mode</span></dt><dd><p>This parameter is a synonym for directory mask.</p></dd><dt><span class="term"><a name="DIRECTORYMASK"></a>directory mask (S)</span></dt><dd><p>This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories.</p><p>When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit <span class="emphasis"><em>not</em></span> set + here will be removed from the modes set on a directory when it is + created.</p><p>The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the <a class="indexterm" name="id306842"></a>force directory mode parameter. + This parameter is set to 000 by default (i.e. no extra mode bits are added).</p><p>Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the <a class="indexterm" name="id306854"></a>directory security mask.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = <code class="literal">0755</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = <code class="literal">0775</code> +</em></span> +</p></dd><dt><span class="term"><a name="DIRECTORYSECURITYMASK"></a>directory security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box.</p><p> + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with <a class="indexterm" name="id306924"></a>force directory security mode, which works similar like this one but uses logical OR instead of AND. + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + </p><p>If not set explicitly this parameter is set to 0777 + meaning a user is allowed to modify all the user/group/world + permissions on a directory.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it as the default of <code class="constant">0777</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory security mask</code></em> = <code class="literal">0777</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>directory security mask</code></em> = <code class="literal">0700</code> +</em></span> +</p></dd><dt><span class="term"><a name="DISABLENETBIOS"></a>disable netbios (G)</span></dt><dd><p>Enabling this parameter will disable netbios support + in Samba. Netbios is the only available form of browsing in + all windows versions except for 2000 and XP. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Clients that only support netbios won't be able to + see your samba server when netbios support is disabled. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>disable netbios</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DISABLESPOOLSS"></a>disable spoolss (G)</span></dt><dd><p>Enabling this parameter will disable Samba's support + for the SPOOLSS set of MS-RPC's and will yield identical behavior + as Samba 2.0.x. Windows NT/2000 clients will downgrade to using + Lanman style printing commands. Windows 9x/ME will be unaffected by + the parameter. However, this will also disable the ability to upload + printer drivers to a Samba server via the Windows NT Add Printer + Wizard or by using the NT printer properties dialog window. It will + also disable the capability of Windows NT/2000 clients to download + print drivers from the Samba host upon demand. + <span class="emphasis"><em>Be very careful about enabling this parameter.</em></span> +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>disable spoolss</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DISPLAYCHARSET"></a>display charset (G)</span></dt><dd><p> + Specifies the charset that samba will use to print messages to stdout and stderr. + The default value is "LOCALE", which means automatically set, depending on the + current locale. The value should generally be the same as the value of the parameter + <a class="indexterm" name="id258203"></a>unix charset. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = <code class="literal">"LOCALE" or "ASCII" (depending on the system)</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = <code class="literal">UTF8</code> +</em></span> +</p></dd><dt><span class="term"><a name="DMAPISUPPORT"></a>dmapi support (S)</span></dt><dd><p>This parameter specifies whether Samba should use DMAPI to + determine whether a file is offline or not. This would typically + be used in conjunction with a hierarchical storage system that + automatically migrates files to tape. + </p><p>Note that Samba infers the status of a file by examining the + events that a DMAPI application has registered interest in. This + heuristic is satisfactory for a number of hierarchical storage + systems, but there may be system for which it will fail. In this + case, Samba may erroneously report files to be offline. + </p><p>This parameter is only available if a supported DMAPI + implementation was found at compilation time. It will only be used + if DMAPI is found to enabled on the system at run time. + </p><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dmapi support</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DNSPROXY"></a>dns proxy (G)</span></dt><dd><p>Specifies that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> when acting as a WINS server and + finding that a NetBIOS name has not been registered, should treat the + NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server + for that name on behalf of the name-querying client.</p><p>Note that the maximum length for a NetBIOS name is 15 + characters, so the DNS name (or DNS alias) can likewise only be + 15 characters, maximum.</p><p><code class="literal">nmbd</code> spawns a second copy of itself to do the + DNS name lookup requests, as doing a name lookup is a blocking + action.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dns proxy</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOMAINLOGONS"></a>domain logons (G)</span></dt><dd><p> + If set to <code class="constant">yes</code>, the Samba server will + provide the netlogon service for Windows 9X network logons for the + <a class="indexterm" name="id307348"></a>workgroup it is in. + This will also cause the Samba server to act as a domain + controller for NT4 style domain services. For more details on + setting up this feature see the Domain Control chapter of the + Samba HOWTO Collection. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain logons</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOMAINMASTER"></a>domain master (G)</span></dt><dd><p> + Tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to enable + WAN-wide browse list collation. Setting this option causes <code class="literal">nmbd</code> to claim a + special domain specific NetBIOS name that identifies it as a domain master browser for its given + <a class="indexterm" name="id307410"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id307417"></a>workgroup on + broadcast-isolated subnets will give this <code class="literal">nmbd</code> their local browse lists, + and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a + complete copy of the browse list for the whole wide area network. Browser clients will then contact their + local master browser, and will receive the domain-wide browse list, instead of just the list for their + broadcast-isolated subnet. + </p><p> + Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id307445"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that + <a class="indexterm" name="id307453"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting + to do this). This means that if this parameter is set and <code class="literal">nmbd</code> claims the + special name for a <a class="indexterm" name="id307467"></a>workgroup before a Windows NT PDC is able to do so then cross + subnet browsing will behave strangely and may fail. + </p><p> + If <a class="indexterm" name="id307478"></a>domain logons = yes, then the default behavior is to enable the + <a class="indexterm" name="id307486"></a>domain master parameter. If <a class="indexterm" name="id307493"></a>domain logons is not enabled (the + default setting), then neither will <a class="indexterm" name="id307501"></a>domain master be enabled by default. + </p><p> + When <a class="indexterm" name="id307511"></a>domain logons = Yes the default setting for this parameter is + Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id307519"></a>domain master = No, + Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain master</code></em> = <code class="literal">auto</code> +</em></span> +</p></dd><dt><span class="term"><a name="DONTDESCEND"></a>dont descend (S)</span></dt><dd><p>There are certain directories on some systems + (e.g., the <code class="filename">/proc</code> tree under Linux) that are either not + of interest to clients or are infinitely deep (recursive). This + parameter allows you to specify a comma-delimited list of directories + that the server should always show as empty.</p><p>Note that Samba can be very fussy about the exact format + of the "dont descend" entries. For example you may need <code class="filename"> + ./proc</code> instead of just <code class="filename">/proc</code>. + Experimentation is the best policy :-) </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dont descend</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>dont descend</code></em> = <code class="literal">/proc,/dev</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOSCHARSET"></a>dos charset (G)</span></dt><dd><p>DOS SMB clients assume the server has + the same charset as they do. This option specifies which + charset Samba should talk to DOS clients. + </p><p>The default depends on which charsets you have installed. + Samba tries to use charset 850 but falls back to ASCII in + case it is not available. Run <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> to check the default on your system.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="DOSFILEMODE"></a>dos filemode (S)</span></dt><dd><p> The default behavior in Samba is to provide + UNIX-like behavior where only the owner of a file/directory is + able to change the permissions on it. However, this behavior + is often confusing to DOS/Windows users. Enabling this parameter + allows a user who has write access to the file (by whatever + means) to modify the permissions (including ACL) on it. Note that a user + belonging to the group owning the file will not be allowed to + change permissions if the group is only granted read access. + Ownership of the file/directory may also be changed.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filemode</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOSFILETIMERESOLUTION"></a>dos filetime resolution (S)</span></dt><dd><p>Under the DOS and Windows FAT filesystem, the finest + granularity on time resolution is two seconds. Setting this parameter + for a share causes Samba to round the reported time down to the + nearest two second boundary when a query call that requires one second + resolution is made to <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>This option is mainly used as a compatibility option for Visual + C++ when used against Samba shares. If oplocks are enabled on a + share, Visual C++ uses two different time reading calls to check if a + file has changed since it was last read. One of these calls uses a + one-second granularity, the other uses a two second granularity. As + the two second call rounds any odd second down, then if the file has a + timestamp of an odd number of seconds then the two timestamps will not + match and Visual C++ will keep reporting the file has changed. Setting + this option causes the two timestamps to match, and Visual C++ is + happy.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filetime resolution</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="DOSFILETIMES"></a>dos filetimes (S)</span></dt><dd><p>Under DOS and Windows, if a user can write to a + file they can change the timestamp on it. Under POSIX semantics, + only the owner of the file or root may change the timestamp. By + default, Samba runs with POSIX semantics and refuses to change the + timestamp on a file if the user <code class="literal">smbd</code> is acting + on behalf of is not the file owner. Setting this option to <code class="constant"> + yes</code> allows DOS semantics and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will change the file + timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond, + the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14 + and above. Microsoft Excel will display dialog box warnings about the file being + changed by another user if this parameter is not set to "yes" and files are being + shared between users. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filetimes</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="EASUPPORT"></a>ea support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will allow clients to attempt to store OS/2 style Extended + attributes on a share. In order to enable this parameter the underlying filesystem exported by + the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the + correct kernel patches). On Linux the filesystem must have been mounted with the mount + option user_xattr in order for extended attributes to work, also + extended attributes must be compiled into the Linux kernel.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ea support</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENABLEASUSUPPORT"></a>enable asu support (G)</span></dt><dd><p>Hosts running the "Advanced Server for Unix (ASU)" product + require some special accomodations such as creating a builting [ADMIN$] + share that only supports IPC connections. The has been the default + behavior in smbd for many years. However, certain Microsoft applications + such as the Print Migrator tool require that the remote server support + an [ADMIN$} file share. Disabling this parameter allows for creating + an [ADMIN$] file share in smb.conf.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enable asu support</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENABLEPRIVILEGES"></a>enable privileges (G)</span></dt><dd><p> + This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either + <code class="literal">net rpc rights</code> or one of the Windows user and group manager tools. This parameter is + enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to + assign privileges to users or groups which can then result in certain smbd operations running as root that + would normally run under the context of the connected user. + </p><p> + An example of how privileges can be used is to assign the right to join clients to a Samba controlled + domain without providing root access to the server via smbd. + </p><p> + Please read the extended description provided in the Samba HOWTO documentation. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enable privileges</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENCRYPTPASSWORDS"></a>encrypt passwords (G)</span></dt><dd><p>This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the chapter "User Database" in the Samba HOWTO Collection. + </p><p> + MS Windows clients that expect Microsoft encrypted passwords and that + do not have plain text password support enabled will be able to + connect only to a Samba server that has encrypted password support + enabled and for which the user accounts have a valid encrypted password. + Refer to the smbpasswd command man page for information regarding the + creation of encrypted passwords for user accounts. + </p><p> + The use of plain text passwords is NOT advised as support for this feature + is no longer maintained in Microsoft Windows products. If you want to use + plain text passwords you must set this parameter to no. + </p><p>In order for encrypted passwords to work correctly + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must either + have access to a local <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file (see the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> program for information on how to set up + and maintain this file), or set the <a class="indexterm" name="id308038"></a>security = [server|domain|ads] parameter which + causes <code class="literal">smbd</code> to authenticate against another + server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>encrypt passwords</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENHANCEDBROWSING"></a>enhanced browsing (G)</span></dt><dd><p>This option enables a couple of enhancements to + cross-subnet browse propagation that have been added in Samba + but which are not standard in Microsoft implementations. + </p><p>The first enhancement to browse propagation consists of a regular + wildcard query to a Samba WINS server for all Domain Master Browsers, + followed by a browse synchronization with each of the returned + DMBs. The second enhancement consists of a regular randomised browse + synchronization with all currently known DMBs.</p><p>You may wish to disable this option if you have a problem with empty + workgroups not disappearing from browse lists. Due to the restrictions + of the browse protocols these enhancements can cause a empty workgroup + to stay around forever which can be annoying.</p><p>In general you should leave this option enabled as it makes + cross-subnet browse propagation much more reliable.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enhanced browsing</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ENUMPORTSCOMMAND"></a>enumports command (G)</span></dt><dd><p>The concept of a "port" is fairly foreign + to UNIX hosts. Under Windows NT/2000 print servers, a port + is associated with a port monitor and generally takes the form of + a local port (i.e. LPT1:, COM1:, FILE:) or a remote port + (i.e. LPD Port Monitor, etc...). By default, Samba has only one + port defined--<code class="constant">"Samba Printer Port"</code>. Under + Windows NT/2000, all printers must have a valid port name. + If you wish to have a list of ports displayed (<code class="literal">smbd + </code> does not use a port name for anything) other than + the default <code class="constant">"Samba Printer Port"</code>, you + can define <em class="parameter"><code>enumports command</code></em> to point to + a program which should generate a list of ports, one per line, + to standard output. This listing will then be used in response + to the level 1 and 2 EnumPorts() RPC.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enumports command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>enumports command</code></em> = <code class="literal">/usr/bin/listports</code> +</em></span> +</p></dd><dt><span class="term"><a name="EVENTLOGLIST"></a>eventlog list (G)</span></dt><dd><p>This option defines a list of log names that Samba will + report to the Microsoft EventViewer utility. The listed + eventlogs will be associated with tdb file on disk in the + <code class="filename">$(lockdir)/eventlog</code>. + </p><p> + The administrator must use an external process to parse the normal + Unix logs such as <code class="filename">/var/log/messages</code> + and write then entries to the eventlog tdb files. Refer to the + eventlogadm(8) utility for how to write eventlog entries. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>eventlog list</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>eventlog list</code></em> = <code class="literal">Security Application Syslog Apache</code> +</em></span> +</p></dd><dt><span class="term"><a name="FAKEDIRECTORYCREATETIMES"></a>fake directory create times (S)</span></dt><dd><p>NTFS and Windows VFAT file systems keep a create + time for all files and directories. This is not the same as the + ctime - status change time - that Unix keeps, so Samba by default + reports the earliest of the various times Unix does keep. Setting + this parameter for a share causes Samba to always report midnight + 1-1-1980 as the create time for directories.</p><p>This option is mainly used as a compatibility option for + Visual C++ when used against Samba shares. Visual C++ generated + makefiles have the object directory as a dependency for each object + file, and a make rule to create the directory. Also, when NMAKE + compares timestamps it uses the creation time when examining a + directory. Thus the object directory will be created if it does not + exist, but once it does exist it will always have an earlier + timestamp than the object files it contains.</p><p>However, Unix time semantics mean that the create time + reported by Samba will be updated whenever a file is created or + or deleted in the directory. NMAKE finds all object files in + the object directory. The timestamp of the last one built is then + compared to the timestamp of the object directory. If the + directory's timestamp if newer, then all object files + will be rebuilt. Enabling this option + ensures directories always predate their contents and an NMAKE build + will proceed as expected.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fake directory create times</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="FAKEOPLOCKS"></a>fake oplocks (S)</span></dt><dd><p>Oplocks are the way that SMB clients get permission + from a server to locally cache file operations. If a server grants + an oplock (opportunistic lock) then the client is free to assume + that it is the only one accessing the file and it will aggressively + cache file data. With some oplock types the client may even cache + file open/close operations. This can give enormous performance benefits. + </p><p>When you set <code class="literal">fake oplocks = yes</code>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will + always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a class="indexterm" name="id308378"></a>oplocks support rather + than this parameter.</p><p>If you enable this option on all read-only shares or + shares that you know will only be accessed from one client at a + time such as physically read-only media like CDROMs, you will see + a big performance improvement on many operations. If you enable + this option on shares where multiple clients may be accessing the + files read-write at the same time you can get data corruption. Use + this option carefully!</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fake oplocks</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="FOLLOWSYMLINKS"></a>follow symlinks (S)</span></dt><dd><p> + This parameter allows the Samba administrator to stop <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> from following symbolic links in a particular share. Setting this + parameter to <code class="constant">no</code> prevents any file or directory that is a symbolic link from being + followed (the user will get an error). This option is very useful to stop users from adding a symbolic + link to <code class="filename">/etc/passwd</code> in their home directory for instance. However + it will slow filename lookups down slightly. + </p><p> + This option is enabled (i.e. <code class="literal">smbd</code> will follow symbolic links) by default. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>follow symlinks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCECREATEMODE"></a>force create mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit + permissions that will <span class="emphasis"><em>always</em></span> be set on a + file created by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the <em class="parameter"><code>create mask</code></em> + parameter is applied.</p><p>The example below would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force create mode</code></em> = <code class="literal">000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force create mode</code></em> = <code class="literal">0755</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEDIRECTORYMODE"></a>force directory mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit + permissions that will <span class="emphasis"><em>always</em></span> be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter <em class="parameter"><code>directory mask</code></em> is + applied.</p><p>The example below would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force directory mode</code></em> = <code class="literal">000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force directory mode</code></em> = <code class="literal">0755</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEDIRECTORYSECURITYMODE"></a>force directory security mode (S)</span></dt><dd><p> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a directory using the native NT security dialog box. + </p><p> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <a class="indexterm" name="id308652"></a>directory security mask, which works in a similar manner to this one, but uses a logical AND instead + of an OR. + </p><p> + Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, + to will enable (1) any flags that are off (0) but which the mask has set to on (1). + </p><p> + If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world + permissions on a directory without restrictions. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Users who can access the Samba server through other means can easily bypass this restriction, so it is + primarily useful for standalone "appliance" systems. Administrators of most normal systems will + probably want to leave it set as 0000. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>force directory security mode</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force directory security mode</code></em> = <code class="literal">700</code> +</em></span> +</p></dd><dt><span class="term"><a name="GROUP"></a>group</span></dt><dd><p>This parameter is a synonym for force group.</p></dd><dt><span class="term"><a name="FORCEGROUP"></a>force group (S)</span></dt><dd><p>This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files.</p><p>In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting <code class="filename">force group = +sys</code> means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group.</p><p> + If the <a class="indexterm" name="id308775"></a>force user parameter is also set the group specified in + <em class="parameter"><code>force group</code></em> will override the primary group + set in <em class="parameter"><code>force user</code></em>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force group</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force group</code></em> = <code class="literal">agroup</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEPRINTERNAME"></a>force printername (S)</span></dt><dd><p>When printing from Windows NT (or later), + each printer in <code class="filename">smb.conf</code> has two + associated names which can be used by the client. The first + is the sharename (or shortname) defined in smb.conf. This + is the only printername available for use by Windows 9x clients. + The second name associated with a printer can be seen when + browsing to the "Printers" (or "Printers and Faxes") folder + on the Samba server. This is referred to simply as the printername + (not to be confused with the <em class="parameter"><code>printer name</code></em> option). + </p><p>When assigning a new driver to a printer on a remote + Windows compatible print server such as Samba, the Windows client + will rename the printer to match the driver name just uploaded. + This can result in confusion for users when multiple + printers are bound to the same driver. To prevent Samba from + allowing the printer's printername to differ from the sharename + defined in smb.conf, set <em class="parameter"><code>force printername = yes</code></em>. + </p><p>Be aware that enabling this parameter may affect migrating + printers from a Windows server to Samba since Windows has no way to + force the sharename and printername to match.</p><p>It is recommended that this parameter's value not be changed + once the printer is in use by clients as this could cause a user + not be able to delete printer connections from their local Printers + folder.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force printername</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCESECURITYMODE"></a>force security mode (S)</span></dt><dd><p> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog box. + </p><p> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <a class="indexterm" name="id308932"></a>security mask, which works similar like this one but uses logical AND instead of OR. + </p><p> + Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, + the user has always set to be on. + </p><p> + If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world + permissions on a file, with no restrictions. + </p><p><span class="emphasis"><em> + Note</em></span> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most + normal systems will probably want to leave this set to 0000. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force security mode</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force security mode</code></em> = <code class="literal">700</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEUNKNOWNACLUSER"></a>force unknown acl user (S)</span></dt><dd><p> + If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or + representation of a user or group id) as the owner or group owner of the file will be silently + mapped into the current UNIX uid or gid of the currently connected user. + </p><p> + This is designed to allow Windows NT clients to copy files and folders containing ACLs that were + created locally on the client machine and contain users local to that machine only (no domain + users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and + groupid of the file owner map to the current connected user. This can only be fixed correctly + when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid. + </p><p> + Try using this parameter when XCOPY /O gives an ACCESS_DENIED error. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force unknown acl user</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="FORCEUSER"></a>force user (S)</span></dt><dd><p>This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems.</p><p>This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. This can be very useful.</p><p>In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force user</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force user</code></em> = <code class="literal">auser</code> +</em></span> +</p></dd><dt><span class="term"><a name="FSTYPE"></a>fstype (S)</span></dt><dd><p> + This parameter allows the administrator to configure the string that specifies the type of filesystem a share + is using that is reported by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> + when a client queries the filesystem type for a share. The default type is <code class="constant">NTFS</code> for compatibility + with Windows NT but this can be changed to other strings such as <code class="constant">Samba</code> or <code class="constant">FAT</code> + if required. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fstype</code></em> = <code class="literal">NTFS</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>fstype</code></em> = <code class="literal">Samba</code> +</em></span> +</p></dd><dt><span class="term"><a name="GETQUOTACOMMAND"></a>get quota command (G)</span></dt><dd><p>The <code class="literal">get quota command</code> should only be used + whenever there is no operating system API available from the OS that + samba can use.</p><p>This option is only available with <code class="literal">./configure --with-sys-quotas</code>. + Or on linux when <code class="literal">./configure --with-quotas</code> was used and a working quota api + was found in the system.</p><p>This parameter should specify the path to a script that + queries the quota information for the specified + user/group for the partition that + the specified directory is on.</p><p>Such a script should take 3 arguments:</p><div class="itemizedlist"><ul type="disc"><li><p>directory</p></li><li><p>type of query</p></li><li><p>uid of user or gid of group</p></li></ul></div><p>The type of query can be one of :</p><div class="itemizedlist"><ul type="disc"><li><p>1 - user quotas</p></li><li><p>2 - user default quotas (uid = -1)</p></li><li><p>3 - group quotas</p></li><li><p>4 - group default quotas (gid = -1)</p></li></ul></div><p>This script should print one line as output with spaces between the arguments. The arguments are: + </p><div class="itemizedlist"><ul type="disc"><li><p>Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)</p></li><li><p>Arg 2 - number of currently used blocks</p></li><li><p>Arg 3 - the softlimit number of blocks</p></li><li><p>Arg 4 - the hardlimit number of blocks</p></li><li><p>Arg 5 - currently used number of inodes</p></li><li><p>Arg 6 - the softlimit number of inodes</p></li><li><p>Arg 7 - the hardlimit number of inodes</p></li><li><p>Arg 8(optional) - the number of bytes in a block(default is 1024)</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>get quota command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>get quota command</code></em> = <code class="literal">/usr/local/sbin/query_quota</code> +</em></span> +</p></dd><dt><span class="term"><a name="GETWDCACHE"></a>getwd cache (G)</span></dt><dd><p>This is a tuning option. When this is enabled a + caching algorithm will be used to reduce the time taken for getwd() + calls. This can have a significant impact on performance, especially + when the <a class="indexterm" name="id309382"></a>wide smbconfoptions parameter is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>getwd cache</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="GUESTACCOUNT"></a>guest account (G)</span></dt><dd><p>This is a username which will be used for access + to services which are specified as <a class="indexterm" name="id309432"></a>guest ok (see below). Whatever privileges this + user has will be available to any client connecting to the guest service. + This user must exist in the password file, but does not require + a valid login. The user account "ftp" is often a good choice + for this parameter. + </p><p>On some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + <code class="literal">su -</code> command) and trying to print using the + system print command such as <code class="literal">lpr(1)</code> or <code class="literal"> + lp(1)</code>.</p><p>This parameter does not accept % macros, because + many parts of the system require this value to be + constant for correct operation.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest account</code></em> = <code class="literal">nobody +# default can be changed at compile-time</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>guest account</code></em> = <code class="literal">ftp</code> +</em></span> +</p></dd><dt><span class="term"><a name="PUBLIC"></a>public</span></dt><dd><p>This parameter is a synonym for guest ok.</p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for + a service, then no password is required to connect to the service. + Privileges will be those of the <a class="indexterm" name="id309550"></a>guest account.</p><p>This paramater nullifies the benifits of setting + <a class="indexterm" name="id309561"></a>restrict anonymous = 2 + </p><p>See the section below on <a class="indexterm" name="id309572"></a>security for more information about this option. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest ok</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ONLYGUEST"></a>only guest</span></dt><dd><p>This parameter is a synonym for guest only.</p></dd><dt><span class="term"><a name="GUESTONLY"></a>guest only (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for + a service, then only guest connections to the service are permitted. + This parameter will have no effect if <a class="indexterm" name="id309642"></a>guest ok is not set for the service.</p><p>See the section below on <a class="indexterm" name="id309653"></a>security for more information about this option. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDEDOTFILES"></a>hide dot files (S)</span></dt><dd><p>This is a boolean parameter that controls whether + files starting with a dot appear as hidden files.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide dot files</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDEFILES"></a>hide files (S)</span></dt><dd><p>This is a list of files or directories that are not + visible but are accessible. The DOS 'hidden' attribute is applied + to any files or directories that match.</p><p>Each entry in the list must be separated by a '/', + which allows spaces to be included in the entry. '*' + and '?' can be used to specify multiple files or directories + as in DOS wildcards.</p><p>Each entry must be a Unix path, not a DOS path and must + not include the Unix directory separator '/'.</p><p>Note that the case sensitivity option is applicable + in hiding files.</p><p>Setting this parameter will affect the performance of Samba, + as it will be forced to check all files and directories for a match + as they are scanned.</p><p> + The example shown above is based on files that the Macintosh + SMB client (DAVE) available from <a href="http://www.thursby.com" target="_top"> + Thursby</a> creates for internal use, and also still hides + all files beginning with a dot. + </p><p> + An example of us of this parameter is: +</p><pre class="programlisting"> +hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide files</code></em> = <code class="literal"> +# no file are hidden</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDESPECIALFILES"></a>hide special files (S)</span></dt><dd><p> + This parameter prevents clients from seeing special files such as sockets, devices and + fifo's in directory listings. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide special files</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDEUNREADABLE"></a>hide unreadable (S)</span></dt><dd><p>This parameter prevents clients from seeing the + existance of files that cannot be read. Defaults to off.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide unreadable</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="HIDEUNWRITEABLEFILES"></a>hide unwriteable files (S)</span></dt><dd><p> + This parameter prevents clients from seeing the existance of files that cannot be written to. + Defaults to off. Note that unwriteable directories are shown as usual. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide unwriteable files</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="HOMEDIRMAP"></a>homedir map (G)</span></dt><dd><p> + If <a class="indexterm" name="id309932"></a>nis homedir is <code class="constant">yes</code>, and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> is also acting as a Win95/98 <em class="parameter"><code>logon server</code></em> + then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. + At present, only the Sun auto.home map format is understood. The form of the map is: +</p><pre class="programlisting"> +<code class="literal">username server:/some/file/system</code> +</pre><p> + and the program will extract the servername from before the first ':'. There should probably be a better parsing system + that copes with different map formats and also Amd (another automounter) maps. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + A working NIS client is required on the system for this option to work. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>homedir map</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>homedir map</code></em> = <code class="literal">amd.homedir</code> +</em></span> +</p></dd><dt><span class="term"><a name="HOSTMSDFS"></a>host msdfs (G)</span></dt><dd><p> + If set to <code class="constant">yes</code>, Samba will act as a Dfs server, and allow Dfs-aware clients to browse + Dfs trees hosted on the server. + </p><p> + See also the <a class="indexterm" name="id310039"></a>msdfs root share level parameter. For more information on + setting up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3-HOWTO. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>host msdfs</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="HOSTNAMELOOKUPS"></a>hostname lookups (G)</span></dt><dd><p>Specifies whether samba should use (expensive) + hostname lookups or use the ip addresses instead. An example place + where hostname lookups are currently used is when checking + the <code class="literal">hosts deny</code> and <code class="literal">hosts allow</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = <code class="literal">no</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id310176"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting.</p><p>You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like <code class="literal">allow hosts = 150.203.5.</code>. + The full syntax of the list is described in the man + page <code class="filename">hosts_access(5)</code>. Note that this man + page may not be present on your system, so a brief description will + be given here also.</p><p>Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a <a class="indexterm" name="id310214"></a>hosts deny option.</p><p>You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + <span class="emphasis"><em>EXCEPT</em></span> keyword can also be used to limit a + wildcard list. The following examples may provide some help:</p><p>Example 1: allow all IPs in 150.203.*.*; except one</p><p><code class="literal">hosts allow = 150.203. EXCEPT 150.203.6.66</code></p><p>Example 2: allow hosts that match the given network/netmask</p><p><code class="literal">hosts allow = 150.203.15.0/255.255.255.0</code></p><p>Example 3: allow a couple of hosts</p><p><code class="literal">hosts allow = lapland, arvidsjaur</code></p><p>Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host</p><p><code class="literal">hosts allow = @foonet</code></p><p><code class="literal">hosts deny = pirate</code></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that access still requires suitable user-level passwords.</p></div><p>See <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> for a way of testing your host access + to see if it does what you expect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts allow</code></em> = <code class="literal"> +# none (i.e., all hosts permitted access)</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hosts allow</code></em> = <code class="literal">150.203.5. myhost.mynet.edu.au</code> +</em></span> +</p></dd><dt><span class="term"><a name="DENYHOSTS"></a>deny hosts</span></dt><dd><p>This parameter is a synonym for hosts deny.</p></dd><dt><span class="term"><a name="HOSTSDENY"></a>hosts deny (S)</span></dt><dd><p>The opposite of <em class="parameter"><code>hosts allow</code></em> + - hosts listed here are <span class="emphasis"><em>NOT</em></span> permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the <em class="parameter"><code>allow</code></em> + list takes precedence.</p><p> + In the event that it is necessary to deny all by default, use the keyword + ALL (or the netmask <code class="literal">0.0.0.0/0</code>) and then explicitly specify + to the <a class="indexterm" name="id310401"></a>hosts allow = hosts allow parameter those hosts + that should be permitted access. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> = <code class="literal"> +# none (i.e., no hosts specifically excluded)</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> = <code class="literal">150.203.4. badhost.mynet.edu.au</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPALLOCBACKEND"></a>idmap alloc backend (G)</span></dt><dd><p> + The idmap alloc backend provides a plugin interface for Winbind to use + when allocating Unix uids/gids for Windows SIDs. This option is + to be used in conjunction with the <a class="indexterm" name="id310466"></a>idmap domains + parameter and refers to the name of the idmap module which will provide + the id allocation functionality. Please refer to the man page + for each idmap plugin to determine whether or not the module implements + the allocation feature. The most common plugins are the tdb (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>) + and ldap (<a href="idmap_ldap.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ldap</span>(8)</span></a>) libraries. + </p><p>Also refer to the <a class="indexterm" name="id310495"></a>idmap alloc config option. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap alloc backend</code></em> = <code class="literal">tdb</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPALLOCCONFIG"></a>idmap alloc config (G)</span></dt><dd><p> + The idmap alloc config prefix provides a means of managing settings + for the backend defined by the <a class="indexterm" name="id310546"></a>idmap alloc backend + parameter. Refer to the man page for each idmap plugin regarding + specific configuration details. + </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="IDMAPBACKEND"></a>idmap backend (G)</span></dt><dd><p> + The idmap backend provides a plugin interface for Winbind to use + varying backends to store SID/uid/gid mapping tables. This + option is mutually exclusive with the newer and more flexible + <a class="indexterm" name="id310581"></a>idmap domains parameter. The main difference + between the "idmap backend" and the "idmap domains" + is that the former only allows on backend for all domains while the + latter supports configuring backends on a per domain basis. + </p><p>Examples of SID/uid/gid backends include tdb (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>), + ldap (<a href="idmap_ldap.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ldap</span>(8)</span></a>), rid (<a href="idmap_rid.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_rid</span>(8)</span></a>), + and ad (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap backend</code></em> = <code class="literal">tdb</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPCACHETIME"></a>idmap cache time (G)</span></dt><dd><p>This parameter specifies the number of seconds that Winbind's + idmap interface will cache positive SID/uid/gid query results. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap cache time</code></em> = <code class="literal">900</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPCONFIG"></a>idmap config (G)</span></dt><dd><p> + The idmap config prefix provides a means of managing each domain + defined by the <a class="indexterm" name="id310703"></a>idmap domains option using Samba's + parameteric option support. The idmap config prefix should be + followed by the name of the domain, a colon, and a setting specific to + the chosen backend. There are three options available for all domains: + </p><div class="variablelist"><dl><dt><span class="term">backend = backend_name</span></dt><dd><p> + Specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. + </p></dd><dt><span class="term">default = [yes|no]</span></dt><dd><p> + The default domain/backend will be used for searching for + users and groups not belonging to one of the explicitly + listed domains (matched by comparing the account SID and the + domain SID). + </p></dd><dt><span class="term">readonly = [yes|no]</span></dt><dd><p> + Mark the domain as readonly which means that no attempts to + allocate a uid or gid (by the <a class="indexterm" name="id310750"></a>idmap alloc backend) for any user or group in that domain + will be attempted. + </p></dd></dl></div><p> + The following example illustrates how to configure the <a href="idmap_ad.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ad</span>(8)</span></a> + for the CORP domain and the <a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a> backend for all other domains. The + TRUSTEDDOMAINS string is simply a key used to reference the "idmap + config" settings and does not represent the actual name of a domain. + </p><pre class="programlisting"> + idmap domains = CORP TRUSTEDDOMAINS + + idmap config CORP:backend = ad + idmap config CORP:readonly = yes + + idmap config TRUSTEDDOMAINS:backend = tdb + idmap config TRUSTEDDOMAINS:default = yes + idmap config TRUSTEDDOMAINS:range = 1000 - 9999 + </pre><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="IDMAPDOMAINS"></a>idmap domains (G)</span></dt><dd><p> + The idmap domains option defines a list of Windows domains which will each + have a separately configured backend for managing Winbind's SID/uid/gid + tables. This parameter is mutually exclusive with the older <a class="indexterm" name="id310818"></a>idmap backend option. + </p><p> + Values consist of the short domain name for Winbind's primary or collection + of trusted domains. You may also use an arbitrary string to represent a catchall + domain backend for any domain not explicitly listed. + </p><p> + Refer to the <a class="indexterm" name="id310834"></a>idmap config for details about + managing the SID/uid/gid backend for each domain. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap domains</code></em> = <code class="literal">default AD CORP</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDGID"></a>winbind gid</span></dt><dd><p>This parameter is a synonym for idmap gid.</p></dd><dt><span class="term"><a name="IDMAPGID"></a>idmap gid (G)</span></dt><dd><p>The idmap gid parameter specifies the range of group ids + that are allocated for the purpose of mapping UNX groups to NT group + SIDs. This range of group ids should have no + existing local or NIS groups within it as strange conflicts can + occur otherwise.</p><p>See also the <a class="indexterm" name="id310911"></a>idmap backend, <a class="indexterm" name="id310918"></a>idmap domains, and <a class="indexterm" name="id310925"></a>idmap config options. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap gid</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap gid</code></em> = <code class="literal">10000-20000</code> +</em></span> +</p></dd><dt><span class="term"><a name="IDMAPNEGATIVECACHETIME"></a>idmap negative cache time (G)</span></dt><dd><p>This parameter specifies the number of seconds that Winbind's + idmap interface will cache negative SID/uid/gid query results. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap negative cache time</code></em> = <code class="literal">120</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDUID"></a>winbind uid</span></dt><dd><p>This parameter is a synonym for idmap uid.</p></dd><dt><span class="term"><a name="IDMAPUID"></a>idmap uid (G)</span></dt><dd><p> + The idmap uid parameter specifies the range of user ids that are + allocated for use in mapping UNIX users to NT user SIDs. This + range of ids should have no existing local + or NIS users within it as strange conflicts can occur otherwise.</p><p>See also the <a class="indexterm" name="id311053"></a>idmap backend, <a class="indexterm" name="id311060"></a>idmap domains, and <a class="indexterm" name="id311067"></a>idmap config options. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap uid</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap uid</code></em> = <code class="literal">10000-20000</code> +</em></span> +</p></dd><dt><span class="term"><a name="INCLUDE"></a>include (G)</span></dt><dd><p> + This allows you to include one config file inside another. The file is included literally, as though typed + in place. + </p><p> + It takes the standard substitutions, except <em class="parameter"><code>%u</code></em>, + <em class="parameter"><code>%P</code></em> and <em class="parameter"><code>%S</code></em>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>include</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>include</code></em> = <code class="literal">/usr/local/samba/lib/admin_smb.conf</code> +</em></span> +</p></dd><dt><span class="term"><a name="INHERITACLS"></a>inherit acls (S)</span></dt><dd><p>This parameter can be used to ensure that if default acls + exist on parent directories, they are always honored when creating a + new file or subdirectory in these parent directories. The default + behavior is to use the unix mode specified when creating the directory. + Enabling this option sets the unix mode to 0777, thus guaranteeing that + default directory acls are propagated. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit acls</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="INHERITOWNER"></a>inherit owner (S)</span></dt><dd><p>The ownership of new files and directories + is normally governed by effective uid of the connected user. + This option allows the Samba administrator to specify that + the ownership for new files and directories should be controlled + by the ownership of the parent directory.</p><p>Common scenarios where this behavior is useful is in + implementing drop-boxes where users can create and edit files but not + delete them and to ensure that newly create files in a user's + roaming profile directory are actually owner by the user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit owner</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="INHERITPERMISSIONS"></a>inherit permissions (S)</span></dt><dd><p> + The permissions on new files and directories are normally governed by <a class="indexterm" name="id311291"></a>create mask, + <a class="indexterm" name="id311298"></a>directory mask, <a class="indexterm" name="id311305"></a>force create mode and <a class="indexterm" name="id311312"></a>force directory mode but the boolean inherit permissions parameter overrides this. + </p><p>New directories inherit the mode of the parent directory, + including bits such as setgid.</p><p> + New files inherit their read/write bits from the parent directory. Their execute bits continue to be + determined by <a class="indexterm" name="id311328"></a>map archive, <a class="indexterm" name="id311335"></a>map hidden and <a class="indexterm" name="id311342"></a>map system as usual. + </p><p>Note that the setuid bit is <span class="emphasis"><em>never</em></span> set via + inheritance (the code explicitly prohibits this).</p><p>This can be particularly useful on large systems with + many users, perhaps several thousand, to allow a single [homes] + share to be used flexibly by each user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit permissions</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="INTERFACES"></a>interfaces (G)</span></dt><dd><p>This option allows you to override the default + network interfaces list that Samba will use for browsing, name + registration and other NBT traffic. By default Samba will query + the kernel for the list of all active interfaces and use any + interfaces except 127.0.0.1 that are broadcast capable.</p><p>The option takes a list of interface strings. Each string + can be in any of the following forms:</p><div class="itemizedlist"><ul type="disc"><li><p>a network interface name (such as eth0). + This may include shell-like wildcards so eth* will match + any interface starting with the substring "eth"</p></li><li><p>an IP address. In this case the netmask is + determined from the list of interfaces obtained from the + kernel</p></li><li><p>an IP/mask pair. </p></li><li><p>a broadcast/mask pair.</p></li></ul></div><p>The "mask" parameters can either be a bit length (such + as 24 for a C class network) or a full netmask in dotted + decimal form.</p><p>The "IP" parameters above can either be a full dotted + decimal IP address or a hostname which will be looked up via + the OS's normal hostname resolution mechanisms.</p><p> + By default Samba enables all active interfaces that are broadcast capable + except the loopback adaptor (IP address 127.0.0.1). + </p><p> + The example below configures three network interfaces corresponding + to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. + The netmasks of the latter two interfaces would be set to 255.255.255.0. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>interfaces</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>interfaces</code></em> = <code class="literal">eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</code> +</em></span> +</p></dd><dt><span class="term"><a name="INVALIDUSERS"></a>invalid users (S)</span></dt><dd><p>This is a list of users that should not be allowed + to login to this service. This is really a <span class="emphasis"><em>paranoid</em></span> + check to absolutely ensure an improper setting does not breach + your security.</p><p>A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database.</p><p>A name starting with '+' is interpreted only + by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value <em class="parameter"><code>+&group</code></em> means check the + UNIX group database, followed by the NIS netgroup database, and + the value <em class="parameter"><code>&+group</code></em> means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix).</p><p>The current servicename is substituted for <em class="parameter"><code>%S</code></em>. + This is useful in the [homes] section.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>invalid users</code></em> = <code class="literal"> +# no invalid users</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>invalid users</code></em> = <code class="literal">root fred admin @wheel</code> +</em></span> +</p></dd><dt><span class="term"><a name="IPRINTSERVER"></a>iprint server (G)</span></dt><dd><p> + This parameter is only applicable if <a class="indexterm" name="id311602"></a>printing is set to <code class="constant">iprint</code>. + </p><p> + If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is + necessary if you have virtual samba servers that connect to different CUPS daemons. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>iprint server</code></em> = <code class="literal">""</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>iprint server</code></em> = <code class="literal">MYCUPSSERVER</code> +</em></span> +</p></dd><dt><span class="term"><a name="KEEPALIVE"></a>keepalive (G)</span></dt><dd><p>The value of the parameter (an integer) represents + the number of seconds between <em class="parameter"><code>keepalive</code></em> + packets. If this parameter is zero, no keepalive packets will be + sent. Keepalive packets, if sent, allow the server to tell whether + a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket + has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id311691"></a>socket options). +Basically you should only use this option if you strike difficulties.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = <code class="literal">300</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = <code class="literal">600</code> +</em></span> +</p></dd><dt><span class="term"><a name="KERNELCHANGENOTIFY"></a>kernel change notify (S)</span></dt><dd><p>This parameter specifies whether Samba should ask the + kernel for change notifications in directories so that + SMB clients can refresh whenever the data on the server changes. + </p><p>This parameter is only used when your kernel supports + change notification to user programs using the inotify interface. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>kernel change notify</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a class="indexterm" name="id311797"></a>oplocks + (currently only IRIX and the Linux 2.4 kernel), this parameter + allows the use of them to be turned on or off.</p><p>Kernel oplocks support allows Samba <em class="parameter"><code>oplocks + </code></em> to be broken whenever a local UNIX process or NFS operation + accesses a file that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> has oplocked. This allows complete + data consistency between SMB/CIFS, NFS and local file access (and is + a <span class="emphasis"><em>very</em></span> cool feature :-).</p><p>This parameter defaults to <code class="constant">on</code>, but is translated + to a no-op on systems that no not have the necessary kernel support. + You should never need to touch this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>kernel oplocks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LANMANAUTH"></a>lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to + authenticate users or permit password changes + using the LANMAN password hash. If disabled, only clients which support NT + password hashes (e.g. Windows NT/2000 clients, smbclient, but not + Windows 95/98 or the MS DOS network client) will be able to + connect to the Samba host.</p><p>The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98/ME or MS DOS clients are advised to disable + this option. </p><p>Unlike the <code class="literal">encrypt + passwords</code> option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the <code class="literal">client lanman + auth</code> to disable this for Samba's clients (such as smbclient)</p><p>If this option, and <code class="literal">ntlm + auth</code> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to use it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lanman auth</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LARGEREADWRITE"></a>large readwrite (G)</span></dt><dd><p>This parameter determines whether or not + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> supports the new 64k + streaming read and write varient SMB requests introduced with + Windows 2000. Note that due to Windows 2000 client redirector bugs + this requires Samba to be running on a 64-bit capable operating + system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve + performance by 10% with Windows 2000 clients. Defaults to on. Not as + tested as some other Samba code paths.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>large readwrite</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p> + The <a class="indexterm" name="id312005"></a>ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact + the ldap server when retreiving user account information. The <a class="indexterm" name="id312013"></a>ldap admin dn is used + in conjunction with the admin dn password stored in the <code class="filename">private/secrets.tdb</code> + file. See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> + man page for more information on how to accomplish this. + </p><p> + The <a class="indexterm" name="id312038"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id312046"></a>ldap suffix is not appended to the <a class="indexterm" name="id312053"></a>ldap admin dn. + </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete + operation in the ldapsam deletes the complete entry or only the attributes + specific to Samba. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap delete dn</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPGROUPSUFFIX"></a>ldap group suffix (G)</span></dt><dd><p>This parameter specifies the suffix that is + used for groups when these are added to the LDAP directory. + If this parameter is unset, the value of <a class="indexterm" name="id312126"></a>ldap suffix will be used instead. The suffix string is pre-pended to the + <a class="indexterm" name="id312134"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> = <code class="literal">ou=Groups</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPIDMAPSUFFIX"></a>ldap idmap suffix (G)</span></dt><dd><p> + This parameters specifies the suffix that is used when storing idmap mappings. If this parameter + is unset, the value of <a class="indexterm" name="id312196"></a>ldap suffix will be used instead. The suffix + string is pre-pended to the <a class="indexterm" name="id312204"></a>ldap suffix string so use a partial DN. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> = <code class="literal">ou=Idmap</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p> + It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of + <a class="indexterm" name="id312266"></a>ldap suffix will be used instead. The suffix string is pre-pended to the + <a class="indexterm" name="id312274"></a>ldap suffix string so use a partial DN. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> = <code class="literal">ou=Computers</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPPASSWDSYNC"></a>ldap passwd sync (G)</span></dt><dd><p> + This option is used to define whether or not Samba should sync the LDAP password with the NT + and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password + change via SAMBA. + </p><p> + The <a class="indexterm" name="id312340"></a>ldap passwd sync can be set to one of three values: + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Yes</code></em> = Try + to update the LDAP, NT and LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>No</code></em> = Update NT and + LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>Only</code></em> = Only update + the LDAP password and let the LDAP server do the rest.</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap passwd sync</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPREPLICATIONSLEEP"></a>ldap replication sleep (G)</span></dt><dd><p> + When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server. + This server then replicates our changes back to the 'local' server, however the replication might take some seconds, + especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success' + that does not immediately change the LDAP back-end's data. + </p><p> + This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly + high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly. + Be aware that no checking is performed that the data has actually replicated. + </p><p> + The value is specified in milliseconds, the maximum value is 5000 (5 seconds). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap replication sleep</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPSAM:EDITPOSIX"></a>ldapsam:editposix (G)</span></dt><dd><p> + Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller + eliminating the need to set up custom scripts to add and manage the posix users and groups. This option + will instead directly manipulate the ldap tree to create, remove and modify user and group entries. + This option also requires a running winbindd as it is used to allocate new uids/gids on user/group + creation. The allocation range must be therefore configured. + </p><p> + To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly + configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users, + Domain Admins, Domain Guests) can be precreated with the command <code class="literal">net sam + provision</code>. To run this command the ldap server must be running, Winindd must be running and + the smb.conf ldap options must be properly configured. + + The typical ldap setup used with the <a class="indexterm" name="id312494"></a>ldapsam:trusted = yes option + is usually sufficient to use <a class="indexterm" name="id312501"></a>ldapsam:editposix = yes as well. + </p><p> + An example configuration can be the following: + + </p><pre class="programlisting"> + encrypt passwords = true + passdb backend = ldapsam + + ldapsam:trusted=yes + ldapsam:editposix=yes + + ldap admin dn = cn=admin,dc=samba,dc=org + ldap delete dn = yes + ldap group suffix = ou=groups + ldap idmap suffix = ou=idmap + ldap machine suffix = ou=computers + ldap user suffix = ou=users + ldap suffix = dc=samba,dc=org + + idmap backend = ldap:"ldap://localhost" + + idmap uid = 5000-50000 + idmap gid = 5000-50000 + </pre><p> + + This configuration assume the ldap server have been loaded with a base tree like described + in the following ldif: + + </p><pre class="programlisting"> + dn: dc=samba,dc=org + objectClass: top + objectClass: dcObject + objectClass: organization + o: samba.org + dc: samba + + dn: cn=admin,dc=samba,dc=org + objectClass: simpleSecurityObject + objectClass: organizationalRole + cn: admin + description: LDAP administrator + userPassword: secret + + dn: ou=users,dc=samba,dc=org + objectClass: top + objectClass: organizationalUnit + ou: users + + dn: ou=groups,dc=samba,dc=org + objectClass: top + objectClass: organizationalUnit + ou: groups + + dn: ou=idmap,dc=samba,dc=org + objectClass: top + objectClass: organizationalUnit + ou: idmap + + dn: ou=computers,dc=samba,dc=org + objectClass: top + objectClass: organizationalUnit + ou: computers + </pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldapsam:editposix</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPSAM:TRUSTED"></a>ldapsam:trusted (G)</span></dt><dd><p> + By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to + access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group + this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he + is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS + counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that + are used to deal with user and group attributes lack such optimization. + </p><p> + To make Samba scale well in large environments, the <a class="indexterm" name="id312581"></a>ldapsam:trusted = yes + option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the + standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are + stored together with the POSIX data in the same LDAP object. If these assumptions are met, + <a class="indexterm" name="id312590"></a>ldapsam:trusted = yes can be activated and Samba can bypass the + NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and + administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries + is easily achieved. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldapsam:trusted</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPSSL"></a>ldap ssl (G)</span></dt><dd><p>This option is used to define whether or not Samba should + use SSL when connecting to the ldap server + This is <span class="emphasis"><em>NOT</em></span> related to + Samba's previous SSL support which was enabled by specifying the + <code class="literal">--with-ssl</code> option to the <code class="filename">configure</code> + script.</p><p>The <a class="indexterm" name="id312659"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never + use SSL when querying the directory.</p></li><li><p><em class="parameter"><code>Start_tls</code></em> = Use + the LDAPv3 StartTLS extended operation (RFC2830) for + communicating with the directory server.</p></li><li><p><em class="parameter"><code>On</code></em> = Use SSL + on the ldaps port when contacting the <em class="parameter"><code>ldap server</code></em>. Only available when the + backwards-compatiblity <code class="literal">--with-ldapsam</code> option is specified + to configure. See <a class="indexterm" name="id312714"></a>passdb backend</p>. + </li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = <code class="literal">start_tls</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</p><p> + The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id312767"></a>ldap user suffix, + <a class="indexterm" name="id312774"></a>ldap group suffix, <a class="indexterm" name="id312781"></a>ldap machine suffix, and the + <a class="indexterm" name="id312788"></a>ldap idmap suffix. Each of these should be given only a DN relative to the + <a class="indexterm" name="id312796"></a>ldap suffix. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> = <code class="literal">dc=samba,dc=org</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPTIMEOUT"></a>ldap timeout (G)</span></dt><dd><p> + When Samba connects to an ldap server that servermay be down or unreachable. To prevent Samba from hanging whilst + waiting for the connection this parameter specifies in seconds how long Samba should wait before failing the + connect. The default is to only wait fifteen seconds for the ldap server to respond to the connect request. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap timeout</code></em> = <code class="literal">15</code> +</em></span> +</p></dd><dt><span class="term"><a name="LDAPUSERSUFFIX"></a>ldap user suffix (G)</span></dt><dd><p> + This parameter specifies where users are added to the tree. If this parameter is unset, + the value of <a class="indexterm" name="id312898"></a>ldap suffix will be used instead. The suffix + string is pre-pended to the <a class="indexterm" name="id312906"></a>ldap suffix string so use a partial DN. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> = <code class="literal">ou=people</code> +</em></span> +</p></dd><dt><span class="term"><a name="LEVEL2OPLOCKS"></a>level2 oplocks (S)</span></dt><dd><p>This parameter controls whether Samba supports + level2 (read-only) oplocks on a share.</p><p>Level2, or read-only oplocks allow Windows NT clients + that have an oplock on a file to downgrade from a read-write oplock + to a read-only oplock once a second client opens the file (instead + of releasing all oplocks on a second open, as in traditional, + exclusive oplocks). This allows all openers of the file that + support level2 oplocks to cache the file for read-ahead only (ie. + they may not cache writes or lock requests) and increases performance + for many accesses of files that are not commonly written (such as + application .EXE files).</p><p>Once one of the clients which have a read-only oplock + writes to the file all clients are notified (no reply is needed + or waited for) and told to break their oplocks to "none" and + delete any read-ahead caches.</p><p>It is recommended that this parameter be turned on to + speed access to shared executables.</p><p>For more discussions on level2 oplocks see the CIFS spec.</p><p> + Currently, if <a class="indexterm" name="id312993"></a>kernel oplocks are supported then + level2 oplocks are not granted (even if this parameter is set to + <code class="constant">yes</code>). Note also, the <a class="indexterm" name="id313004"></a>oplocks + parameter must be set to <code class="constant">yes</code> on this share in order for + this parameter to have any effect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>level2 oplocks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LMANNOUNCE"></a>lm announce (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will produce Lanman announce + broadcasts that are needed by OS/2 clients in order for them to see + the Samba server in their browse list. This parameter can have three + values, <code class="constant">yes</code>, <code class="constant">no</code>, or + <code class="constant">auto</code>. The default is <code class="constant">auto</code>. + If set to <code class="constant">no</code> Samba will never produce these + broadcasts. If set to <code class="constant">yes</code> Samba will produce + Lanman announce broadcasts at a frequency set by the parameter + <a class="indexterm" name="id313085"></a>lm interval. If set to <code class="constant">auto</code> + Samba will not send Lanman announce broadcasts by default but will + listen for them. If it hears such a broadcast on the wire it will + then start sending them at a frequency set by the parameter + <a class="indexterm" name="id313097"></a>lm interval.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = <code class="literal">auto</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LMINTERVAL"></a>lm interval (G)</span></dt><dd><p>If Samba is set to produce Lanman announce + broadcasts needed by OS/2 clients (see the + <a class="indexterm" name="id313160"></a>lm announce parameter) then this + parameter defines the frequency in seconds with which they will be + made. If this is set to zero then no Lanman announcements will be + made despite the setting of the <a class="indexterm" name="id313168"></a>lm announce + parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = <code class="literal">60</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = <code class="literal">120</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOADPRINTERS"></a>load printers (G)</span></dt><dd><p>A boolean variable that controls whether all + printers in the printcap will be loaded for browsing by default. + See the <a class="indexterm" name="id313232"></a>printers section for + more details.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>load printers</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOCALMASTER"></a>local master (G)</span></dt><dd><p>This option allows <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to try and become a local master browser + on a subnet. If set to <code class="constant">no</code> then <code class="literal"> + nmbd</code> will not attempt to become a local master browser + on a subnet and will also lose in all browsing elections. By + default this value is set to <code class="constant">yes</code>. Setting this value to + <code class="constant">yes</code> doesn't mean that Samba will <span class="emphasis"><em>become</em></span> the + local master browser on a subnet, just that <code class="literal">nmbd</code> + will <span class="emphasis"><em>participate</em></span> in elections for local master browser.</p><p>Setting this value to <code class="constant">no</code> will cause <code class="literal">nmbd</code> <span class="emphasis"><em>never</em></span> to become a local +master browser.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>local master</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOCKDIR"></a>lock dir</span></dt><dd><p>This parameter is a synonym for lock directory.</p></dd><dt><span class="term"><a name="LOCKDIRECTORY"></a>lock directory (G)</span></dt><dd><p>This option specifies the directory where lock + files will be placed. The lock files are used to implement the + <a class="indexterm" name="id313394"></a>max connections option. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock directory</code></em> = <code class="literal">${prefix}/var/locks</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lock directory</code></em> = <code class="literal">/var/run/samba/locks</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOCKING"></a>locking (S)</span></dt><dd><p>This controls whether or not locking will be + performed by the server in response to lock requests from the + client.</p><p>If <code class="literal">locking = no</code>, all lock and unlock + requests will appear to succeed and all lock queries will report + that the file in question is available for locking.</p><p>If <code class="literal">locking = yes</code>, real locking will be performed + by the server.</p><p>This option <span class="emphasis"><em>may</em></span> be useful for read-only + filesystems which <span class="emphasis"><em>may</em></span> not need locking (such as + CDROM drives), although setting this parameter of <code class="constant">no</code> + is not really recommended even in this case.</p><p>Be careful about disabling locking either globally or in a + specific service, as lack of locking may result in data corruption. + You should never need to set this parameter.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LOCKSPINCOUNT"></a>lock spin count (G)</span></dt><dd><p>This parameter has been made inoperative in Samba 3.0.24. + The functionality it contolled is now controlled by the parameter + <a class="indexterm" name="id313524"></a>lock spin time. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin count</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOCKSPINTIME"></a>lock spin time (G)</span></dt><dd><p>The time in microseconds that smbd should + keep waiting to see if a failed lock request can + be granted. This parameter has changed in default + value from Samba 3.0.23 from 10 to 200. The associated + <a class="indexterm" name="id313571"></a>lock spin count parameter is + no longer used in Samba 3.0.24. You should not need + to change the value of this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin time</code></em> = <code class="literal">200</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGFILE"></a>log file (G)</span></dt><dd><p> + This option allows you to override the name of the Samba log file (also known as the debug file). + </p><p> + This option takes the standard substitutions, allowing you to have separate log files for each user or machine. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>log file</code></em> = <code class="literal">/usr/local/samba/var/log.%m</code> +</em></span> +</p></dd><dt><span class="term"><a name="DEBUGLEVEL"></a>debuglevel</span></dt><dd><p>This parameter is a synonym for log level.</p></dd><dt><span class="term"><a name="LOGLEVEL"></a>log level (G)</span></dt><dd><p> + The value of the parameter (a astring) allows the debug level (logging level) to be specified in the + <code class="filename">smb.conf</code> file. This parameter has been extended since the 2.2.x + series, now it allow to specify the debug level for multiple debug classes. This is to give greater + flexibility in the configuration of the system. + </p><p> + The default will be the log level specified on the command line or level zero if none was specified. + </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>log level</code></em> = <code class="literal">3 passdb:5 auth:10 winbind:2</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p> + This parameter specifies the local path to which the home directory will be + connected (see <a class="indexterm" name="id313742"></a>logon home) and is only used by NT + Workstations. + </p><p> + Note that this option is only useful if Samba is set up as a logon server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon drive</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>logon drive</code></em> = <code class="literal">h:</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGONHOME"></a>logon home (G)</span></dt><dd><p> + This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. + It allows you to do + </p><p> + <code class="prompt">C:\></code><strong class="userinput"><code>NET USE H: /HOME</code></strong> + </p><p> + from a command prompt, for example. + </p><p> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. + </p><p> + This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a + subdirectory of the user's home directory. This is done in the following way: + </p><p> + <code class="literal">logon home = \\%N\%U\profile</code> + </p><p> + This tells Samba to return the above string, with substitutions made when a client requests the info, generally + in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does + <code class="literal">net use /home</code> but use the whole string when dealing with profiles. + </p><p> + Note that in prior versions of Samba, the <a class="indexterm" name="id313860"></a>logon path was returned rather than + <em class="parameter"><code>logon home</code></em>. This broke <code class="literal">net use /home</code> + but allowed profiles outside the home directory. The current implementation is correct, and can be used for + profiles if you use the above trick. + </p><p> + Disable this feature by setting <a class="indexterm" name="id313884"></a>logon home = "" - using the empty string. + </p><p> + This option is only useful if Samba is set up as a logon server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon home</code></em> = <code class="literal">\\%N\%U</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>logon home</code></em> = <code class="literal">\\remote_smb_server\%U</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGONPATH"></a>logon path (G)</span></dt><dd><p> + This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are + stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming + profiles. To find out how to handle roaming profiles for Win 9X system, see the + <a class="indexterm" name="id313953"></a>logon home parameter. + </p><p> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. It also specifies the directory from which the "Application Data", <code class="filename">desktop</code>, <code class="filename">start menu</code>, <code class="filename">network neighborhood</code>, <code class="filename">programs</code> and other + folders, and their contents, are loaded and displayed on your Windows NT client. + </p><p> + The share and the path must be readable by the user for the preferences and directories to be loaded onto the + Windows NT client. The share must be writeable when the user logs in for the first time, in order that the + Windows NT client can create the NTuser.dat and other directories. + Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable + that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a + <span class="emphasis"><em>MAN</em></span>datory profile). + </p><p> + Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged + in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting + this parameter to \\%N\homes\profile_path will cause problems). + </p><p> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Do not quote the value. Setting this as “<span class="quote">\\%N\profile\%U</span>” + will break profile handling. Where the tdbsam or ldapsam passdb backend + is used, at the time the user account is created the value configured + for this parameter is written to the passdb backend and that value will + over-ride the parameter value present in the smb.conf file. Any error + present in the passdb backend account record must be editted using the + appropriate tool (pdbedit on the command-line, or any other locally + provided system tool). + </p></div><p>Note that this option is only useful if Samba is set up as a domain controller.</p><p> + Disable the use of roaming profiles by setting the value of this parameter to the empty string. For + example, <a class="indexterm" name="id314030"></a>logon path = "". Take note that even if the default setting + in the smb.conf file is the empty string, any value specified in the user account settings in the passdb + backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use + requires that the user account settings must also be blank. + </p><p> + An example of use is: +</p><pre class="programlisting"> +logon path = \\PROFILESERVER\PROFILE\%U +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon path</code></em> = <code class="literal">\\%N\%U\profile</code> +</em></span> +</p></dd><dt><span class="term"><a name="LOGONSCRIPT"></a>logon script (G)</span></dt><dd><p> + This parameter specifies the batch file (<code class="filename">.bat</code>) or NT command file + (<code class="filename">.cmd</code>) to be downloaded and run on a machine when a user successfully logs in. The file + must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended. + </p><p> + The script must be a relative path to the <em class="parameter"><code>[netlogon]</code></em> service. If the [netlogon] + service specifies a <a class="indexterm" name="id314112"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id314125"></a>logon script = STARTUP.BAT, then the file that will be downloaded is: +</p><pre class="programlisting"> + /usr/local/samba/netlogon/STARTUP.BAT +</pre><p> + </p><p> + The contents of the batch file are entirely your choice. A suggested command would be to add <code class="literal">NET TIME \\SERVER /SET /YES</code>, to force every machine to synchronize clocks with the + same time server. Another use would be to add <code class="literal">NET USE U: \\SERVER\UTILS</code> + for commonly used utilities, or +</p><pre class="programlisting"> +<strong class="userinput"><code>NET USE Q: \\SERVER\ISO9001_QA</code></strong> +</pre><p> + for example. + </p><p> + Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users + write permission on the batch files in a secure environment, as this would allow the batch files to be + arbitrarily modified and security to be breached. + </p><p> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. + </p><p> + This option is only useful if Samba is set up as a logon server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>logon script</code></em> = <code class="literal">scripts\%U.bat</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPPAUSECOMMAND"></a>lppause command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to stop printing or spooling + a specific print job.</p><p>This command should be a program or script which takes + a printer name and job number to pause the print job. One way + of implementing this is by using job priorities, where jobs + having a too low priority won't be sent to the printer.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with + the job number (an integer). On HPUX (see <em class="parameter"><code>printing=hpux + </code></em>), if the <em class="parameter"><code>-p%p</code></em> option is added + to the lpq command, the job will show up with the correct status, i.e. + if the job priority is lower than the set fence priority it will + have the PAUSED status, whereas if the priority is equal or higher it + will have the SPOOLED or PRINTING status.</p><p>Note that it is good practice to include the absolute path + in the lppause command as the PATH may not be available to the server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> = <code class="literal"> +# Currently no default value is given to + this string, unless the value of the <a class="indexterm" name="id314292"></a>printing + parameter is <code class="constant">SYSV</code>, in which case the default is : + <code class="literal">lp -i %p-%j -H hold</code> or if the value of the + <em class="parameter"><code>printing</code></em> parameter is + <code class="constant">SOFTQ</code>, then the default is: + <code class="literal">qstat -s -j%j -h</code>. </code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> = <code class="literal">/usr/bin/lpalt %p-%j -p0</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPQCACHETIME"></a>lpq cache time (G)</span></dt><dd><p>This controls how long lpq info will be cached + for to prevent the <code class="literal">lpq</code> command being called too + often. A separate cache is kept for each variation of the <code class="literal"> + lpq</code> command used by the system, so if you use different + <code class="literal">lpq</code> commands for different users then they won't + share cache information.</p><p>The cache files are stored in <code class="filename">/tmp/lpq.xxxx</code> + where xxxx is a hash of the <code class="literal">lpq</code> command in use.</p><p>The default is 30 seconds, meaning that the cached results + of a previous identical <code class="literal">lpq</code> command will be used + if the cached data is less than 30 seconds old. A large value may + be advisable if your <code class="literal">lpq</code> command is very slow.</p><p>A value of 0 will disable caching completely.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpq cache time</code></em> = <code class="literal">30</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lpq cache time</code></em> = <code class="literal">10</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPQCOMMAND"></a>lpq command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to obtain <code class="literal">lpq + </code>-style printer status information.</p><p>This command should be a program or script which + takes a printer name as its only parameter and outputs printer + status information.</p><p>Currently nine styles of printer status information + are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. + This covers most UNIX systems. You control which type is expected + using the <em class="parameter"><code>printing =</code></em> option.</p><p>Some clients (notably Windows for Workgroups) may not + correctly send the connection number for the printer they are + requesting status information about. To get around this, the + server reports on the first printer service connected to by the + client. This only happens if the connection number sent is invalid.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. Otherwise it is placed at the end of the + command.</p><p>Note that it is good practice to include the absolute path + in the <em class="parameter"><code>lpq command</code></em> as the <code class="envar">$PATH + </code> may not be available to the server. When compiled with + the CUPS libraries, no <em class="parameter"><code>lpq command</code></em> is + needed because smbd will make a library call to obtain the + print queue listing.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpq command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lpq command</code></em> = <code class="literal">/usr/bin/lpq -P%p</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPRESUMECOMMAND"></a>lpresume command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to restart or continue + printing or spooling a specific print job.</p><p>This command should be a program or script which takes + a printer name and job number to resume the print job. See + also the <a class="indexterm" name="id314599"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with + the job number (an integer).</p><p>Note that it is good practice to include the absolute path + in the <em class="parameter"><code>lpresume command</code></em> as the PATH may not + be available to the server.</p><p>See also the <a class="indexterm" name="id314635"></a>printing parameter.</p><p>Default: Currently no default value is given + to this string, unless the value of the <em class="parameter"><code>printing</code></em> + parameter is <code class="constant">SYSV</code>, in which case the default is :</p><p><code class="literal">lp -i %p-%j -H resume</code></p><p>or if the value of the <em class="parameter"><code>printing</code></em> parameter + is <code class="constant">SOFTQ</code>, then the default is:</p><p><code class="literal">qstat -s -j%j -r</code></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpresume command</code></em> = <code class="literal">lpresume command = /usr/bin/lpalt %p-%j -p2</code> +</em></span> +</p></dd><dt><span class="term"><a name="LPRMCOMMAND"></a>lprm command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to delete a print job.</p><p>This command should be a program or script which takes + a printer name and job number, and deletes the print job.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with + the job number (an integer).</p><p>Note that it is good practice to include the absolute + path in the <em class="parameter"><code>lprm command</code></em> as the PATH may not be + available to the server.</p><p> + Examples of use are: +</p><pre class="programlisting"> +lprm command = /usr/bin/lprm -P%p %j + +or + +lprm command = /usr/bin/cancel %p-%j +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lprm command</code></em> = <code class="literal"> determined by printing parameter</code> +</em></span> +</p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p> + If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id314802"></a>security = domain parameter) then periodically a running smbd process will try and change + the MACHINE ACCOUNT PASSWORD stored in the TDB called <code class="filename">private/secrets.tdb + </code>. This parameter specifies how often this password will be changed, in seconds. The default is one + week (expressed in seconds), the same as a Windows NT Domain member server. + </p><p> + See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, + and the <a class="indexterm" name="id314828"></a>security = domain parameter. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>machine password timeout</code></em> = <code class="literal">604800</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p> + This parameter specifies the name of a file which will contain output created by a magic script (see the + <a class="indexterm" name="id314875"></a>magic script parameter below). + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If two clients use the same <em class="parameter"><code>magic script + </code></em> in the same directory the output file content is undefined. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>magic output</code></em> = <code class="literal"><magic script name>.out</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>magic output</code></em> = <code class="literal">myfile.txt</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAGICSCRIPT"></a>magic script (S)</span></dt><dd><p>This parameter specifies the name of a file which, + if opened, will be executed by the server when the file is closed. + This allows a UNIX script to be sent to the Samba host and + executed on behalf of the connected user.</p><p>Scripts executed in this way will be deleted upon + completion assuming that the user has the appropriate level + of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to + the file specified by the <a class="indexterm" name="id314959"></a>magic output + parameter (see above).</p><p>Note that some shells are unable to interpret scripts + containing CR/LF instead of CR as + the end-of-line marker. Magic scripts must be executable + <span class="emphasis"><em>as is</em></span> on the host, which for some hosts and + some shells will require filtering at the DOS end.</p><p>Magic scripts are <span class="emphasis"><em>EXPERIMENTAL</em></span> and + should <span class="emphasis"><em>NOT</em></span> be relied upon.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>magic script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>magic script</code></em> = <code class="literal">user.csh</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLEDMAP"></a>mangled map (S)</span></dt><dd><p> + This is for those who want to directly map UNIX file names which cannot be represented on + Windows/DOS. The mangling of names is not always what is needed. In particular you may have + documents with file extensions that differ between DOS and UNIX. + For example, under UNIX it is common to use <code class="filename">.html</code> + for HTML files, whereas under Windows/DOS <code class="filename">.htm</code> + is more commonly used. + </p><p> + So to map <code class="filename">html</code> to <code class="filename">htm</code> + you would use: + </p><p> + <a class="indexterm" name="id315073"></a>mangled map = (*.html *.htm). + </p><p> + One very useful case is to remove the annoying <code class="filename">;1</code> off + the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of + (*;1 *;). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangled map</code></em> = <code class="literal"> +# no mangled map</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangled map</code></em> = <code class="literal">(*;1 *;)</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX + should be mapped to DOS-compatible names ("mangled") and made visible, + or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id315151"></a>name mangling for + details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters + before the rightmost dot of the filename are preserved, forced + to upper case, and appear as the first (up to) five characters + of the mangled name.</p></li><li><p>A tilde "~" is appended to the first part of the mangled + name, followed by a two-character unique sequence, based on the + original root name (i.e., the original filename minus its final + extension). The final extension is included in the hash calculation + only if it contains any upper case characters or is longer than three + characters.</p><p>Note that the character to use may be specified using + the <a class="indexterm" name="id315185"></a>mangling char + option, if you don't like '~'.</p></li><li><p>Files whose UNIX name begins with a dot will be + presented as DOS hidden files. The mangled name will be created as + for other filenames, but with the leading dot removed and "___" as + its extension regardless of actual original extension (that's three + underscores).</p></li></ul></div><p>The two-digit hash value consists of upper case alphanumeric characters.</p><p>This algorithm can cause name collisions only if files + in a directory share the same first five alphanumeric characters. + The probability of such a clash is 1/1300.</p><p>The name mangling (if enabled) allows a file to be + copied between UNIX directories from Windows/DOS while retaining + the long UNIX filename. UNIX files can be renamed to a new extension + from Windows/DOS and will retain the same basename. Mangled names + do not change between sessions.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangled names</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLEPREFIX"></a>mangle prefix (G)</span></dt><dd><p> controls the number of prefix + characters from the original name used when generating + the mangled names. A larger value will give a weaker + hash and therefore more name collisions. The minimum + value is 1 and the maximum value is 6.</p><p> + mangle prefix is effective only when mangling method is hash2. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangle prefix</code></em> = <code class="literal">1</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangle prefix</code></em> = <code class="literal">4</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as + the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id315321"></a>name mangling. The + default is a '~' but this may interfere with some software. Use this option to set + it to whatever you prefer. This is effective only when mangling method is hash.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = <code class="literal">~</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = <code class="literal">^</code> +</em></span> +</p></dd><dt><span class="term"><a name="MANGLINGMETHOD"></a>mangling method (G)</span></dt><dd><p> controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the algorithm that was used + used in Samba for many years and was the default in Samba 2.2.x "hash2" is + now the default and is newer and considered a better algorithm (generates less collisions) in + the names. Many Win32 applications store the mangled names and so + changing to algorithms must not be done lightly as these applications + may break unless reinstalled.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling method</code></em> = <code class="literal">hash2</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangling method</code></em> = <code class="literal">hash</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPACLINHERIT"></a>map acl inherit (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map the 'inherit' and 'protected' + access control entry flags stored in Windows ACLs into an extended attribute + called user.SAMBA_PAI. This parameter only takes effect if Samba is being run + on a platform that supports extended attributes (Linux and IRIX so far) and + allows the Windows 2000 ACL editor to correctly use inheritance with the Samba + POSIX ACL mapping code. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map acl inherit</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPARCHIVE"></a>map archive (S)</span></dt><dd><p> + This controls whether the DOS archive attribute + should be mapped to the UNIX owner execute bit. The DOS archive bit + is set when a file has been modified since its last backup. One + motivation for this option is to keep Samba/your PC from making + any file it touches from becoming executable under UNIX. This can + be quite annoying for shared source code, documents, etc... + </p><p> + Note that this requires the <a class="indexterm" name="id315501"></a>create mask parameter to be set such that owner + execute bit is not masked out (i.e. it must include 100). See the parameter + <a class="indexterm" name="id315509"></a>create mask for details. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map archive</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPHIDDEN"></a>map hidden (S)</span></dt><dd><p> + This controls whether DOS style hidden files should be mapped to the UNIX world execute bit. + </p><p> + Note that this requires the <a class="indexterm" name="id315559"></a>create mask to be set such that the world execute + bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id315567"></a>create mask + for details. + </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="MAPREADONLY"></a>map read only (S)</span></dt><dd><p> + This controls how the DOS read only attribute should be mapped from a UNIX filesystem. + </p><p> + This parameter can take three different values, which tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> how to display the read only attribute on files, where either + <a class="indexterm" name="id315613"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is + present. If <a class="indexterm" name="id315624"></a>store dos attributes is set to <code class="constant">yes</code> then this + parameter is <span class="emphasis"><em>ignored</em></span>. This is a new parameter introduced in Samba version 3.0.21. + </p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p> + <code class="constant">Yes</code> - The read only DOS attribute is mapped to the inverse of the user + or owner write bit in the unix permission mode set. If the owner write bit is not set, the + read only attribute is reported as being set on the file. + </p></li><li><p> + <code class="constant">Permissions</code> - The read only DOS attribute is mapped to the effective permissions of + the connecting user, as evaluated by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> by reading the unix permissions and POSIX ACL (if present). + If the connecting user does not have permission to modify the file, the read only attribute + is reported as being set on the file. + </p></li><li><p> + <code class="constant">No</code> - The read only DOS attribute is unaffected by permissions, and can only be set by + the <a class="indexterm" name="id315681"></a>store dos attributes method. This may be useful for exporting mounted CDs. + </p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>map read only</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPSYSTEM"></a>map system (S)</span></dt><dd><p> + This controls whether DOS style system files should be mapped to the UNIX group execute bit. + </p><p> + Note that this requires the <a class="indexterm" name="id315731"></a>create mask to be set such that the group + execute bit is not masked out (i.e. it must include 010). See the parameter + <a class="indexterm" name="id315739"></a>create mask for details. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map system</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id315785"></a>SECURITY = + security modes other than <em class="parameter"><code>security = share</code></em> + and <em class="parameter"><code>security = server</code></em> + - i.e. <code class="constant">user</code>, and <code class="constant">domain</code>.</p><p>This parameter can take four different values, which tell + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> what to do with user + login requests that don't match a valid UNIX user in some way.</p><p>The four settings are :</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">Never</code> - Means user login + requests with an invalid password are rejected. This is the + default.</p></li><li><p><code class="constant">Bad User</code> - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the <a class="indexterm" name="id315849"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins + with an invalid password are treated as a guest login and mapped + into the <a class="indexterm" name="id315866"></a>guest account. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + <span class="emphasis"><em>hate</em></span> you if you set the <em class="parameter"><code>map to + guest</code></em> parameter this way :-).</p></li><li><p><code class="constant">Bad Uid</code> - Is only applicable when Samba is configured + in some type of domain mode security (security = {domain|ads}) and means that + user logins which are successfully authenticated but which have no valid Unix + user account (and smbd is unable to create one) should be mapped to the defined + guest account. This was the default behavior of Samba 2.x releases. Note that + if a member server is running winbindd, this option should never be required + because the nss_winbind library will export the Windows domain users and groups + to the underlying OS via the Name Service Switch interface.</p></li></ul></div><p>Note that this parameter is needed to set up "Guest" + share services when using <em class="parameter"><code>security</code></em> modes other than + share and server. This is because in these modes the name of the resource being + requested is <span class="emphasis"><em>not</em></span> sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. This parameter is not useful with + <em class="parameter"><code>security = server</code></em> as in this security mode + no information is returned about whether a user logon failed due to + a bad username or bad password, the same error is returned from a modern server + in both cases.</p><p>For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the <code class="constant"> + GUEST_SESSSETUP</code> value in local.h.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map to guest</code></em> = <code class="literal">Never</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>map to guest</code></em> = <code class="literal">Bad User</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXCONNECTIONS"></a>max connections (S)</span></dt><dd><p>This option allows the number of simultaneous connections to a service to be limited. + If <em class="parameter"><code>max connections</code></em> is greater than 0 then connections + will be refused if this number of connections to the service are already open. A value + of zero mean an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature. The lock files will be stored in + the directory specified by the <a class="indexterm" name="id316002"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = <code class="literal">10</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXDISKSIZE"></a>max disk size (G)</span></dt><dd><p>This option allows you to put an upper limit + on the apparent size of disks. If you set this option to 100 + then all shares will appear to be not larger than 100 MB in + size.</p><p>Note that this option does not limit the amount of + data you can put on the disk. In the above case you could still + store much more than 100 MB on the disk, but if a client ever asks + for the amount of free disk space or the total disk size then the + result will be bounded by the amount specified in <em class="parameter"><code>max + disk size</code></em>.</p><p>This option is primarily useful to work around bugs + in some pieces of software that can't handle very large disks, + particularly disks over 1GB in size.</p><p>A <em class="parameter"><code>max disk size</code></em> of 0 means no limit.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max disk size</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max disk size</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXLOGSIZE"></a>max log size (G)</span></dt><dd><p> + This option (an integer in kilobytes) specifies the max size the log file should grow to. + Samba periodically checks the size and if it is exceeded it will rename the file, adding + a <code class="filename">.old</code> extension. + </p><p>A size of 0 means no limit. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max log size</code></em> = <code class="literal">5000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max log size</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXMUX"></a>max mux (G)</span></dt><dd><p>This option controls the maximum number of + outstanding simultaneous SMB operations that Samba tells the client + it will allow. You should never need to set this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max mux</code></em> = <code class="literal">50</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXOPENFILES"></a>max open files (G)</span></dt><dd><p>This parameter limits the maximum number of + open files that one <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> file + serving process may have open for a client at any one time. The + default for this parameter is set very high (10,000) as Samba uses + only one bit per unopened file.</p><p>The limit of the number of open files is usually set + by the UNIX per-process file descriptor limit rather than + this parameter so you should never need to touch this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max open files</code></em> = <code class="literal">10000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXPRINTJOBS"></a>max print jobs (S)</span></dt><dd><p>This parameter limits the maximum number of + jobs allowable in a Samba printer queue at any given moment. + If this number is exceeded, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will remote "Out of Space" to the client. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max print jobs</code></em> = <code class="literal">1000</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max print jobs</code></em> = <code class="literal">5000</code> +</em></span> +</p></dd><dt><span class="term"><a name="PROTOCOL"></a>protocol</span></dt><dd><p>This parameter is a synonym for max protocol.</p></dd><dt><span class="term"><a name="MAXPROTOCOL"></a>max protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the highest + protocol level that will be supported by the server.</p><p>Possible values are :</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">CORE</code>: Earliest version. No + concept of user names.</p></li><li><p><code class="constant">COREPLUS</code>: Slight improvements on + CORE for efficiency.</p></li><li><p><code class="constant">LANMAN1</code>: First <span class="emphasis"><em> + modern</em></span> version of the protocol. Long filename + support.</p></li><li><p><code class="constant">LANMAN2</code>: Updates to Lanman1 protocol.</p></li><li><p><code class="constant">NT1</code>: Current up to date version of the protocol. + Used by Windows NT. Known as CIFS.</p></li></ul></div><p>Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max protocol</code></em> = <code class="literal">NT1</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max protocol</code></em> = <code class="literal">LANMAN1</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXREPORTEDPRINTJOBS"></a>max reported print jobs (S)</span></dt><dd><p> + This parameter limits the maximum number of jobs displayed in a port monitor for + Samba printer queue at any given moment. If this number is exceeded, the excess + jobs will not be shown. A value of zero means there is no limit on the number of + print jobs reported. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max reported print jobs</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max reported print jobs</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXSMBDPROCESSES"></a>max smbd processes (G)</span></dt><dd><p>This parameter limits the maximum number of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> processes concurrently running on a system and is intended + as a stopgap to prevent degrading service to clients in the event that the server has insufficient + resources to handle more than this number of connections. Remember that under normal operating + conditions, each user will have an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> associated with him or her to handle connections to all + shares from a given host.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max smbd processes</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max smbd processes</code></em> = <code class="literal">1000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXSTATCACHESIZE"></a>max stat cache size (G)</span></dt><dd><p>This parameter limits the size in memory of any + <em class="parameter"><code>stat cache</code></em> being used + to speed up case insensitive name mappings. This parameter is + the number of kilobyte (1024) units the stat cache can use. + A value of zero means unlimited which is not advised aѕ it can + use a lot of memory. + You should not need to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max stat cache size</code></em> = <code class="literal">1024</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max stat cache size</code></em> = <code class="literal">100</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXTTL"></a>max ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> what the default 'time to live' + of NetBIOS names should be (in seconds) when <code class="literal">nmbd</code> is + requesting a name using either a broadcast packet or from a WINS server. You should + never need to change this parameter. The default is 3 days.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max ttl</code></em> = <code class="literal">259200</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server + (<a class="indexterm" name="id316771"></a>wins support = yes) what the maximum + 'time to live' of NetBIOS names that <code class="literal">nmbd</code> + will grant will be (in seconds). You should never need to change this + parameter. The default is 6 days (518400 seconds).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max wins ttl</code></em> = <code class="literal">518400</code> +</em></span> +</p></dd><dt><span class="term"><a name="MAXXMIT"></a>max xmit (G)</span></dt><dd><p>This option controls the maximum packet size + that will be negotiated by Samba. The default is 16644, which + matches the behavior of Windows 2000. A value below 2048 is likely to cause problems. + You should never need to change this parameter from its default value. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = <code class="literal">16644</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = <code class="literal">8192</code> +</em></span> +</p></dd><dt><span class="term"><a name="MESSAGECOMMAND"></a>message command (G)</span></dt><dd><p>This specifies what command to run when the + server receives a WinPopup style message.</p><p>This would normally be a command that would + deliver the message somehow. How this is to be done is + up to your imagination.</p><p>An example is: +</p><pre class="programlisting"> +<code class="literal">message command = csh -c 'xedit %s;rm %s' &</code> +</pre><p> + </p><p>This delivers the message using <code class="literal">xedit</code>, then + removes it afterwards. <span class="emphasis"><em>NOTE THAT IT IS VERY IMPORTANT + THAT THIS COMMAND RETURN IMMEDIATELY</em></span>. That's why I + have the '&' on the end. If it doesn't return immediately then + your PCs may freeze when sending messages (they should recover + after 30 seconds, hopefully).</p><p>All messages are delivered as the global guest user. + The command takes the standard substitutions, although <em class="parameter"><code> + %u</code></em> won't work (<em class="parameter"><code>%U</code></em> may be better + in this case).</p><p>Apart from the standard substitutions, some additional + ones apply. In particular:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>%s</code></em> = the filename containing + the message.</p></li><li><p><em class="parameter"><code>%t</code></em> = the destination that + the message was sent to (probably the server name).</p></li><li><p><em class="parameter"><code>%f</code></em> = who the message + is from.</p></li></ul></div><p>You could make this command send mail, or whatever else + takes your fancy. Please let us know of any really interesting + ideas you have.</p><p> + Here's a way of sending the messages as mail to root: +</p><pre class="programlisting"> +<code class="literal">message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s</code> +</pre><p> + </p><p>If you don't have a message command then the message + won't be delivered and Samba will tell the sender there was + an error. Unfortunately WfWg totally ignores the error code + and carries on regardless, saying that the message was delivered. + </p><p> + If you want to silently delete it then try: +</p><pre class="programlisting"> +<code class="literal">message command = rm %s</code> +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>message command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>message command</code></em> = <code class="literal">csh -c 'xedit %s; rm %s' &</code> +</em></span> +</p></dd><dt><span class="term"><a name="MINPRINTSPACE"></a>min print space (S)</span></dt><dd><p>This sets the minimum amount of free disk + space that must be available before a user will be able to spool + a print job. It is specified in kilobytes. The default is 0, which + means a user can always spool a print job.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min print space</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>min print space</code></em> = <code class="literal">2000</code> +</em></span> +</p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the + lowest SMB protocol dialect than Samba will support. Please refer + to the <a class="indexterm" name="id317130"></a>max protocol + parameter for a list of valid protocol names and a brief description + of each. You may also wish to refer to the C source code in + <code class="filename">source/smbd/negprot.c</code> for a listing of known protocol + dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should + also refer to the <a class="indexterm" name="id317149"></a>lanman auth parameter. Otherwise, you should never need + to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = <code class="literal">CORE</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = <code class="literal">NT1</code> +</em></span> +</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> + when acting as a WINS server (<a class="indexterm" name="id317220"></a>wins support = yes) what the minimum 'time to live' + of NetBIOS names that <code class="literal">nmbd</code> will grant will be (in + seconds). You should never need to change this parameter. The default + is 6 hours (21600 seconds).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min wins ttl</code></em> = <code class="literal">21600</code> +</em></span> +</p></dd><dt><span class="term"><a name="MSDFSPROXY"></a>msdfs proxy (S)</span></dt><dd><p>This parameter indicates that the share is a + stand-in for another CIFS share whose location is specified by + the value of the parameter. When clients attempt to connect to + this share, they are redirected to the proxied share using + the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares. Take a look at the + <a class="indexterm" name="id317279"></a>msdfs root and <a class="indexterm" name="id317286"></a>host msdfs + options to find out how to set up a Dfs root share.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>msdfs proxy</code></em> = <code class="literal">\\otherserver\someshare</code> +</em></span> +</p></dd><dt><span class="term"><a name="MSDFSROOT"></a>msdfs root (S)</span></dt><dd><p>If set to <code class="constant">yes</code>, Samba treats the + share as a Dfs root and allows clients to browse the + distributed file system tree rooted at the share directory. + Dfs links are specified in the share directory by symbolic + links of the form <code class="filename">msdfs:serverA\\shareA,serverB\\shareB</code> + and so on. For more information on setting up a Dfs tree on + Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>msdfs root</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="NAMECACHETIMEOUT"></a>name cache timeout (G)</span></dt><dd><p>Specifies the number of seconds it takes before + entries in samba's hostname resolve cache time out. If + the timeout is set to 0. the caching is disabled. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>name cache timeout</code></em> = <code class="literal">660</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>name cache timeout</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="NAMERESOLVEORDER"></a>name resolve order (G)</span></dt><dd><p>This option is used by the programs in the Samba + suite to determine what naming services to use and in what order + to resolve host names to IP addresses. Its main purpose to is to + control how netbios name resolution is performed. The option takes a space + separated string of name resolution options.</p><p>The options are: "lmhosts", "host", + "wins" and "bcast". They cause names to be + resolved as follows:</p><div class="itemizedlist"><ul type="disc"><li><p> + <code class="constant">lmhosts</code> : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the manpage for lmhosts for details) then + any name type matches for lookup. + </p></li><li><p> + <code class="constant">host</code> : Do a standard host name to IP address resolution, using the system + <code class="filename">/etc/hosts </code>, NIS, or DNS lookups. This method of name resolution is + operating system depended for instance on IRIX or Solaris this may be controlled by the <code class="filename">/etc/nsswitch.conf</code> file. Note that this method is used only if the NetBIOS name + type being queried is the 0x20 (server) name type or 0x1c (domain controllers). The latter case is only + useful for active directory domains and results in a DNS query for the SRV RR entry matching + _ldap._tcp.domain. + </p></li><li><p><code class="constant">wins</code> : Query a name with + the IP address listed in the <a class="indexterm" name="id317498"></a>WINSSERVER parameter. If no WINS server has + been specified this method will be ignored.</p></li><li><p><code class="constant">bcast</code> : Do a broadcast on + each of the known local interfaces listed in the <a class="indexterm" name="id317515"></a>interfaces + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet.</p></li></ul></div><p>The example below will cause the local lmhosts file to be examined + first, followed by a broadcast attempt, followed by a normal + system hostname lookup.</p><p>When Samba is functioning in ADS security mode (<code class="literal">security = ads</code>) + it is advised to use following settings for <em class="parameter"><code>name resolve order</code></em>:</p><p><code class="literal">name resolve order = wins bcast</code></p><p>DC lookups will still be done via DNS, but fallbacks to netbios names will + not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>name resolve order</code></em> = <code class="literal">lmhosts host wins bcast</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>name resolve order</code></em> = <code class="literal">lmhosts bcast host</code> +</em></span> +</p></dd><dt><span class="term"><a name="NETBIOSALIASES"></a>netbios aliases (G)</span></dt><dd><p>This is a list of NetBIOS names that nmbd will + advertise as additional names by which the Samba server is known. This allows one machine + to appear in browse lists under multiple names. If a machine is acting as a browse server + or logon server none of these names will be advertised as either browse server or logon + servers, only the primary name of the machine will be advertised with these capabilities. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>netbios aliases</code></em> = <code class="literal"> +# empty string (no additional names)</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>netbios aliases</code></em> = <code class="literal">TEST TEST1 TEST2</code> +</em></span> +</p></dd><dt><span class="term"><a name="NETBIOSNAME"></a>netbios name (G)</span></dt><dd><p> + This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component + of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of + the hosts DNS name) will be the name that these services are advertised under. + </p><p> + There is a bug in Samba-3 that breaks operation of browsing and access to shares if the netbios name + is set to the literal name <code class="literal">PIPE</code>. To avoid this problem, do not name your Samba-3 + server <code class="literal">PIPE</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>netbios name</code></em> = <code class="literal"> +# machine DNS name</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>netbios name</code></em> = <code class="literal">MYNAME</code> +</em></span> +</p></dd><dt><span class="term"><a name="NETBIOSSCOPE"></a>netbios scope (G)</span></dt><dd><p>This sets the NetBIOS scope that Samba will + operate under. This should not be set unless every machine + on your LAN also sets this value.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>netbios scope</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="NISHOMEDIR"></a>nis homedir (G)</span></dt><dd><p>Get the home share server from a NIS map. For + UNIX systems that use an automounter, the user's home directory + will often be mounted on a workstation on demand from a remote + server. </p><p>When the Samba logon server is not the actual home directory + server, but is mounting the home directories via NFS then two + network hops would be required to access the users home directory + if the logon server told the client to use itself as the SMB server + for home directories (one over SMB and one over NFS). This can + be very slow.</p><p>This option allows Samba to return the home share as + being on a different server to the logon server and as + long as a Samba daemon is running on the home directory server, + it will be mounted on the Samba client directly from the directory + server. When Samba is returning the home share to the client, it + will consult the NIS map specified in + <a class="indexterm" name="id317804"></a>homedir map and return the server + listed there.</p><p>Note that for this option to work there must be a working + NIS system and the Samba server with this option must also + be a logon server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nis homedir</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="NTACLSUPPORT"></a>nt acl support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map + UNIX permissions into Windows NT access control lists. The UNIX + permissions considered are the the traditional UNIX owner and + group permissions, as well as POSIX ACLs set on any files or + directories. This parameter was formally a global parameter in + releases prior to 2.2.2.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt acl support</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="NTLMAUTH"></a>ntlm auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to + authenticate users using the NTLM encrypted password response. + If disabled, either the lanman password hash or an NTLMv2 response + will need to be sent by the client.</p><p>If this option, and <code class="literal">lanman + auth</code> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ntlm auth</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="NTPIPESUPPORT"></a>nt pipe support (G)</span></dt><dd><p>This boolean parameter controls whether + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will allow Windows NT + clients to connect to the NT SMB specific <code class="constant">IPC$</code> + pipes. This is a developer debugging option and can be left + alone.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt pipe support</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="NTSTATUSSUPPORT"></a>nt status support (G)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will negotiate NT specific status + support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. + If this option is set to <code class="constant">no</code> then Samba offers + exactly the same DOS error codes that versions prior to Samba 2.2.3 + reported.</p><p>You should not need to ever disable this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt status support</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="NULLPASSWORDS"></a>null passwords (G)</span></dt><dd><p>Allow or disallow client access to accounts that have null passwords. </p><p>See also <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>null passwords</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="OBEYPAMRESTRICTIONS"></a>obey pam restrictions (G)</span></dt><dd><p>When Samba 3.0 is configured to enable PAM support + (i.e. --with-pam), this parameter will control whether or not Samba + should obey PAM's account and session management directives. The + default behavior is to use PAM for clear text authentication only + and to ignore any account or session management. Note that Samba + always ignores PAM for authentication in the case of <a class="indexterm" name="id318122"></a>encrypt passwords = yes. The reason + is that PAM modules cannot support the challenge/response + authentication mechanism needed in the presence of SMB password encryption. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>obey pam restrictions</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="ONLYUSER"></a>only user (S)</span></dt><dd><p>This is a boolean option that controls whether + connections with usernames not in the <em class="parameter"><code>user</code></em> + list will be allowed. By default this option is disabled so that a + client can supply a username to be used by the server. Enabling + this parameter will force the server to only use the login + names from the <em class="parameter"><code>user</code></em> list and is only really + useful in <a class="indexterm" name="id318183"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce + usernames from the service name. This can be annoying for + the [homes] section. To get around this you could use <code class="literal">user = + %S</code> which means your <em class="parameter"><code>user</code></em> list + will be just the service name, which for home directories is the + name of the user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>only user</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="OPENFILESDATABASEHASHSIZE"></a>open files database hash size (G)</span></dt><dd><p>This parameter was added in Samba 3.0.23. This is an internal tuning parameter that sets + the hash size of the tdb used for the open file databases. The presence of this parameter + allows tuning of the system for very large (thousands of concurrent users) Samba setups. + The default setting of this parameter should be sufficient for most normal environments. + It is advised not to change this parameter unless advised to by a Samba Team member.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>open files database hash size</code></em> = <code class="literal">10007</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>open files database hash size</code></em> = <code class="literal">1338457</code> +</em></span> +</p></dd><dt><span class="term"><a name="OPLOCKBREAKWAITTIME"></a>oplock break wait time (G)</span></dt><dd><p> + This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too + quickly when that client issues an SMB that can cause an oplock break request, then the network client can + fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount + of time Samba will wait before sending an oplock break request to such (broken) clients. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplock break wait time</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="OPLOCKCONTENTIONLIMIT"></a>oplock contention limit (S)</span></dt><dd><p> + This is a <span class="emphasis"><em>very</em></span> advanced <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> tuning option to improve the efficiency of the + granting of oplocks under multiple client contention for the same file. + </p><p> + In brief it specifies a number, which causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>not to grant an oplock even when requested if the + approximate number of clients contending for an oplock on the same file goes over this + limit. This causes <code class="literal">smbd</code> to behave in a similar + way to Windows NT. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplock contention limit</code></em> = <code class="literal">2</code> +</em></span> +</p></dd><dt><span class="term"><a name="OPLOCKS"></a>oplocks (S)</span></dt><dd><p> + This boolean option tells <code class="literal">smbd</code> whether to + issue oplocks (opportunistic locks) to file open requests on this + share. The oplock code can dramatically (approx. 30% or more) improve + the speed of access to files on Samba servers. It allows the clients + to aggressively cache files locally and you may want to disable this + option for unreliable network environments (it is turned on by + default in Windows NT Servers). For more information see the file + <code class="filename">Speed.txt</code> in the Samba + <code class="filename">docs/</code> directory. + </p><p> + Oplocks may be selectively turned off on certain files with a share. See + the <a class="indexterm" name="id318454"></a>veto oplock files parameter. On some systems + oplocks are recognized by the underlying operating system. This + allows data synchronization between all access to oplocked files, + whether it be via Samba or NFS or a local UNIX process. See the + <a class="indexterm" name="id318463"></a>kernel oplocks parameter for details. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplocks</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="OS2DRIVERMAP"></a>os2 driver map (G)</span></dt><dd><p>The parameter is used to define the absolute + path to a file containing a mapping of Windows NT printer driver + names to OS/2 printer driver names. The format is:</p><p><nt driver name> = <os2 driver name>.<device name></p><p>For example, a valid entry using the HP LaserJet 5 + printer driver would appear as <code class="literal">HP LaserJet 5L = LASERJET.HP + LaserJet 5L</code>.</p><p> + The need for the file is due to the printer driver namespace problem described in + the chapter on Classical Printing in the Samba3-HOWTO book. For more + details on OS/2 clients, please refer to chapter on other clients in the Samba3-HOWTO book. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>os2 driver map</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p> + This integer value controls what level Samba advertises itself as for browse elections. The value of this + parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id318576"></a>workgroup in the local broadcast area. +</p><p><span class="emphasis"><em> + Note :</em></span>By default, Samba will win a local master browsing election over all Microsoft operating + systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can + effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3 + release series and it is seldom necessary to manually over-ride the default setting. Please refer to + chapter 9 of the Samba-3 HOWTO document for further information regarding the use of this parameter. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>os level</code></em> = <code class="literal">20</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>os level</code></em> = <code class="literal">65</code> +</em></span> +</p></dd><dt><span class="term"><a name="PAMPASSWORDCHANGE"></a>pam password change (G)</span></dt><dd><p>With the addition of better PAM support in Samba 2.2, + this parameter, it is possible to use PAM's password change control + flag for Samba. If enabled, then PAM will be used for password + changes when requested by an SMB client instead of the program listed in + <a class="indexterm" name="id318651"></a>passwd program. + It should be possible to enable this without changing your + <a class="indexterm" name="id318658"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a + system command to be called when either <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> or <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> crashes. This is usually used to + draw attention to the fact that a problem occurred. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>panic action</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>panic action</code></em> = <code class="literal">"/bin/sleep 90000"</code> +</em></span> +</p></dd><dt><span class="term"><a name="PARANOIDSERVERSECURITY"></a>paranoid server security (G)</span></dt><dd><p>Some version of NT 4.x allow non-guest + users with a bad passowrd. When this option is enabled, samba will not + use a broken NT 4.x server as password server, but instead complain + to the logs and exit. + </p><p>Disabling this option prevents Samba from making + this check, which involves deliberatly attempting a + bad logon to the remote server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>paranoid server security</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSDBBACKEND"></a>passdb backend (G)</span></dt><dd><p>This option allows the administrator to chose which backend + will be used for storing user and possibly group information. This allows + you to swap between dfferent storage mechanisms without recompile. </p><p>The parameter value is divided into two parts, the backend's name, and a 'location' + string that has meaning only to that particular backed. These are separated + by a : character.</p><p>Available backends can include: + </p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">smbpasswd</code> - The default smbpasswd + backend. Takes a path to the smbpasswd file as an optional argument. + </p></li><li><p><code class="literal">tdbsam</code> - The TDB based password storage + backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the <a class="indexterm" name="id318855"></a>private dir directory.</p></li><li><p><code class="literal">ldapsam</code> - The LDAP based passdb + backend. Takes an LDAP URL as an optional argument (defaults to + <code class="literal">ldap://localhost</code>)</p><p>LDAP connections should be secured where possible. This may be done using either + Start-TLS (see <a class="indexterm" name="id318885"></a>ldap ssl) or by + specifying <em class="parameter"><code>ldaps://</code></em> in + the URL argument. </p><p>Multiple servers may also be specified in double-quotes, if your + LDAP libraries supports the LDAP URL notation. + (OpenLDAP does). + </p></li></ul></div><p> + + </p> + Examples of use are: +<pre class="programlisting"> +passdb backend = tdbsam:/etc/samba/private/passdb.tdb + +or + +passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com" +</pre><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb backend</code></em> = <code class="literal">smbpasswd</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSDBEXPANDEXPLICIT"></a>passdb expand explicit (G)</span></dt><dd><p> + This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We + used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable + %G_osver% in which %G would have been substituted by the user's primary group. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb expand explicit</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span> + conversation that takes places between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing + program to change the user's password. The string describes a + sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the + <a class="indexterm" name="id319013"></a>passwd program and what to expect back. If the expected output is not + received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id319030"></a>unix password sync parameter is set to <code class="constant">yes</code>. This sequence is + then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password in the + smbpasswd file is being changed, without access to the old password + cleartext. This means that root must be able to reset the user's password without + knowing the text of the previous password. In the presence of + NIS/YP, this means that the <a class="indexterm" name="id319046"></a>passwd program must + be executed on the NIS master. + </p><p>The string can contain the macro <em class="parameter"><code>%n</code></em> which is substituted + for the new password. The chat sequence can also contain the standard + macros \n, \r, \t and \s to + give line-feed, carriage-return, tab and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces + in them into a single string.</p><p>If the send string in any part of the chat sequence is a full + stop ".", then no string is sent. Similarly, if the + expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id319074"></a>pam password change parameter is set to <code class="constant">yes</code>, the + chat pairs may be matched in any order, and success is determined by the PAM result, not any particular + output. The \n macro is ignored for PAM conversions. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat</code></em> = <code class="literal">*new*password* %n\n*new*password* %n\n *changed*</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>passwd chat</code></em> = <code class="literal">"*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script + parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the + strings passed to and received from the passwd chat are printed + in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a + <a class="indexterm" name="id319156"></a>debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the <code class="literal">smbd</code> log. It is available to help + Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts + when calling the <em class="parameter"><code>passwd program</code></em> and should + be turned off after this has been done. This option has no effect if the + <a class="indexterm" name="id319184"></a>pam password change + paramter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial + answer from a passwd chat script being run. Once the initial answer is received + the subsequent answers must be received in one tenth of this time. The default it + two seconds.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat timeout</code></em> = <code class="literal">2</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWDPROGRAM"></a>passwd program (G)</span></dt><dd><p>The name of a program that can be used to set + UNIX user passwords. Any occurrences of <em class="parameter"><code>%u</code></em> + will be replaced with the user name. The user name is checked for + existence before calling the password changing program.</p><p>Also note that many passwd programs insist in <span class="emphasis"><em>reasonable + </em></span> passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it.</p><p><span class="emphasis"><em>Note</em></span> that if the <em class="parameter"><code>unix + password sync</code></em> parameter is set to <code class="constant">yes + </code> then this program is called <span class="emphasis"><em>AS ROOT</em></span> + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then + <code class="literal">smbd</code> will fail to change the SMB password also + (this is by design).</p><p>If the <em class="parameter"><code>unix password sync</code></em> parameter + is set this parameter <span class="emphasis"><em>MUST USE ABSOLUTE PATHS</em></span> + for <span class="emphasis"><em>ALL</em></span> programs called, and must be examined + for security implications. Note that by default <em class="parameter"><code>unix + password sync</code></em> is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd program</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>passwd program</code></em> = <code class="literal">/bin/passwd %u</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWORDLEVEL"></a>password level (G)</span></dt><dd><p>Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS! Another problem child is the Windows 95/98 + family of operating systems. These clients upper case clear + text passwords even when NT LM 0.12 selected by the protocol + negotiation request/response.</p><p>This parameter defines the maximum number of characters + that may be upper case in passwords.</p><p>For example, say the password given was "FRED". If <em class="parameter"><code> + password level</code></em> is set to 1, the following combinations + would be tried if "FRED" failed:</p><p>"Fred", "fred", "fRed", "frEd","freD"</p><p>If <em class="parameter"><code>password level</code></em> was set to 2, + the following combinations would also be tried: </p><p>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</p><p>And so on.</p><p>The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection.</p><p>A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case.</p><p>This parameter is used only when using plain-text passwords. It is + not at all used when encrypted passwords as in use (that is the default + since samba-3.0.0). Use this only when <a class="indexterm" name="id319448"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = <code class="literal">4</code> +</em></span> +</p></dd><dt><span class="term"><a name="PASSWORDSERVER"></a>password server (G)</span></dt><dd><p>By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using <code class="literal">security = [ads|domain|server]</code> + it is possible to get Samba to + to do all its username/password validation using a specific remote server.</p><p>This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections.</p><p>If parameter is a name, it is looked up using the + parameter <a class="indexterm" name="id319530"></a>name resolve order and so may resolved + by any method and order described in that parameter.</p><p>The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Using a password server means your UNIX box (running + Samba) is only as secure as your password server. <span class="emphasis"><em>DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</em></span>. + </p></div><p>Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server!</p><p>The name of the password server takes the standard + substitutions, but probably the only useful one is <em class="parameter"><code>%m + </code></em>, which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow!</p><p>If the <em class="parameter"><code>security</code></em> parameter is set to + <code class="constant">domain</code> or <code class="constant">ads</code>, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is effectively + in that domain, and will use cryptographically authenticated RPC calls + to authenticate the user logging on. The advantage of using <code class="literal"> + security = domain</code> is that if you list several hosts in the + <em class="parameter"><code>password server</code></em> option then <code class="literal">smbd + </code> will try each in turn till it finds one that responds. This + is useful in case your primary server goes down.</p><p>If the <em class="parameter"><code>password server</code></em> option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name <code class="constant">WORKGROUP<1C></code> + and then contacting each server returned in the list of IP + addresses from the name resolution source. </p><p>If the list of servers contains both names/IP's and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC.</p><p>If the <em class="parameter"><code>security</code></em> parameter is + set to <code class="constant">server</code>, then there are different + restrictions that <code class="literal">security = domain</code> doesn't + suffer from:</p><div class="itemizedlist"><ul type="disc"><li><p>You may list several password servers in + the <em class="parameter"><code>password server</code></em> parameter, however if an + <code class="literal">smbd</code> makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this <code class="literal">smbd</code>. This is a + restriction of the SMB/CIFS protocol when in <code class="literal">security = server + </code> mode and cannot be fixed in Samba.</p></li><li><p>If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in <code class="literal"> + security = server</code> mode the network logon will appear to + come from there rather than from the users workstation.</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal">NT-PDC, NT-BDC1, NT-BDC2, *</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal">windc.mydomain.com:389 192.168.1.101 *</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal">*</code> +</em></span> +</p></dd><dt><span class="term"><a name="DIRECTORY"></a>directory</span></dt><dd><p>This parameter is a synonym for path.</p></dd><dt><span class="term"><a name="PATH"></a>path (S)</span></dt><dd><p>This parameter specifies a directory to which + the user of the service is to be given access. In the case of + printable services, this is where print data will spool prior to + being submitted to the host for printing.</p><p>For a printable service offering guest access, the service + should be readonly and the path should be world-writeable and + have the sticky bit set. This is not mandatory of course, but + you probably won't get the results you expect if you do + otherwise.</p><p>Any occurrences of <em class="parameter"><code>%u</code></em> in the path + will be replaced with the UNIX username that the client is using + on this connection. Any occurrences of <em class="parameter"><code>%m</code></em> + will be replaced by the NetBIOS name of the machine they are + connecting from. These replacements are very useful for setting + up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id319834"></a>root dir + if one was specified.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>path</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>path</code></em> = <code class="literal">/home/fred</code> +</em></span> +</p></dd><dt><span class="term"><a name="PIDDIRECTORY"></a>pid directory (G)</span></dt><dd><p> + This option specifies the directory where pid files will be placed. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pid directory</code></em> = <code class="literal">${prefix}/var/locks</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>pid directory</code></em> = <code class="literal">pid directory = /var/run/</code> +</em></span> +</p></dd><dt><span class="term"><a name="POSIXLOCKING"></a>posix locking (S)</span></dt><dd><p> + The <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> + daemon maintains an database of file locks obtained by SMB clients. The default behavior is + to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are + consistent with those seen by POSIX compliant applications accessing the files via a non-SMB + method (e.g. NFS or local file access). You should never need to disable this parameter. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>posix locking</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="POSTEXEC"></a>postexec (S)</span></dt><dd><p>This option specifies a command to be run + whenever the service is disconnected. It takes the usual + substitutions. The command may be run as the root on some + systems.</p><p>An interesting example may be to unmount server + resources:</p><p><code class="literal">postexec = /etc/umount /cdrom</code></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>postexec</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>postexec</code></em> = <code class="literal">echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log</code> +</em></span> +</p></dd><dt><span class="term"><a name="EXEC"></a>exec</span></dt><dd><p>This parameter is a synonym for preexec.</p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever + the service is connected to. It takes the usual substitutions.</p><p>An interesting example is to send the users a welcome + message every time they log in. Maybe a message of the day? Here + is an example:</p><p> + <code class="literal">preexec = csh -c 'echo \"Welcome to %S!\" | + /usr/local/samba/bin/smbclient -M %m -I %I' & </code> + </p><p>Of course, this could get annoying after a while :-)</p><p> + See also <a class="indexterm" name="id320111"></a>preexec close and <a class="indexterm" name="id320118"></a>postexec. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = <code class="literal">echo \"%u connected to %S from %m (%I)\" >> /tmp/log</code> +</em></span> +</p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p> + This boolean option controls whether a non-zero return code from <a class="indexterm" name="id320180"></a>preexec + should close the service being connected to. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master</span></dt><dd><p>This parameter is a synonym for preferred master.</p></dd><dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p> + This boolean parameter controls if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> is a preferred master browser for its workgroup. + </p><p> + If this is set to <code class="constant">yes</code>, on startup, <code class="literal">nmbd</code> will force + an election, and it will have a slight advantage in winning the election. It is recommended that this + parameter is used in conjunction with <a class="indexterm" name="id320270"></a>domain master = yes, so that + <code class="literal">nmbd</code> can guarantee becoming a domain master. + </p><p> + Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) + that are preferred master browsers on the same subnet, they will each periodically and continuously attempt + to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing + capabilities. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preferred master</code></em> = <code class="literal">auto</code> +</em></span> +</p></dd><dt><span class="term"><a name="AUTOSERVICES"></a>auto services</span></dt><dd><p>This parameter is a synonym for preload.</p></dd><dt><span class="term"><a name="PRELOAD"></a>preload (G)</span></dt><dd><p>This is a list of services that you want to be + automatically added to the browse lists. This is most useful + for homes and printers services that would otherwise not be + visible.</p><p> + Note that if you just want all printers in your + printcap file loaded then the <a class="indexterm" name="id320355"></a>load printers + option is easier. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> = <code class="literal">fred lp colorlp</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = <code class="literal">/usr/lib/samba/passdb/mysql.so</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p> + This controls if new filenames are created with the case that the client passes, or if + they are forced to be the <a class="indexterm" name="id320472"></a>default case. + </p><p> + See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preserve case</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTOK"></a>print ok</span></dt><dd><p>This parameter is a synonym for printable.</p></dd><dt><span class="term"><a name="PRINTABLE"></a>printable (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code>, then + clients may open, write to and submit spool files on the directory + specified for the service. </p><p>Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The <a class="indexterm" name="id320662"></a>read only parameter controls only non-printing access to + the resource.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printable</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTCAPCACHETIME"></a>printcap cache time (G)</span></dt><dd><p>This option specifies the number of seconds before the printing + subsystem is again asked for the known printers. If the value + is greater than 60 the initial waiting time is set to 60 seconds + to allow an earlier first rescan of the printing subsystem. + </p><p>Setting this parameter to 0 disables any rescanning for new + or removed printers after the initial startup. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printcap cache time</code></em> = <code class="literal">750</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printcap cache time</code></em> = <code class="literal">600</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTCAP"></a>printcap</span></dt><dd><p>This parameter is a synonym for printcap name.</p></dd><dt><span class="term"><a name="PRINTCAPNAME"></a>printcap name (S)</span></dt><dd><p> + This parameter may be used to override the compiled-in default printcap name used by the server (usually + <code class="filename"> /etc/printcap</code>). See the discussion of the <a href="#PRINTERSSECT" title="The [printers] section">[printers]</a> section above for reasons why you might want to do this. + </p><p> + To use the CUPS printing interface set <code class="literal">printcap name = cups </code>. This should + be supplemented by an addtional setting <a class="indexterm" name="id320815"></a>printing = cups in the [global] + section. <code class="literal">printcap name = cups</code> will use the "dummy" printcap + created by CUPS, as specified in your CUPS configuration file. + </p><p> + On System V systems that use <code class="literal">lpstat</code> to + list available printers you can use <code class="literal">printcap name = lpstat + </code> to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If <em class="parameter"><code> + printcap name</code></em> is set to <code class="literal">lpstat</code> on + these systems then Samba will launch <code class="literal">lpstat -v</code> and + attempt to parse the output to obtain a printer list. + </p><p> + A minimal printcap file would look something like this: +</p><pre class="programlisting"> +print1|My Printer 1 +print2|My Printer 2 +print3|My Printer 3 +print4|My Printer 4 +print5|My Printer 5 +</pre><p> + where the '|' separates aliases of a printer. The fact that the second alias has a space in + it gives a hint to Samba that it's a comment. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Under AIX the default printcap name is <code class="filename">/etc/qconfig</code>. Samba will + assume the file is in AIX <code class="filename">qconfig</code> format if the string <code class="filename">qconfig</code> appears in the printcap filename. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>printcap name</code></em> = <code class="literal">/etc/printcap</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printcap name</code></em> = <code class="literal">/etc/myprintcap</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTCOMMAND"></a>print command (S)</span></dt><dd><p>After a print job has finished spooling to + a service, this command will be used via a <code class="literal">system()</code> + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files.</p><p>The print command is simply a text string. It will be used + verbatim after macro substitutions have been made:</p><p>%s, %f - the path to the spool + file name</p><p>%p - the appropriate printer + name</p><p>%J - the job + name as transmitted by the client.</p><p>%c - The number of printed pages + of the spooled job (if known).</p><p>%z - the size of the spooled + print job (in bytes)</p><p>The print command <span class="emphasis"><em>MUST</em></span> contain at least + one occurrence of <em class="parameter"><code>%s</code></em> or <em class="parameter"><code>%f + </code></em> - the <em class="parameter"><code>%p</code></em> is optional. At the time + a job is submitted, if no printer name is supplied the <em class="parameter"><code>%p + </code></em> will be silently removed from the printer command.</p><p>If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified.</p><p>If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the + <code class="constant">nobody</code> account. If this happens then create + an alternative guest account that can print and set the <a class="indexterm" name="id321038"></a>guest account + in the [global] section.</p><p>You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts.</p><p><code class="literal">print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s</code></p><p>You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the <a class="indexterm" name="id321064"></a>printing + parameter.</p><p>Default: For <code class="literal">printing = BSD, AIX, QNX, LPRNG + or PLP :</code></p><p><code class="literal">print command = lpr -r -P%p %s</code></p><p>For <code class="literal">printing = SYSV or HPUX :</code></p><p><code class="literal">print command = lp -c -d%p %s; rm %s</code></p><p>For <code class="literal">printing = SOFTQ :</code></p><p><code class="literal">print command = lp -d%p -s %s; rm %s</code></p><p>For printing = CUPS : If SAMBA is compiled against + libcups, then <a class="indexterm" name="id321121"></a>printcap = cups + uses the CUPS API to + submit jobs, etc. Otherwise it maps to the System V + commands with the -oraw option for printing, i.e. it + uses <code class="literal">lp -c -d%p -oraw; rm %s</code>. + With <code class="literal">printing = cups</code>, + and if SAMBA is compiled against libcups, any manually + set print command will be ignored.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>print command</code></em> = <code class="literal">/usr/local/samba/bin/myprintscript %p %s</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTERADMIN"></a>printer admin (S)</span></dt><dd><p> + This lists users who can do anything to printers + via the remote administration interfaces offered + by MS-RPC (usually using a NT workstation). + This parameter can be set per-share or globally. + Note: The root user always has admin rights. Use + caution with use in the global stanza as this can + cause side effects. + </p><p> + This parameter has been marked deprecated in favor + of using the SePrintOperatorPrivilege and individual + print security descriptors. It will be removed in a future release. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printer admin</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printer admin</code></em> = <code class="literal">admin, @staff</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTER"></a>printer</span></dt><dd><p>This parameter is a synonym for printer name.</p></dd><dt><span class="term"><a name="PRINTERNAME"></a>printer name (S)</span></dt><dd><p> + This parameter specifies the name of the printer to which print jobs spooled through a printable service + will be sent. + </p><p> + If specified in the [global] section, the printer name given will be used for any printable service that + does not have its own printer name specified. + </p><p> + The default value of the <a class="indexterm" name="id321277"></a>printer name may be <code class="literal">lp</code> on many + systems. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = <code class="literal">none</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = <code class="literal">laserwriter</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRINTING"></a>printing (S)</span></dt><dd><p>This parameters controls how printer status information is + interpreted on your system. It also affects the default values for + the <em class="parameter"><code>print command</code></em>, <em class="parameter"><code>lpq command</code></em>, <em class="parameter"><code>lppause command </code></em>, <em class="parameter"><code>lpresume command</code></em>, and <em class="parameter"><code>lprm command</code></em> if specified in the + [global] section.</p><p>Currently nine printing styles are supported. They are + <code class="constant">BSD</code>, <code class="constant">AIX</code>, + <code class="constant">LPRNG</code>, <code class="constant">PLP</code>, + <code class="constant">SYSV</code>, <code class="constant">HPUX</code>, + <code class="constant">QNX</code>, <code class="constant">SOFTQ</code>, + and <code class="constant">CUPS</code>.</p><p>To see what the defaults are for the other print + commands when using the various options use the <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> program.</p><p>This option can be set on a per printer basis. Please be + aware however, that you must place any of the various printing + commands (e.g. print command, lpq command, etc...) after defining + the value for the <em class="parameter"><code>printing</code></em> option since it will + reset the printing commands to default values.</p><p>See also the discussion in the <a href="#PRINTERSSECT" title="The [printers] section"> + [printers]</a> section.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="PRINTJOBUSERNAME"></a>printjob username (S)</span></dt><dd><p>This parameter specifies which user information will be + passed to the printing system. Usually, the username is sent, + but in some cases, e.g. the domain prefix is useful, too.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printjob username</code></em> = <code class="literal">%U</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>printjob username</code></em> = <code class="literal">%D\%U</code> +</em></span> +</p></dd><dt><span class="term"><a name="PRIVATEDIR"></a>private dir (G)</span></dt><dd><p>This parameters defines the directory + smbd will use for storing such files as <code class="filename">smbpasswd</code> + and <code class="filename">secrets.tdb</code>. +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>private dir</code></em> = <code class="literal">${prefix}/private</code> +</em></span> +</p></dd><dt><span class="term"><a name="PROFILEACLS"></a>profile acls (S)</span></dt><dd><p> + This boolean parameter was added to fix the problems that people have been + having with storing user profiles on Samba shares from Windows 2000 or + Windows XP clients. New versions of Windows 2000 or Windows XP service + packs do security ACL checking on the owner and ability to write of the + profile directory stored on a local workstation when copied from a Samba + share. + </p><p> + When not in domain mode with winbindd then the security info copied + onto the local workstation has no meaning to the logged in user (SID) on + that workstation so the profile storing fails. Adding this parameter + onto a share used for profile storage changes two things about the + returned Windows ACL. Firstly it changes the owner and group owner + of all reported files and directories to be BUILTIN\\Administrators, + BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly + it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to + every returned ACL. This will allow any Windows 2000 or XP workstation + user to access the profile. + </p><p> + Note that if you have multiple users logging + on to a workstation then in order to prevent them from being able to access + each others profiles you must remove the "Bypass traverse checking" advanced + user right. This will prevent access to other users profile directories as + the top level profile directory (named after the user) is created by the + workstation profile code and has an ACL restricting entry to the directory + tree to the owning user. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>profile acls</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="QUEUEPAUSECOMMAND"></a>queuepause command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to pause the printer queue.</p><p>This command should be a program or script which takes + a printer name as its only parameter and stops the printer queue, + such that no longer jobs are submitted to the printer.</p><p>This command is not supported by Windows for Workgroups, + but can be issued from the Printers window under Windows 95 + and NT.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. Otherwise it is placed at the end of the command. + </p><p>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>queuepause command</code></em> = <code class="literal">disable %p</code> +</em></span> +</p></dd><dt><span class="term"><a name="QUEUERESUMECOMMAND"></a>queueresume command (S)</span></dt><dd><p>This parameter specifies the command to be + executed on the server host in order to resume the printer queue. It + is the command to undo the behavior that is caused by the + previous parameter (<a class="indexterm" name="id321707"></a>queuepause command).</p><p>This command should be a program or script which takes + a printer name as its only parameter and resumes the printer queue, + such that queued jobs are resubmitted to the printer.</p><p>This command is not supported by Windows for Workgroups, + but can be issued from the Printers window under Windows 95 + and NT.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name + is put in its place. Otherwise it is placed at the end of the + command.</p><p>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>queueresume command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>queueresume command</code></em> = <code class="literal">enable %p</code> +</em></span> +</p></dd><dt><span class="term"><a name="READBMPX"></a>read bmpx (G)</span></dt><dd><p>This boolean parameter controls whether + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to + <code class="constant">no</code>. You should never need to set this + parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read bmpx</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p> + This is a list of users that are given read-only access to a service. If the connecting user is in this list + then they will not be given write access, no matter what the <a class="indexterm" name="id321844"></a>read only option is set + to. The list can include group names using the syntax described in the <a class="indexterm" name="id321852"></a>invalid users + parameter. + </p><p>This parameter will not work with the <a class="indexterm" name="id321862"></a>security = share in + Samba 3.0. This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = <code class="literal">mary, @students</code> +</em></span> +</p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id321924"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users + of a service may not create or modify files in the service's + directory.</p><p>Note that a printable service (<code class="literal">printable = yes</code>) + will <span class="emphasis"><em>ALWAYS</em></span> allow writing to the directory + (user privileges permitting), but only via spooling operations.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read only</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="READRAW"></a>read raw (G)</span></dt><dd><p>This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients.</p><p>If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. + </p><p>However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads.</p><p>In general this parameter should be viewed as a system tuning + tool and left severely alone.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read raw</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="REALM"></a>realm (G)</span></dt><dd><p>This option specifies the kerberos realm to use. The realm is + used as the ADS equivalent of the NT4 <code class="literal">domain</code>. It + is usually set to the DNS name of the kerberos server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>realm</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>realm</code></em> = <code class="literal">mysambabox.mycompany.com</code> +</em></span> +</p></dd><dt><span class="term"><a name="REMOTEANNOUNCE"></a>remote announce (G)</span></dt><dd><p> + This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name. + </p><p> + This is useful if you want your Samba server to appear in a remote workgroup for + which the normal browse propagation rules don't work. The remote workgroup can be + anywhere that you can send IP packets to. + </p><p> + For example: +</p><pre class="programlisting"> +<code class="literal">remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF</code> +</pre><p> + the above line would cause <code class="literal">nmbd</code> to announce itself + to the two given IP addresses using the given workgroup names. If you leave out the + workgroup name then the one given in the <a class="indexterm" name="id322141"></a>workgroup parameter + is used instead. + </p><p> + The IP addresses you choose would normally be the broadcast addresses of the remote + networks, but can also be the IP addresses of known browse masters if your network + config is that stable. + </p><p> + See the chapter on Network Browsing in the Samba-HOWTO book. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>remote announce</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="REMOTEBROWSESYNC"></a>remote browse sync (G)</span></dt><dd><p> + This option allows you to setup <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to periodically request + synchronization of browse lists with the master browser of a Samba + server that is on a remote segment. This option will allow you to + gain browse lists for multiple workgroups across routed networks. This + is done in a manner that does not work with any non-Samba servers. + </p><p> + This is useful if you want your Samba server and all local + clients to appear in a remote workgroup for which the normal browse + propagation rules don't work. The remote workgroup can be anywhere + that you can send IP packets to. + </p><p> + For example: +</p><pre class="programlisting"> +<em class="parameter"><code>remote browse sync = 192.168.2.255 192.168.4.255</code></em> +</pre><p> + the above line would cause <code class="literal">nmbd</code> to request the master browser on the + specified subnets or addresses to synchronize their browse lists with + the local server. + </p><p> + The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. If + a machine IP address is given Samba makes NO attempt to validate + that the remote machine is available, is listening, nor that it + is in fact the browse master on its segment. + </p><p> + The <a class="indexterm" name="id322243"></a>remote browse sync may be used on networks + where there is no WINS server, and may be used on disjoint networks where + each network has its own WINS server. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>remote browse sync</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="RENAMEUSERSCRIPT"></a>rename user script (G)</span></dt><dd><p> + This is the full pathname to a script that will be run as root by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> under special circumstances described below. + </p><p> + When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager + for Domains), this script will be run to rename the POSIX user. Two variables, <code class="literal">%uold</code> and + <code class="literal">%unew</code>, will be substituted with the old and new usernames, respectively. The script should + return 0 upon successful completion, and nonzero otherwise. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The script has all responsibility to rename all the necessary data that is accessible in this posix method. + This can mean different requirements for different backends. The tdbsam and smbpasswd backends will take care + of the contents of their respective files, so the script is responsible only for changing the POSIX username, and + other data that may required for your circumstances, such as home directory. Please also consider whether or + not you need to rename the actual home directories themselves. The ldapsam backend will not make any changes, + because of the potential issues with renaming the LDAP naming attribute. In this case the script is + responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that + needs to change for other applications using the same directory. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>rename user script</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="RESETONZEROVC"></a>reset on zero vc (G)</span></dt><dd><p> + This boolean option controls whether an incoming session setup + should kill other connections coming from the same IP. This matches + the default Windows 2003 behaviour. + + Setting this parameter to yes becomes necessary when you have a flaky + network and windows decides to reconnect while the old connection + still has files with share modes open. These files become inaccessible + over the new connection. + + The client sends a zero VC on the new connection, and Windows 2003 + kills all other connections coming from the same IP. This way the + locked files are accessible again. + + Please be aware that enabling this option will kill connections behind + a masquerading router. + + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>reset on zero vc</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="RESTRICTANONYMOUS"></a>restrict anonymous (G)</span></dt><dd><p>The setting of this parameter determines whether user and + group list information is returned for an anonymous connection. + and mirrors the effects of the +</p><pre class="programlisting"> +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ + Control\LSA\RestrictAnonymous +</pre><p> + registry key in Windows 2000 and Windows NT. When set to 0, user + and group list information is returned to anyone who asks. When set + to 1, only an authenticated user can retrive user and + group list information. For the value 2, supported by + Windows 2000/XP and Samba, no anonymous connections are allowed at + all. This can break third party and Microsoft + applications which expect to be allowed to perform + operations anonymously.</p><p> + The security advantage of using restrict anonymous = 1 is dubious, + as user and group list information can be obtained using other + means. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + The security advantage of using restrict anonymous = 2 is removed + by setting <a class="indexterm" name="id322431"></a>guest ok = yes on any share. + </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>restrict anonymous</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="ROOT"></a>root</span></dt><dd><p>This parameter is a synonym for root directory.</p></dd><dt><span class="term"><a name="ROOTDIR"></a>root dir</span></dt><dd><p>This parameter is a synonym for root directory.</p></dd><dt><span class="term"><a name="ROOTDIRECTORY"></a>root directory (G)</span></dt><dd><p>The server will <code class="literal">chroot()</code> (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the + <a class="indexterm" name="id322529"></a>wide smbconfoptions parameter). + </p><p>Adding a <em class="parameter"><code>root directory</code></em> entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the <em class="parameter"><code>root directory</code></em> + option, <span class="emphasis"><em>including</em></span> some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the <em class="parameter"><code>root directory</code></em> tree. In particular + you will need to mirror <code class="filename">/etc/passwd</code> (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root directory</code></em> = <code class="literal">/</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>root directory</code></em> = <code class="literal">/homes/smb</code> +</em></span> +</p></dd><dt><span class="term"><a name="ROOTPOSTEXEC"></a>root postexec (S)</span></dt><dd><p> + This is the same as the <em class="parameter"><code>postexec</code></em> + parameter except that the command is run as root. This is useful for + unmounting filesystems (such as CDROMs) after a connection is closed. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root postexec</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="ROOTPREEXEC"></a>root preexec (S)</span></dt><dd><p> + This is the same as the <em class="parameter"><code>preexec</code></em> + parameter except that the command is run as root. This is useful for + mounting filesystems (such as CDROMs) when a connection is opened. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec</code></em> = <code class="literal"></code> +</em></span> +</p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <em class="parameter"><code>preexec close + </code></em> parameter except that the command is run as root.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec close</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to + Samba and is one of the most important settings in the <code class="filename"> + smb.conf</code> file.</p><p>The option sets the "security mode bit" in replies to + protocol negotiations with <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server.</p><p>The default is <code class="literal">security = user</code>, as this is + the most common setting needed when talking to Windows 98 and + Windows NT.</p><p>The alternatives are <code class="literal">security = share</code>, + <code class="literal">security = server</code> or <code class="literal">security = domain + </code>.</p><p>In versions of Samba prior to 2.0.0, the default was + <code class="literal">security = share</code> mainly because that was + the only option at one stage.</p><p>There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the username and password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as.</p><p>If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + <code class="literal">security = user</code>. If you mostly use usernames + that don't exist on the UNIX box then use <code class="literal">security = + share</code>.</p><p>You should also use <code class="literal">security = share</code> if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with <code class="literal">security = user</code>, see + the <a class="indexterm" name="id322862"></a>map to guestparameter for details.</p><p>It is possible to use <code class="literal">smbd</code> in a <span class="emphasis"><em> + hybrid mode</em></span> where it is offers both user and share + level security under different <a class="indexterm" name="id322883"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a <code class="literal">security = share + </code> server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share.</p><p>Note that <code class="literal">smbd</code> <span class="emphasis"><em>ALWAYS</em></span> + uses a valid UNIX user to act on behalf of the client, even in + <code class="literal">security = share</code> level security.</p><p>As clients are not required to send a username to the server + in share level security, <code class="literal">smbd</code> uses several + techniques to determine the correct UNIX user to use on behalf + of the client.</p><p>A list of possible UNIX usernames to match with the given + client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id322959"></a>guest only parameter is set, then all the other + stages are missed and only the <a class="indexterm" name="id322966"></a>guest account username is checked. + </p></li><li><p>Is a username is sent with the share connection + request, then this username (after mapping - see <a class="indexterm" name="id322981"></a>username map), + is added as a potential username. + </p></li><li><p>If the client did a previous <span class="emphasis"><em>logon + </em></span> request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + </p></li><li><p>The name of the service the client requested is + added as a potential username. + </p></li><li><p>The NetBIOS name of the client is added to + the list as a potential username. + </p></li><li><p>Any users on the <a class="indexterm" name="id323021"></a>user list are added as potential usernames. + </p></li></ul></div><p>If the <em class="parameter"><code>guest only</code></em> parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user.</p><p>If the <em class="parameter"><code>guest only</code></em> parameter is + set, or no username can be determined then if the share is marked + as available to the <em class="parameter"><code>guest account</code></em>, then this + guest user will be used, otherwise access is denied.</p><p>Note that it can be <span class="emphasis"><em>very</em></span> confusing + in share-level security as to which UNIX username will eventually + be used in granting access.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the <a class="indexterm" name="id323090"></a>username map + parameter). Encrypted passwords (see the <a class="indexterm" name="id323098"></a>encrypted passwords parameter) can also + be used in this security mode. Parameters such as <a class="indexterm" name="id323106"></a>user and <a class="indexterm" name="id323113"></a>guest only if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being + requested is <span class="emphasis"><em>not</em></span> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <a class="indexterm" name="id323132"></a>guest account. + See the <a class="indexterm" name="id323140"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this + machine into a Windows NT Domain. It expects the <a class="indexterm" name="id323178"></a>encrypted passwords + parameter to be set to <code class="constant">yes</code>. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do.</p><p><span class="emphasis"><em>Note</em></span> that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to.</p><p><span class="emphasis"><em>Note</em></span> that from the client's point + of view <code class="literal">security = domain</code> is the same + as <code class="literal">security = user</code>. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being + requested is <span class="emphasis"><em>not</em></span> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <a class="indexterm" name="id323228"></a>guest account. + See the <a class="indexterm" name="id323235"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id323256"></a>password server parameter and + the <a class="indexterm" name="id323264"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p> + In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an + NT box. If this fails it will revert to <code class="literal">security = user</code>. It expects the + <a class="indexterm" name="id323290"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote + server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid <code class="filename">smbpasswd</code> file to check users against. See the chapter about the User Database in + the Samba HOWTO Collection for details on how to set this up. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This mode of operation has + significant pitfalls since it is more vulnerable to + man-in-the-middle attacks and server impersonation. In particular, + this mode of operation can cause significant resource consuption on + the PDC, as it must maintain an active connection for the duration + of the user's session. Furthermore, if this connection is lost, + there is no way to reestablish it, and futher authentications to the + Samba server may fail (from a single client, till it disconnects). + </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>From the client's point of + view <code class="literal">security = server</code> is the + same as <code class="literal">security = user</code>. It + only affects how the server deals with the authentication, it does + not in any way affect what the client sees.</p></div><p><span class="emphasis"><em>Note</em></span> that the name of the resource being + requested is <span class="emphasis"><em>not</em></span> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <a class="indexterm" name="id323348"></a>guest account. + See the <a class="indexterm" name="id323355"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id323376"></a>password server parameter and the + <a class="indexterm" name="id323383"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate + in this mode, the machine running Samba will need to have Kerberos installed + and configured and Samba will need to be joined to the ADS realm using the + net utility. </p><p>Note that this mode does NOT make Samba operate as a Active Directory Domain + Controller. </p><p>Read the chapter about Domain Membership in the HOWTO for details.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security</code></em> = <code class="literal">USER</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security</code></em> = <code class="literal">DOMAIN</code> +</em></span> +</p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the + UNIX permission on a file using the native NT security dialog box. + </p><p> + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with <a class="indexterm" name="id323475"></a>force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND. + </p><p> + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + </p><p> + If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file. + </p><p><span class="emphasis"><em> + Note</em></span> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of + most normal systems will probably want to leave it set to <code class="constant">0777</code>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = <code class="literal">0777</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = <code class="literal">0770</code> +</em></span> +</p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p> + This controls whether the server offers or even demands the use of the netlogon schannel. + <a class="indexterm" name="id323559"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id323566"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id323574"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel. + This is only the case for Windows NT4 before SP4. + </p><p> + Please note that with this set to <code class="literal">no</code> you will have to apply the WindowsXP + <code class="filename">WinXP_SignOrSeal.reg</code> registry patch found in the docs/registry subdirectory of the Samba distribution tarball. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>server schannel</code></em> = <code class="literal">auto</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>server schannel</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="SERVERSIGNING"></a>server signing (G)</span></dt><dd><p>This controls whether the server offers or requires + the client it talks to to use SMB signing. Possible values + are <span class="emphasis"><em>auto</em></span>, <span class="emphasis"><em>mandatory</em></span> + and <span class="emphasis"><em>disabled</em></span>. + </p><p>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>server signing</code></em> = <code class="literal">Disabled</code> +</em></span> +</p></dd><dt><span class="term"><a name="SERVERSTRING"></a>server string (G)</span></dt><dd><p>This controls what string will show up in the printer comment box in print + manager and next to the IPC connection in <code class="literal">net view</code>. It + can be any string that you wish to show to your users.</p><p>It also sets what will appear in browse lists next + to the machine name.</p><p>A <em class="parameter"><code>%v</code></em> will be replaced with the Samba + version number.</p><p>A <em class="parameter"><code>%h</code></em> will be replaced with the + hostname.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>server string</code></em> = <code class="literal">Samba %v</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>server string</code></em> = <code class="literal">University of GNUs Samba Server</code> +</em></span> +</p></dd><dt><span class="term"><a name="SETDIRECTORY"></a>set directory (S)</span></dt><dd><p> + If <code class="literal">set directory = no</code>, then users of the + service may not use the setdir command to change directory. + </p><p> + The <code class="literal">setdir</code> command is only implemented + in the Digital Pathworks client. See the Pathworks documentation + for details. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>set directory</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="SETPRIMARYGROUPSCRIPT"></a>set primary group script (G)</span></dt><dd><p>Thanks to the Posix subsystem in NT a Windows User has a + primary group in addition to the auxiliary groups. This script + sets the primary group in the unix userdatase when an + administrator sets the primary group from the windows user + manager or when fetching a SAM with <code class="literal">net rpc + vampire</code>. <em class="parameter"><code>%u</code></em> will be replaced + with the user whose primary group is to be set. + <em class="parameter"><code>%g</code></em> will be replaced with the group to + set.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>set primary group script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>set primary group script</code></em> = <code class="literal">/usr/sbin/usermod -g '%g' '%u'</code> +</em></span> +</p></dd><dt><span class="term"><a name="SETQUOTACOMMAND"></a>set quota command (G)</span></dt><dd><p>The <code class="literal">set quota command</code> should only be used + whenever there is no operating system API available from the OS that + samba can use.</p><p>This option is only available if Samba was configured with the argument <code class="literal">--with-sys-quotas</code> or + on linux when <code class="literal">./configure --with-quotas</code> was used and a working quota api + was found in the system. Most packages are configured with these options already.</p><p>This parameter should specify the path to a script that + can set quota for the specified arguments.</p><p>The specified script should take the following arguments:</p><div class="itemizedlist"><ul type="disc"><li><p>1 - quota type + </p><div class="itemizedlist"><ul type="circle"><li><p>1 - user quotas</p></li><li><p>2 - user default quotas (uid = -1)</p></li><li><p>3 - group quotas</p></li><li><p>4 - group default quotas (gid = -1)</p></li></ul></div><p> + </p></li><li><p>2 - id (uid for user, gid for group, -1 if N/A)</p></li><li><p>3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)</p></li><li><p>4 - block softlimit</p></li><li><p>5 - block hardlimit</p></li><li><p>6 - inode softlimit</p></li><li><p>7 - inode hardlimit</p></li><li><p>8(optional) - block size, defaults to 1024</p></li></ul></div><p>The script should output at least one line of data on success. And nothing on failure.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>set quota command</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>set quota command</code></em> = <code class="literal">/usr/local/sbin/set_quota</code> +</em></span> +</p></dd><dt><span class="term"><a name="SHAREMODES"></a>share modes (S)</span></dt><dd><p>This enables or disables the honoring of + the <em class="parameter"><code>share modes</code></em> during a file open. These + modes are used by clients to gain exclusive read or write access + to a file.</p><p>These open modes are not directly supported by UNIX, so + they are simulated using shared memory, or lock files if your + UNIX doesn't support shared memory (almost all do).</p><p>The share modes that are enabled by this option are + <code class="constant">DENY_DOS</code>, <code class="constant">DENY_ALL</code>, + <code class="constant">DENY_READ</code>, <code class="constant">DENY_WRITE</code>, + <code class="constant">DENY_NONE</code> and <code class="constant">DENY_FCB</code>. + </p><p>This option gives full share compatibility and enabled + by default.</p><p>You should <span class="emphasis"><em>NEVER</em></span> turn this parameter + off as many Windows applications will break if you do so.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>share modes</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p> + This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of + suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id324165"></a>default case. + This option can be use with <a class="indexterm" name="id324172"></a>preserve case = yes to permit long filenames + to retain their case, while short names are lowered. + </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>short preserve case</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="SHOWADDPRINTERWIZARD"></a>show add printer wizard (G)</span></dt><dd><p>With the introduction of MS-RPC based printing support + for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will + appear on Samba hosts in the share listing. Normally this folder will + contain an icon for the MS Add Printer Wizard (APW). However, it is + possible to disable this feature regardless of the level of privilege + of the connected user.</p><p>Under normal circumstances, the Windows NT/2000 client will + open a handle on the printer server with OpenPrinterEx() asking for + Administrator privileges. If the user does not have administrative + access on the print server (i.e is not root or a member of the + <em class="parameter"><code>printer admin</code></em> group), the OpenPrinterEx() + call fails and the client makes another open call with a request for + a lower privilege level. This should succeed, however the APW + icon will not be displayed.</p><p>Disabling the <em class="parameter"><code>show add printer wizard</code></em> + parameter will always cause the OpenPrinterEx() on the server + to fail. Thus the APW icon will never be displayed. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This does not prevent the same user from having + administrative privilege on an individual printer.</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>show add printer wizard</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="SHUTDOWNSCRIPT"></a>shutdown script (G)</span></dt><dd><p>This a full path name to a script called by + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should + start a shutdown procedure.</p><p>If the connected user posseses the <code class="constant">SeRemoteShutdownPrivilege</code>, + right, this command will be run as user.</p><p>The %z %t %r %f variables are expanded as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>%z</code></em> will be substituted with the + shutdown message sent to the server.</p></li><li><p><em class="parameter"><code>%t</code></em> will be substituted with the + number of seconds to wait before effectively starting the + shutdown procedure.</p></li><li><p><em class="parameter"><code>%r</code></em> will be substituted with the + switch <span class="emphasis"><em>-r</em></span>. It means reboot after shutdown + for NT.</p></li><li><p><em class="parameter"><code>%f</code></em> will be substituted with the + switch <span class="emphasis"><em>-f</em></span>. It means force the shutdown + even if applications do not respond for NT.</p></li></ul></div><p>Shutdown script example: +</p><pre class="programlisting"> +#!/bin/bash + +$time=0 +let "time/60" +let "time++" + +/sbin/shutdown $3 $4 +$time $1 & +</pre><p> + Shutdown does not return so we need to launch it in background. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>shutdown script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>shutdown script</code></em> = <code class="literal">/usr/local/samba/sbin/shutdown %m %t %r %f</code> +</em></span> +</p></dd><dt><span class="term"><a name="SMBPASSWDFILE"></a>smb passwd file (G)</span></dt><dd><p>This option sets the path to the encrypted smbpasswd file. By + default the path to the smbpasswd file is compiled into Samba.</p><p> + An example of use is: +</p><pre class="programlisting"> +smb passwd file = /etc/samba/smbpasswd +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>smb passwd file</code></em> = <code class="literal">${prefix}/private/smbpasswd</code> +</em></span> +</p></dd><dt><span class="term"><a name="SMBPORTS"></a>smb ports (G)</span></dt><dd><p>Specifies which ports the server should listen on for SMB traffic.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>smb ports</code></em> = <code class="literal">445 139</code> +</em></span> +</p></dd><dt><span class="term"><a name="SOCKETADDRESS"></a>socket address (G)</span></dt><dd><p>This option allows you to control what + address Samba will listen for connections on. This is used to + support multiple virtual interfaces on the one server, each + with a different configuration.</p><p>By default Samba will accept connections on any + address.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>socket address</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>socket address</code></em> = <code class="literal">192.168.2.20</code> +</em></span> +</p></dd><dt><span class="term"><a name="SOCKETOPTIONS"></a>socket options (G)</span></dt><dd><p>This option allows you to set socket options + to be used when talking with the client.</p><p>Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned.</p><p>This option will typically be used to tune your Samba server + for optimal performance for your local network. There is no way + that Samba can know what the optimal parameters are for your net, + so you must experiment and choose them yourself. We strongly + suggest you read the appropriate documentation for your operating + system first (perhaps <code class="literal">man + setsockopt</code> will help).</p><p>You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to <a href="mailto:samba-technical@samba.org" target="_top"> + samba-technical@samba.org</a>.</p><p>Any of the supported socket options may be combined + in any way you like, as long as your OS allows it.</p><p>This is the list of socket options currently settable + using this option:</p><div class="itemizedlist"><ul type="disc"><li><p>SO_KEEPALIVE</p></li><li><p>SO_REUSEADDR</p></li><li><p>SO_BROADCAST</p></li><li><p>TCP_NODELAY</p></li><li><p>IPTOS_LOWDELAY</p></li><li><p>IPTOS_THROUGHPUT</p></li><li><p>SO_SNDBUF *</p></li><li><p>SO_RCVBUF *</p></li><li><p>SO_SNDLOWAT *</p></li><li><p>SO_RCVLOWAT *</p></li></ul></div><p>Those marked with a <span class="emphasis"><em>'*'</em></span> take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0.</p><p>To specify an argument use the syntax SOME_OPTION = VALUE + for example <code class="literal">SO_SNDBUF = 8192</code>. Note that you must + not have any spaces before or after the = sign.</p><p>If you are on a local network then a sensible option + might be:</p><p><code class="literal">socket options = IPTOS_LOWDELAY</code></p><p>If you have a local network then you could try:</p><p><code class="literal">socket options = IPTOS_LOWDELAY TCP_NODELAY</code></p><p>If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT. </p><p>Note that several of the options may cause your Samba + server to fail completely. Use these options with caution!</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>socket options</code></em> = <code class="literal">TCP_NODELAY</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>socket options</code></em> = <code class="literal">IPTOS_LOWDELAY</code> +</em></span> +</p></dd><dt><span class="term"><a name="STATCACHE"></a>stat cache (G)</span></dt><dd><p>This parameter determines if <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will use a cache in order to + speed up case insensitive name mappings. You should never need + to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>stat cache</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="STOREDOSATTRIBUTES"></a>store dos attributes (S)</span></dt><dd><p> + If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or + READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such + as occurs with <a class="indexterm" name="id324831"></a>map hidden and <a class="indexterm" name="id324838"></a>map readonly). When set, DOS + attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or + directory. For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id324846"></a>map hidden, + <a class="indexterm" name="id324854"></a>map system, <a class="indexterm" name="id324861"></a>map archive and <a class="indexterm" name="id324868"></a>map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended + attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an + EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for + extended attributes to work, also extended attributes must be compiled into the Linux kernel. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>store dos attributes</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="STRICTALLOCATE"></a>strict allocate (S)</span></dt><dd><p>This is a boolean that controls the handling of + disk space allocation in the server. When this is set to <code class="constant">yes</code> + the server will change from UNIX behaviour of not committing real + disk storage blocks when a file is extended to the Windows behaviour + of actually forcing the disk system to allocate real storage blocks + when a file is created or extended to be a given size. In UNIX + terminology this means that Samba will stop creating sparse files. + This can be slow on some systems.</p><p>When strict allocate is <code class="constant">no</code> the server does sparse + disk block allocation when a file is extended.</p><p>Setting this to <code class="constant">yes</code> can help Samba return + out of quota messages on systems that are restricting the disk quota + of users.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict allocate</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="STRICTLOCKING"></a>strict locking (S)</span></dt><dd><p> + This is an enumerated type that controls the handling of file locking in the server. When this is set to <code class="constant">yes</code>, + the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on + some systems. + </p><p> + When strict locking is set to Auto (the default), the server performs file lock checks only on non-oplocked files. + As most Windows redirectors perform file locking checks locally on oplocked files this is a good trade off for + inproved performance. + </p><p> + When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them. + </p><p> + Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases, + <code class="literal">strict locking = Auto</code> or + <code class="literal">strict locking = no</code> is acceptable. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict locking</code></em> = <code class="literal">Auto</code> +</em></span> +</p></dd><dt><span class="term"><a name="STRICTSYNC"></a>strict sync (S)</span></dt><dd><p>Many Windows applications (including the Windows 98 explorer + shell) seem to confuse flushing buffer contents to disk with doing + a sync to disk. Under UNIX, a sync call forces the process to be + suspended until the kernel has ensured that all outstanding data in + kernel disk buffers has been safely stored onto stable storage. + This is very slow and should only be done rarely. Setting this + parameter to <code class="constant">no</code> (the default) means that + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> ignores the Windows + applications requests for a sync call. There is only a possibility + of losing data if the operating system itself that Samba is running + on crashes, so there is little danger in this default setting. In + addition, this fixes many performance problems that people have + reported with the new Windows98 explorer shell file copies.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict sync</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="SVCCTLLIST"></a>svcctl list (G)</span></dt><dd><p>This option defines a list of init scripts that smbd + will use for starting and stopping Unix services via the Win32 + ServiceControl API. This allows Windows administrators to + utilize the MS Management Console plug-ins to manage a + Unix server running Samba.</p><p>The administrator must create a directory + name <code class="filename">svcctl</code> in Samba's $(libdir) + and create symbolic links to the init scripts in + <code class="filename">/etc/init.d/</code>. The name of the links + must match the names given as part of the <em class="parameter"><code>svcctl list</code></em>. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>svcctl list</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>svcctl list</code></em> = <code class="literal">cups postfix portmap httpd</code> +</em></span> +</p></dd><dt><span class="term"><a name="SYNCALWAYS"></a>sync always (S)</span></dt><dd><p>This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is <code class="constant">no</code> then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is <code class="constant">yes</code> then every write will be followed by a <code class="literal">fsync() + </code> call to ensure the data is written to disk. Note that + the <em class="parameter"><code>strict sync</code></em> parameter must be set to + <code class="constant">yes</code> in order for this parameter to have + any affect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>sync always</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="SYSLOG"></a>syslog (G)</span></dt><dd><p> + This parameter maps how Samba debug messages are logged onto the system syslog logging levels. + Samba debug level zero maps onto syslog <code class="constant">LOG_ERR</code>, debug level one maps onto + <code class="constant">LOG_WARNING</code>, debug level two maps onto <code class="constant">LOG_NOTICE</code>, + debug level three maps onto LOG_INFO. All higher levels are mapped to <code class="constant">LOG_DEBUG</code>. + </p><p> + This parameter sets the threshold for sending messages to syslog. Only messages with debug + level less than this value will be sent to syslog. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog</code></em> = <code class="literal">1</code> +</em></span> +</p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p> + If this parameter is set then Samba debug messages are logged into the system + syslog only, and not to the debug log files. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="TEMPLATEHOMEDIR"></a>template homedir (G)</span></dt><dd><p>When filling out the user information for a Windows NT + user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this + parameter to fill in the home directory for that user. If the + string <em class="parameter"><code>%D</code></em> is present it + is substituted with the user's Windows NT domain name. If the + string <em class="parameter"><code>%U</code></em> is present it + is substituted with the user's Windows NT user name.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>template homedir</code></em> = <code class="literal">/home/%D/%U</code> +</em></span> +</p></dd><dt><span class="term"><a name="TEMPLATESHELL"></a>template shell (G)</span></dt><dd><p>When filling out the user information for a Windows NT + user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this + parameter to fill in the login shell for that user.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="TIMEOFFSET"></a>time offset (G)</span></dt><dd><p>This parameter is a setting in minutes to add + to the normal GMT to local time conversion. This is useful if + you are serving a lot of PCs that have incorrect daylight + saving time handling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>time offset</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>time offset</code></em> = <code class="literal">60</code> +</em></span> +</p></dd><dt><span class="term"><a name="TIMESERVER"></a>time server (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> advertises itself as a time server to Windows +clients.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>time server</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="UNIXCHARSET"></a>unix charset (G)</span></dt><dd><p>Specifies the charset the unix machine + Samba runs on uses. Samba needs to know this in order to be able to + convert text to the charsets other SMB clients use. + </p><p>This is also the charset Samba will use when specifying arguments + to scripts that it invokes. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>unix charset</code></em> = <code class="literal">UTF8</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>unix charset</code></em> = <code class="literal">ASCII</code> +</em></span> +</p></dd><dt><span class="term"><a name="UNIXEXTENSIONS"></a>unix extensions (G)</span></dt><dd><p>This boolean parameter controls whether Samba + implments the CIFS UNIX extensions, as defined by HP. + These extensions enable Samba to better serve UNIX CIFS clients + by supporting features such as symbolic links, hard links, etc... + These extensions require a similarly enabled client, and are of + no current use to Windows clients.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>unix extensions</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="UNIXPASSWORDSYNC"></a>unix password sync (G)</span></dt><dd><p>This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to <code class="constant">yes</code> the program specified in the <em class="parameter"><code>passwd + program</code></em>parameter is called <span class="emphasis"><em>AS ROOT</em></span> - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>unix password sync</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="UPDATEENCRYPTED"></a>update encrypted (G)</span></dt><dd><p> + This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as they log on. This option allows a site to + migrate from plaintext password authentication (users authenticate with plaintext password over the + wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing all users to re-enter their passwords via + smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted + passwords to be made over a longer period. Once all users have encrypted representations of their passwords + in the smbpasswd file this parameter should be set to <code class="constant">no</code>. + </p><p> + In order for this parameter to be operative the <a class="indexterm" name="id325719"></a>encrypt passwords parameter must + be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id325730"></a>encrypt passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id325741"></a>update encrypted to work. + </p><p> + Note that even when this parameter is set a user authenticating to <code class="literal">smbd</code> + must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) + passwords. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>update encrypted</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="USECLIENTDRIVER"></a>use client driver (S)</span></dt><dd><p>This parameter applies only to Windows NT/2000 + clients. It has no effect on Windows 95/98/ME clients. When + serving a printer to Windows NT/2000 clients without first installing + a valid printer driver on the Samba host, the client will be required + to install a local printer driver. From this point on, the client + will treat the print as a local printer and not a network printer + connection. This is much the same behavior that will occur + when <code class="literal">disable spoolss = yes</code>. + </p><p>The differentiating factor is that under normal + circumstances, the NT/2000 client will attempt to open the network + printer using MS-RPC. The problem is that because the client + considers the printer to be local, it will attempt to issue the + OpenPrinterEx() call requesting access rights associated with the + logged on user. If the user possesses local administator rights but + not root privilege on the Samba host (often the case), the + OpenPrinterEx() call will fail. The result is that the client will + now display an "Access Denied; Unable to connect" message + in the printer queue window (even though jobs may successfully be + printed). </p><p>If this parameter is enabled for a printer, then any attempt + to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped + to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() + call to succeed. <span class="emphasis"><em>This parameter MUST not be able enabled + on a print share which has valid print driver installed on the Samba + server.</em></span></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use client driver</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="USEKERBEROSKEYTAB"></a>use kerberos keytab (G)</span></dt><dd><p> + Specifies whether Samba should attempt to maintain service principals in the systems + keytab file for <code class="constant">host/FQDN</code> and <code class="constant">cifs/FQDN</code>. + </p><p> + When you are using the heimdal Kerberos libraries, you must also specify the following in + <code class="filename">/etc/krb5.conf</code>: +</p><pre class="programlisting"> +[libdefaults] +default_keytab_name = FILE:/etc/krb5.keytab +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use kerberos keytab</code></em> = <code class="literal">False</code> +</em></span> +</p></dd><dt><span class="term"><a name="USEMMAP"></a>use mmap (G)</span></dt><dd><p>This global parameter determines if the tdb internals of Samba can + depend on mmap working correctly on the running system. Samba requires a coherent + mmap/read-write system memory cache. Currently only HPUX does not have such a + coherent cache, and so this parameter is set to <code class="constant">no</code> by + default on HPUX. On all other systems this parameter should be left alone. This + parameter is provided to help the Samba developers track down problems with + the tdb internal code. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use mmap</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="USER"></a>user</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERS"></a>users</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right).</p><p>The <em class="parameter"><code>username</code></em> line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead.</p><p>The <em class="parameter"><code>username</code></em> line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + <em class="parameter"><code>username</code></em> line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely.</p><p>Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you + can use the <a class="indexterm" name="id326066"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name + will be looked up first in the NIS netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name.</p><p>If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&' then the name + will be looked up only in the NIS netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name.</p><p>Note that searching though a groups database can take + quite some time, and some clients may time out during the + search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT + USERNAME/PASSWORD VALIDATION</a> for more information on how + this parameter determines access to the services.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = <code class="literal"> +# The guest account if a guest service, + else <empty string>.</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = <code class="literal">fred, mary, jack, jane, @users, @pcgroup</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine.</p><p>If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try while trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as <code class="constant">AstrangeUser + </code>.</p><p>This parameter is needed only on UNIX systems that have case + sensitive usernames.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = <code class="literal">5</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p> + This option allows you to specify a file containing a mapping of usernames from the clients to the server. + This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows + machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they + can more easily share files. + </p><p> + Please note that for user or share mode security, the username map is applied prior to validating the user + credentials. Domain member servers (domain or ads) apply the username map after the user has been + successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g. + biddle = DOMAIN\foo). + </p><p> + The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' + followed by a list of usernames on the right. The list of usernames on the right may contain names of the form + @group in which case they will match any UNIX username in that group. The special client name '*' is a + wildcard and matches any name. Each line of the map file may be up to 1023 characters long. + </p><p> + The file is processed on each line by taking the supplied username and comparing it with each username on the + right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it + is replaced with the name on the left. Processing then continues with the next line. + </p><p> + If any line begins with a '#' or a ';' then it is ignored. + </p><p> + If any line begins with an '!' then the processing will stop after that line if a mapping was done by the + line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a + wildcard mapping line later in the file. + </p><p> + For example to map from the name <code class="constant">admin</code> or <code class="constant">administrator</code> to the UNIX + name <code class="constant"> root</code> you would use: +</p><pre class="programlisting"> +<code class="literal">root = admin administrator</code> +</pre><p> + Or to map anyone in the UNIX group <code class="constant">system</code> to the UNIX name <code class="constant">sys</code> you would use: +</p><pre class="programlisting"> +<code class="literal">sys = @system</code> +</pre><p> + </p><p> + You can have as many mappings as you like in a username map file. + </p><p> + If your system supports the NIS NETGROUP option then the netgroup database is checked before the <code class="filename">/etc/group </code> database for matching groups. + </p><p> + You can map Windows usernames that have spaces in them by using double quotes around the name. For example: +</p><pre class="programlisting"> +<code class="literal">tridge = "Andrew Tridgell"</code> +</pre><p> + would map the windows username "Andrew Tridgell" to the unix username "tridge". + </p><p> + The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on that line: +</p><pre class="programlisting"> +!sys = mary fred +guest = * +</pre><p> + </p><p> + Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and + <code class="constant">fred</code> is remapped to <code class="constant">mary</code> then you will actually be connecting to + \\server\mary and will need to supply a password suitable for <code class="constant">mary</code> not + <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id326373"></a>password server (if you have one). The password server will receive whatever username the client + supplies without modification. + </p><p> + Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been + mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print + job. + </p><p> + Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from + the username map when performing a kerberos login from a client. However, when looking up a map entry for a + user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent + behavior sometimes even on the same server. + </p><p> + The following functionality is obeyed in version 3.0.8 and later: + </p><p> + When performing local authentication, the username map is applied to the login name before attempting to authenticate + the connection. + </p><p> + When relying upon a external domain controller for validating authentication requests, smbd will apply the username map + to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated. + </p><p> + An example of use is: +</p><pre class="programlisting"> +username map = /usr/local/samba/lib/users.map +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map</code></em> = <code class="literal"> +# no username map</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the + <a class="indexterm" name="id326456"></a>username map parameter. This parameter + specifies and external program or script that must accept a single + command line option (the username transmitted in the authentication + request) and return a line line on standard output (the name to which + the account should mapped). In this way, it is possible to store + username map tables in an LDAP or NIS directory services. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = <code class="literal">/etc/samba/scripts/mapusers.sh</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREALLOWGUESTS"></a>usershare allow guests (G)</span></dt><dd><p>This parameter controls whether user defined shares are allowed + to be accessed by non-authenticated users or not. It is the equivalent + of allowing people who can create a share the option of setting + <em class="parameter"><code>guest ok = yes</code></em> in a share + definition. Due to the security sensitive nature of this the default + is set to off.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare allow guests</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREMAXSHARES"></a>usershare max shares (G)</span></dt><dd><p>This parameter specifies the number of user defined shares + that are allowed to be created by users belonging to the group owning the + usershare directory. If set to zero (the default) user defined shares are ignored. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare max shares</code></em> = <code class="literal">0</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREOWNERONLY"></a>usershare owner only (G)</span></dt><dd><p>This parameter controls whether the pathname exported by + a user defined shares must be owned by the user creating the + user defined share or not. If set to True (the default) then + smbd checks that the directory path being shared is owned by + the user who owns the usershare file defining this share and + refuses to create the share if not. If set to False then no + such check is performed and any directory path may be exported + regardless of who owns it. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare owner only</code></em> = <code class="literal">True</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREPATH"></a>usershare path (G)</span></dt><dd><p>This parameter specifies the absolute path of the directory on the + filesystem used to store the user defined share definition files. + This directory must be owned by root, and have no access for + other, and be writable only by the group owner. In addition the + "sticky" bit must also be set, restricting rename and delete to + owners of a file (in the same way the /tmp directory is usually configured). + Members of the group owner of this directory are the users allowed to create + usershares. If this parameter is undefined then no user defined + shares are allowed. + </p><p> + For example, a valid usershare directory might be /usr/local/samba/lib/usershares, + set up as follows. + </p><p> + </p><pre class="programlisting"> + ls -ld /usr/local/samba/lib/usershares/ + drwxrwx--T 2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/ + </pre><p> + </p><p> + In this case, only members of the group "power_users" can create user defined shares. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare path</code></em> = <code class="literal">NULL</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREPREFIXALLOWLIST"></a>usershare prefix allow list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames + the root of which are allowed to be exported by user defined share definitions. + If the pathname exported doesn't start with one of the strings in this + list the user defined share will not be allowed. This allows the Samba + administrator to restrict the directories on the system that can be + exported by user defined shares. + </p><p> + If there is a "usershare prefix deny list" and also a + "usershare prefix allow list" the deny list is processed + first, followed by the allow list, thus leading to the most + restrictive interpretation. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare prefix allow list</code></em> = <code class="literal">NULL</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare prefix allow list</code></em> = <code class="literal">/home /data /space</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHAREPREFIXDENYLIST"></a>usershare prefix deny list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames + the root of which are NOT allowed to be exported by user defined share definitions. + If the pathname exported starts with one of the strings in this + list the user defined share will not be allowed. Any pathname not + starting with one of these strings will be allowed to be exported + as a usershare. This allows the Samba administrator to restrict the + directories on the system that can be exported by user defined shares. + </p><p> + If there is a "usershare prefix deny list" and also a + "usershare prefix allow list" the deny list is processed + first, followed by the allow list, thus leading to the most + restrictive interpretation. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare prefix deny list</code></em> = <code class="literal">NULL</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare prefix deny list</code></em> = <code class="literal">/etc /dev /private</code> +</em></span> +</p></dd><dt><span class="term"><a name="USERSHARETEMPLATESHARE"></a>usershare template share (G)</span></dt><dd><p>User defined shares only have limited possible parameters + such as path, guest ok etc. This parameter allows usershares to + "cloned" from an existing share. If "usershare template share" + is set to the name of an existing share, then all usershares + created have their defaults set from the parameters set on this + share. + </p><p> + The target share may be set to be invalid for real file + sharing by setting the parameter "-valid = False" on the template + share definition. This causes it not to be seen as a real exported + share but to be able to be used as a template for usershares. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare template share</code></em> = <code class="literal">NULL</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare template share</code></em> = <code class="literal">template_share</code> +</em></span> +</p></dd><dt><span class="term"><a name="USESENDFILE"></a>use sendfile (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code>, and the <code class="constant">sendfile()</code> + system call is supported by the underlying operating system, then some SMB read calls + (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that + are exclusively oplocked. This may make more efficient use of the system CPU's + and cause Samba to be faster. Samba automatically turns this off for clients + that use protocol levels lower than NT LM 0.12 and when it detects a client is + Windows 9x (using sendfile from Linux will cause these clients to fail). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use sendfile</code></em> = <code class="literal">false</code> +</em></span> +</p></dd><dt><span class="term"><a name="USESPNEGO"></a>use spnego (G)</span></dt><dd><p>This variable controls controls whether samba will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + WindowsXP and Windows2000 clients to agree upon an authentication mechanism. +</p><p> + Unless further issues are discovered with our SPNEGO + implementation, there is no reason this should ever be + disabled.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use spnego</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p> + This boolean parameter is only available if Samba has been configured and compiled + with the option <code class="literal">--with-utmp</code>. If set to + <code class="constant">yes</code> then Samba will attempt to add utmp or utmpx records + (depending on the UNIX system) whenever a connection is made to a Samba server. + Sites may use this to record the user connecting to a Samba share. + </p><p> + Due to the requirements of the utmp record, we are required to create a unique + identifier for the incoming user. Enabling this option creates an n^2 algorithm + to find this number. This may impede performance on large installations. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="UTMPDIRECTORY"></a>utmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has + been configured and compiled with the option <code class="literal"> + --with-utmp</code>. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + <code class="filename">/var/run/utmp</code> on Linux).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp directory</code></em> = <code class="literal"> +# Determined automatically</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>utmp directory</code></em> = <code class="literal">/var/run/utmp</code> +</em></span> +</p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is + valid and thus can be used. When this parameter is set to false, + the share will be in no way visible nor accessible. + </p><p> + This option should not be + used by regular users but might be of help to developers. + Samba uses this option internally to mark shares as deleted. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>-valid</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="VALIDUSERS"></a>valid users (S)</span></dt><dd><p> + This is a list of users that should be allowed to login to this service. Names starting with + '@', '+' and '&' are interpreted using the same rules as described in the + <em class="parameter"><code>invalid users</code></em> parameter. + </p><p> + If this is empty (the default) then any user can login. If a username is in both this list + and the <em class="parameter"><code>invalid users</code></em> list then access is denied + for that user. + </p><p> + The current servicename is substituted for <em class="parameter"><code>%S</code></em>. + This is useful in the [homes] section. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>valid users</code></em> = <code class="literal"> +# No valid users list (anyone can login) </code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>valid users</code></em> = <code class="literal">greg, @pcusers</code> +</em></span> +</p></dd><dt><span class="term"><a name="VETOFILES"></a>veto files (S)</span></dt><dd><p> + This is a list of files and directories that are neither visible nor accessible. Each entry in + the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' + can be used to specify multiple files or directories as in DOS wildcards. + </p><p> + Each entry must be a unix path, not a DOS path and must <span class="emphasis"><em>not</em></span> include the + unix directory separator '/'. + </p><p> + Note that the <a class="indexterm" name="id327272"></a>case sensitive option is applicable in vetoing files. + </p><p> + One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when + trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this + deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id327288"></a>delete veto files + parameter to <em class="parameter"><code>yes</code></em>. + </p><p> + Setting this parameter will affect the performance of Samba, as it will be forced to check all files + and directories for a match as they are scanned. + </p><p> + Examples of use include: +</p><pre class="programlisting"> +; Veto any files containing the word Security, +; any ending in .tmp, and any directory containing the +; word root. +veto files = /*Security*/*.tmp/*root*/ + +; Veto the Apple specific files that a NetAtalk server +; creates. +veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>veto files</code></em> = <code class="literal">No files or directories are vetoed.</code> +</em></span> +</p></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p> + This parameter is only valid when the <a class="indexterm" name="id327357"></a>oplocks + parameter is turned on for a share. It allows the Samba administrator + to selectively turn off the granting of oplocks on selected files that + match a wildcarded list, similar to the wildcarded list used in the + <a class="indexterm" name="id327366"></a>veto files parameter. + </p><p> + You might want to do this on files that you know will be heavily contended + for by clients. A good example of this is in the NetBench SMB benchmark + program, which causes heavy client contention for files ending in + <code class="filename">.SEM</code>. To cause Samba not to grant + oplocks on these files you would use the line (either in the [global] + section or in the section for the particular NetBench share. + </p><p> + An example of use is: +</p><pre class="programlisting"> +veto oplock files = /.*SEM/ +</pre><p> + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>veto oplock files</code></em> = <code class="literal"> +# No files are vetoed for oplock grants</code> +</em></span> +</p></dd><dt><span class="term"><a name="VFSOBJECT"></a>vfs object</span></dt><dd><p>This parameter is a synonym for vfs objects.</p></dd><dt><span class="term"><a name="VFSOBJECTS"></a>vfs objects (S)</span></dt><dd><p>This parameter specifies the backend names which + are used for Samba VFS I/O operations. By default, normal + disk I/O operations are used but these can be overloaded + with one or more VFS objects. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>vfs objects</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>vfs objects</code></em> = <code class="literal">extd_audit recycle</code> +</em></span> +</p></dd><dt><span class="term"><a name="VOLUME"></a>volume (S)</span></dt><dd><p>This allows you to override the volume label + returned for a share. Useful for CDROMs with installation programs + that insist on a particular volume label.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>volume</code></em> = <code class="literal"> +# the name of the share</code> +</em></span> +</p></dd><dt><span class="term"><a name="WIDELINKS"></a>wide links (S)</span></dt><dd><p>This parameter controls whether or not links + in the UNIX file system may be followed by the server. Links + that point to areas within the directory tree exported by the + server are always allowed; this parameter controls access only + to areas that are outside the directory tree being exported.</p><p>Note that setting this parameter can have a negative + effect on your server performance due to the extra system calls + that Samba has to do in order to perform the link checks.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wide links</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDCACHETIME"></a>winbind cache time (G)</span></dt><dd><p>This parameter specifies the number of + seconds the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon will cache + user and group information before querying a Windows NT server + again.</p><p> + This does not apply to authentication requests, these are always + evaluated in real time unless the <a class="indexterm" name="id327609"></a>winbind offline logon option has been enabled. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind cache time</code></em> = <code class="literal">300</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDENUMGROUPS"></a>winbind enum groups (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be necessary to suppress + the enumeration of groups through the <code class="literal">setgrent()</code>, + <code class="literal">getgrent()</code> and + <code class="literal">endgrent()</code> group of system calls. If + the <em class="parameter"><code>winbind enum groups</code></em> parameter is + <code class="constant">no</code>, calls to the <code class="literal">getgrent()</code> system + call will not return any data. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Turning off group enumeration may cause some programs to behave oddly. </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind enum groups</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDENUMUSERS"></a>winbind enum users (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be + necessary to suppress the enumeration of users through the <code class="literal">setpwent()</code>, + <code class="literal">getpwent()</code> and + <code class="literal">endpwent()</code> group of system calls. If + the <em class="parameter"><code>winbind enum users</code></em> parameter is + <code class="constant">no</code>, calls to the <code class="literal">getpwent</code> system call + will not return any data. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Turning off user + enumeration may cause some programs to behave oddly. For + example, the finger program relies on having access to the + full user list when searching for matching + usernames. </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind enum users</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDEXPANDGROUPS"></a>winbind expand groups (G)</span></dt><dd><p>This option controls the maximum depth that winbindd + will traverse when flattening nested group memberships + of Windows domain groups. This is different from the + <a class="indexterm" name="id327830"></a>winbind nested groups option + which implements the Windows NT4 model of local group + nesting. The "winbind expand groups" + parameter specifically applies to the membership of + domain groups.</p><p>Be aware that a high value for this parameter can + result in system slowdown as the main parent winbindd daemon + must perform the group unrolling and will be unable to answer + incoming NSS or authentication requests during this time.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind expand groups</code></em> = <code class="literal">1</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDNESTEDGROUPS"></a>winbind nested groups (G)</span></dt><dd><p>If set to yes, this parameter activates the support for nested + groups. Nested groups are also called local groups or + aliases. They work like their counterparts in Windows: Nested + groups are defined locally on any machine (they are shared + between DC's through their SAM) and can contain users and + global groups from any trusted SAM. To be able to use nested + groups, you need to run nss_winbind.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind nested groups</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDNORMALIZENAMES"></a>winbind normalize names (G)</span></dt><dd><p>This parameter controls whether winbindd will replace + whitespace in user and group names with an underscore (_) character. + For example, whether the name "Space Kadet" should be + replaced with the string "space_kadet". + Frequently Unix shell scripts will have difficulty with usernames + contains whitespace due to the default field separator in the shell. + Do not enable this option if the underscore character is used in + account names within your domain + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind normalize names</code></em> = <code class="literal">no</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind normalize names</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDNSSINFO"></a>winbind nss info (G)</span></dt><dd><p>This parameter is designed to control how Winbind retrieves Name + Service Information to construct a user's home directory and login shell. + Currently the following settings are available: + + </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>template</code></em> + - The default, using the parameters of <em class="parameter"><code>template + shell</code></em> and <em class="parameter"><code>template homedir</code></em>) + </p></li><li><p><em class="parameter"><code>sfu</code></em> + - When Samba is running in security = ads and your Active Directory + Domain Controller does support the Microsoft "Services for Unix" (SFU) + LDAP schema, winbind can retrieve the login shell and the home + directory attributes directly from your Directory Server. Note that + retrieving UID and GID from your ADS-Server requires to use + <em class="parameter"><code>idmap backend</code></em> = idmap_ad as well. + </p></li></ul></div><p> + +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind nss info</code></em> = <code class="literal">template</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind nss info</code></em> = <code class="literal">template sfu</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDOFFLINELOGON"></a>winbind offline logon (G)</span></dt><dd><p>This parameter is designed to control whether Winbind should + allow to login with the <em class="parameter"><code>pam_winbind</code></em> + module using Cached Credentials. If enabled, winbindd will store user credentials + from successful logins encrypted in a local cache. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind offline logon</code></em> = <code class="literal">false</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind offline logon</code></em> = <code class="literal">true</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDREFRESHTICKETS"></a>winbind refresh tickets (G)</span></dt><dd><p>This parameter is designed to control whether Winbind should refresh Kerberos Tickets + retrieved using the <em class="parameter"><code>pam_winbind</code></em> module. + +</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind refresh tickets</code></em> = <code class="literal">false</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind refresh tickets</code></em> = <code class="literal">true</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDRPCONLY"></a>winbind rpc only (G)</span></dt><dd><p> + Setting this parameter to <code class="literal">yes</code> forces + winbindd to use RPC instead of LDAP to retrieve information from Domain + Controllers. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind rpc only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDSEPARATOR"></a>winbind separator (G)</span></dt><dd><p>This parameter allows an admin to define the character + used when listing a username of the form of <em class="replaceable"><code>DOMAIN + </code></em>\<em class="replaceable"><code>user</code></em>. This parameter + is only applicable when using the <code class="filename">pam_winbind.so</code> + and <code class="filename">nss_winbind.so</code> modules for UNIX services. + </p><p>Please note that setting this parameter to + causes problems + with group membership at least on glibc systems, as the character + + is used as a special character for NIS in /etc/group.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind separator</code></em> = <code class="literal">'\'</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind separator</code></em> = <code class="literal">+</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDTRUSTEDDOMAINSONLY"></a>winbind trusted domains only (G)</span></dt><dd><p> + This parameter is designed to allow Samba servers that are members + of a Samba controlled domain to use UNIX accounts distributed via NIS, + rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. + Therefore, the user <code class="literal">DOMAIN\user1</code> would be mapped to + the account user1 in /etc/passwd instead of allocating a new uid for him or her. + </p><p> + This parameter is now deprecated in favor of the newer idmap_nss backend. + Refer to the <a class="indexterm" name="id328357"></a>idmap domains smb.conf option and + the <a href="idmap_nss.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_nss</span>(8)</span></a> man page for more information. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind trusted domains only</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINBINDUSEDEFAULTDOMAIN"></a>winbind use default domain (G)</span></dt><dd><p>This parameter specifies whether the + <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users + without domain component in their username. Users without a domain + component are treated as is part of the winbindd server's own + domain. While this does not benifit Windows users, it makes SSH, FTP and + e-mail function in a way much closer to the way they + would in a native unix system.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind use default domain</code></em> = <code class="literal">no</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind use default domain</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINSHOOK"></a>wins hook (G)</span></dt><dd><p>When Samba is running as a WINS server this + allows you to call an external program for all changes to the + WINS database. The primary use for this option is to allow the + dynamic update of external name resolution databases such as + dynamic DNS.</p><p>The wins hook parameter specifies the name of a script + or executable that will be called as follows:</p><p><code class="literal">wins_hook operation name nametype ttl IP_list</code></p><div class="itemizedlist"><ul type="disc"><li><p>The first argument is the operation and is + one of "add", "delete", or + "refresh". In most cases the operation + can be ignored as the rest of the parameters + provide sufficient information. Note that + "refresh" may sometimes be called when + the name has not previously been added, in that + case it should be treated as an add.</p></li><li><p>The second argument is the NetBIOS name. If the + name is not a legal name then the wins hook is not called. + Legal names contain only letters, digits, hyphens, underscores + and periods.</p></li><li><p>The third argument is the NetBIOS name + type as a 2 digit hexadecimal number. </p></li><li><p>The fourth argument is the TTL (time to live) + for the name in seconds.</p></li><li><p>The fifth and subsequent arguments are the IP + addresses currently registered for that name. If this list is + empty then the name should be deleted.</p></li></ul></div><p>An example script that calls the BIND dynamic DNS update + program <code class="literal">nsupdate</code> is provided in the examples + directory of the Samba source code. </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WINSPROXY"></a>wins proxy (G)</span></dt><dd><p>This is a boolean that controls if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will respond to broadcast name + queries on behalf of other hosts. You may need to set this + to <code class="constant">yes</code> for some older clients.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wins proxy</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINSSERVER"></a>wins server (G)</span></dt><dd><p>This specifies the IP address (or DNS name: IP + address for preference) of the WINS server that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> should register with. If you have a WINS server on + your network then you should set this to the WINS server's IP.</p><p>You should point this at your WINS server if you have a + multi-subnetted network.</p><p>If you want to work in multiple namespaces, you can + give every wins server a 'tag'. For each tag, only one + (working) server will be queried for a name. The tag should be + separated from the ip address by a colon. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You need to set up Samba to point + to a WINS server if you have multiple subnets and wish cross-subnet + browsing to work correctly.</p></div><p>See the chapter in the Samba3-HOWTO on Network Browsing.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wins server</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wins server</code></em> = <code class="literal">mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 + +# For this example when querying a certain name, 192.19.200.1 will + be asked first and if that doesn't respond 192.168.2.61. If either + of those doesn't know the name 192.168.3.199 will be queried.</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wins server</code></em> = <code class="literal">192.9.200.1 192.168.2.61</code> +</em></span> +</p></dd><dt><span class="term"><a name="WINSSUPPORT"></a>wins support (G)</span></dt><dd><p>This boolean controls if the <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> process in Samba will act as a WINS server. You should + not set this to <code class="constant">yes</code> unless you have a multi-subnetted network and + you wish a particular <code class="literal">nmbd</code> to be your WINS server. + Note that you should <span class="emphasis"><em>NEVER</em></span> set this to <code class="constant">yes</code> + on more than one machine in your network.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wins support</code></em> = <code class="literal">no</code> +</em></span> +</p></dd><dt><span class="term"><a name="WORKGROUP"></a>workgroup (G)</span></dt><dd><p>This controls what workgroup your server will + appear to be in when queried by clients. Note that this parameter + also controls the Domain name used with + the <a class="indexterm" name="id328788"></a>security = domain + setting.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = <code class="literal">WORKGROUP</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = <code class="literal">MYGROUP</code> +</em></span> +</p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id328872"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value, + Samba will create an in-memory cache for each oplocked file + (it does <span class="emphasis"><em>not</em></span> do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it.</p><p>This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (i.e. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs.</p><p>The integer parameter specifies the size of this cache + (per oplocked file) in bytes.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write cache size</code></em> = <code class="literal">0</code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>write cache size</code></em> = <code class="literal">262144 +# for a 256k cache size per file</code> +</em></span> +</p></dd><dt><span class="term"><a name="WRITELIST"></a>write list (S)</span></dt><dd><p> + This is a list of users that are given read-write access to a service. If the + connecting user is in this list then they will be given write access, no matter + what the <a class="indexterm" name="id328980"></a>read only option is set to. The list can + include group names using the @group syntax. + </p><p> + Note that if a user is in both the read list and the write list then they will be + given write access. + </p><p> + By design, this parameter will not work with the + <a class="indexterm" name="id328995"></a>security = share in Samba 3.0. + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> = <code class="literal">admin, root, @staff</code> +</em></span> +</p></dd><dt><span class="term"><a name="WRITERAW"></a>write raw (G)</span></dt><dd><p>This parameter controls whether or not the server + will support raw write SMB's when transferring data from clients. + You should never need to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write raw</code></em> = <code class="literal">yes</code> +</em></span> +</p></dd><dt><span class="term"><a name="WTMPDIRECTORY"></a>wtmp directory (G)</span></dt><dd><p> + This parameter is only available if Samba has been configured and compiled with the option <code class="literal"> + --with-utmp</code>. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on + the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact + that user info is kept after a user has logged out. + </p><p> + By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually + <code class="filename">/var/run/wtmp</code> on Linux). + </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = <code class="literal"></code> +</em></span> +</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = <code class="literal">/var/log/wtmp</code> +</em></span> +</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id329153"></a><h2>WARNINGS</h2><p> + Although the configuration file permits service names to contain spaces, your client software may not. + Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility. + </p><p> + On a similar note, many clients - especially DOS clients - limit service names to eight characters. + <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> has no such + limitation, but attempts to connect from such clients will fail if they truncate the service names. For this + reason you should probably keep your service names down to eight characters in length. + </p><p> + Use of the <code class="literal">[homes]</code> and <code class="literal">[printers]</code> special sections make life + for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme + care when designing these sections. In particular, ensure that the permissions on spool directories are + correct. + </p></div><div class="refsect1" lang="en"><a name="id329196"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id329207"></a><h2>SEE ALSO</h2><p> + <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id329286"></a><h2>AUTHOR</h2><p> + The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. + </p><p> + The original Samba man pages were written by Karl Auer. The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top"> + ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 release by Jeremy Allison. The conversion + to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by + Alexander Bokovoy. + </p></div></div></body></html> |